Use mapping for req.ssl_sni instead of req.hdr(host)?


#1

I have a frontend in http mode where I use this with great success:
use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/maps.map,be_default)]

Is it possible to do the same for tcp mode and do mapping on req.ssl_sni somehow?

(HA-Proxy version 1.7.5-2 2017/05/17)


#2

Yes, but req.ssl_sni is for TCP mode without SSL termination.

Use ssl_fc_sni to get the SNI value of an SSL-terminated session.

I would strongly recommend not doing this, however. If you have certificates with multiple SANs or wildcard certificates, you may end up routing to the wrong backend. Please always use the host header when you are routing HTTP traffic.
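
A sketch of the TCP-mode case asked about in #1, added here as an example and not posted by either participant. The frontend name, backend servers and map entries are constructed; the map path and the be_default name come from the line in #1.

```haproxy
# /etc/haproxy/maps.map (constructed entries; key = domain, value = backend)
#   example.com    be_example
#   example.org    be_other

frontend fe_tls_passthrough
    mode tcp
    bind :443

    # req.ssl_sni is parsed from the TLS ClientHello, so HAProxy has to
    # buffer the start of the connection before a routing decision is made.
    # Without these two lines the fetch is usually empty and every
    # connection falls through to the map default.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Same map lookup as the http-mode line in #1, keyed on SNI.
    # Clients that send no SNI end up on be_default.
    use_backend %[req.ssl_sni,lower,map_dom(/etc/haproxy/maps.map,be_default)]

backend be_example
    mode tcp
    server s1 192.0.2.10:443 check    # constructed address

backend be_other
    mode tcp
    server s1 192.0.2.20:443 check    # constructed address

backend be_default
    mode tcp
    server s1 192.0.2.30:443 check    # constructed address
```

This applies only when HAProxy passes TLS through untouched, the case #2 calls "TCP mode without SSL termination". When HAProxy terminates TLS for HTTP traffic, the Host-header mapping from #1 is the form #2 recommends.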