Use mapping for req.ssl_sni instead of req.hdr(host)?

I have a frontend in http mode where I use this with great success:
use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/maps.map,be_default)]

Is it possible to do the same for tcp mode and do mapping on req.ssl_sni somehow?

(HA-Proxy version 1.7.5-2 2017/05/17)

Yes, but req.ssl_sni is for TCP mode without SSL termination.

Use ssl_fc_sni to get the SNI value of an SSL-terminated session.

I would strongly recommend not doing this, however. If you have certificates with multiple SANs or wildcard certificates, you may end up routing to the wrong backend. Please always use the host header when you are routing HTTP traffic.


Does anyone have a working example of this? I cannot get ssl_fc_sni to work with any dynamic solution, whether a direct map or through a map file; however, it works perfectly when doing ACLs
like: ssl_fc_sni -i demo.abc.xyz

Unfortunately I can’t use the host header for the DDP WebSocket traffic I am routing.

ssl_fc_sni works perfectly in an ACL / action, but I can’t seem to get a dynamic solution to work.
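
An added example, not posted by anyone in this thread: the two SNI-based map lookups discussed above, written as a configuration sketch. The map path is the one from the question; frontend and backend names other than be_default, the ports, the certificate path and the server addresses are placeholders.

```haproxy
# Constructed example. /etc/haproxy/maps.map holds one "domain backend"
# pair per line, for instance (sample entries, not from the thread):
#   demo.abc.xyz   be_demo

# Variant 1: TCP passthrough, HAProxy does not terminate TLS -> req.ssl_sni
frontend fe_tls_passthrough
    mode tcp
    bind :443
    # req.ssl_sni is read from the buffered ClientHello, so wait for it
    # before the use_backend rule is evaluated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend %[req.ssl_sni,lower,map_dom(/etc/haproxy/maps.map,be_default)]

# Variant 2: HAProxy terminates TLS on this bind line -> ssl_fc_sni
frontend fe_tls_terminated
    mode tcp
    bind :8443 ssl crt /etc/haproxy/certs/site.pem
    # Same lookup, but on the SNI of the already-terminated connection.
    # With a wildcard or multi-SAN certificate the SNI may not match the
    # host actually requested, which is the misrouting risk noted above.
    use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/maps.map,be_default)]

# Backends named in the map and in the map_dom default value.
# Servers reached from variant 1 receive the TLS stream untouched;
# servers reached from variant 2 receive decrypted traffic.
backend be_default
    mode tcp
    server default1 192.0.2.10:443

backend be_demo
    mode tcp
    server demo1 192.0.2.11:443
```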