TCP routing by domain?

Hello, I’m having trouble routing traffic based on domain, working with TCP.
Idea is - always use “main” backend, and only use recaptcha backend for domains matching the ACL.

Tried using -
req.ssl_sni -i
req.ssl_sni -m sub -i
req.payload(5,16) -m sub

nothing seems to work, please help :frowning:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    #log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

listen stats
    bind  :9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth login:pass

frontend squid
    bind *:8000
    mode tcp
    option tcplog
    #option httplog
    default_backend main
    #acl whoer req.payload(5,16) -m sub whoer.net
    acl whoer req.ssl_sni -i whoer.net
    use_backend recaptcha if whoer

backend main
    stick-table type ip size 2 nopurge
    stick on dst
    option httpchk GET / HTTP/1.1\r\nHost:\ google.com
    balance roundrobin
    #balance first
    mode tcp
    default-server  fall 5 rise 1
    timeout check 7s
    server squid1 private.myserver:1001 check inter 15s
    #server googler  google.com check inter 5s

backend recaptcha
    stick-table type ip size 2 nopurge
    stick on dst
    mode tcp
    server recap1 private.myserver.net:1005

This is not possible, you cannot route arbitrary TCP traffic by “domain”.

You can route SSL traffic based on the SNI field, if present, but that’s it.

Sorry, yes, that’s what I’m trying to achieve actually, either SNI or destination IP address would work.
Anything obviously wrong in the configuration?

If this is SSL with SNI, and you want to access the SNI value, you need to wait for the entire ssl client_hello, as per the documentation:

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl whoer req.ssl_sni -i whoer.net
use_backend recaptcha if whoer

Thank you so much for trying to help me with this, it means a lot!

Using this minimalistic configuration, but all requests are still going through main backend ignoring the ACL, seems like I have an issue with the whole SSL thing.
I should have probably mentioned earlier that the backend servers are just proxies (running 3proxy). Probably I’m in deep trouble with this :thinking:

defaults
    maxconn 1000
    mode tcp
    log global
    option dontlognull # bind *:443 ssl crt .
    timeout http-request 5s
    timeout connect 5000
    timeout client 2000000 # ddos protection
    timeout server 2000000 # stick-table type ip size 100k expire 30s store conn_cur

frontend foo_ft_https
    mode tcp
    option tcplog
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl whoer req.ssl_sni -i whoer.net
    use_backend recap if whoer
    default_backend main

backend main
    mode tcp
    option tcplog
    server server1 private.server.net:1013

backend recap
    mode tcp
    option tcplog
    server server1 private.server.net:1005

Like I said it’s routing based on the SNI value of the SSL client_hello. If it isn’t there, it won’t work.

If you encrypt the traffic between the client and a forwarding proxy, SNI - if at all present - will probably contain the hostname of the proxy, not the website that you are trying to reach through that.

Capture the traffic with wireshark and check what the SNI value the client_hello contains.

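An added example (mine, not from the thread or from HAProxy) to check the last reply's point about what the ClientHello actually carries: a small Python parser that pulls the SNI out of a raw TLS ClientHello record, plus a builder for constructed test records. It assumes the bytes are one TLS handshake record as captured off the wire (what Wireshark would show you), and the hostnames used are placeholders.

```python
import struct

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello record (test input, not a real capture).
    Only the fields a SNI parser has to walk are populated: one cipher suite, no session id."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sn_ext = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0, len(sn_ext)) + sn_ext            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # client_version, random
            + b"\x00"                                                # session_id length 0
            + b"\x00\x02\x00\x2f"                                    # cipher_suites: one suite
            + b"\x01\x00"                                            # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)                     # extensions block
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def extract_sni(data):
    """Return the server_name from a TLS ClientHello record, or None when the bytes are not a
    ClientHello (req_ssl_hello_type 1 would be false) or carry no SNI extension (req.ssl_sni
    would be empty). Either way such a connection falls through to default_backend."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        p = 43                                          # past record/hello headers, version, random
        p += 1 + data[p]                                # session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]  # cipher_suites
        p += 1 + data[p]                                # compression_methods
        if p + 2 > len(data):
            return None                                 # hello ends without an extensions block
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:                              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        return None                                     # truncated or malformed record
    return None

if __name__ == "__main__":                              # stand-alone demo on the constructed records
    print(extract_sni(build_client_hello("whoer.net")), extract_sni(build_client_hello()))
```

A None result is what req.ssl_sni also sees for a plaintext CONNECT sent to a forwarding proxy, while a TLS session opened to the proxy itself returns the proxy's hostname rather than the site behind it, which is the case the last reply describes.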