Hi all,
I have an HAProxy 1.5 setup which offloads SSL in front of multiple webservers.
My SSL certificate is a wildcard and we are balancing to different backends
based on the FQDN.
My frontend config looks like this:
...
frontend my-frontend
    bind ip:443 ssl crt /var/etc/haproxy/wildcard_domain_org.pem
    mode http
    log global
    option httplog
    option forwardfor
    use_backend my-backend if { ssl_fc_sni my.domain.org }
    use_backend my-backend2 if { ssl_fc_sni my2.domain.org }
    # Fallback for non-SNI clients
    acl is-domain hdr(host) -i my.domain.org
    acl is-domain2 hdr(host) -i my2.domain.org
    use_backend my-backend if is-domain
    use_backend my-backend2 if is-domain2
…
I wanted to know if:
- ssl_fc_sni performs faster than HTTP header extraction?
- HAProxy will check my ACLs sequentially and use the SNI one if it matches
without evaluating the hdr(host) ones?
Thanks,
Regards
Thibaut A.