Hi all,

I have an HAProxy 1.5 setup which offloads SSL in front of multiple webservers. My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN.
My frontend config looks like this:

    ...
    frontend my-frontend
        bind ip:443 ssl crt /var/etc/haproxy/wildcard_domain_org.pem
        mode http
        log global
        option httplog
        option forwardfor

        use_backend my-backend if { ssl_fc_sni my.domain.org }
        use_backend my-backend2 if { ssl_fc_sni my2.domain.org }

        # Fallback for non-SNI clients
        acl is-domain hdr(host) -i my.domain.org
        acl is-domain2 hdr(host) -i my2.domain.org
        use_backend my-backend if is-domain
        use_backend my-backend2 if is-domain2
    …

I wanted to know if:
- ssl_fc_sni performs faster than HTTP header extraction?
- HAProxy will check my ACLs sequentially and use the SNI one if it matches without evaluating the hdr(host) ones?

Thanks,
Regards
Thibaut A.