Hi, I'd like to configure haproxy to listen on a single IP address and port 443. Based on the SNI information of the incoming connections, I'd like to terminate some of the SSL connections on the proxy and send plain HTTP requests to the backend. For other domain names, however, I'd like to operate in TCP mode and simply cut through the connection to the backend, without decrypting the traffic.
The only solution I managed to cook up after some experimentation involves looping back to haproxy itself:

    frontend fe_https_dispatch
        bind *:443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend be_lets_encrypt if { req.ssl_sni -m end .acme.invalid }
        default_backend be_https_loopback

    backend be_lets_encrypt
        mode tcp
        server srv_lets_encrypt 127.0.0.1:63443

    backend be_https_loopback
        mode tcp
        server srv_https_loopback 127.0.0.1:36427

    frontend fe_https_loopback
        bind *:36427 ssl crt /etc/ssl/certs/ strict-sni
        mode http
        # SSL is terminated on this bind, so the raw ClientHello is no longer in
        # the request buffer and req.ssl_sni cannot match; ssl_fc_sni reads the
        # SNI from the TLS layer instead.
        use_backend be_foo if { ssl_fc_sni -i foo.example.com }
        use_backend be_bar if { ssl_fc_sni -i bar.example.com }

    [… backend definitions of be_foo and be_bar …]

This feels like a hack, and I also wonder whether this has performance implications, since each request is parsed twice by haproxy. Is there any way to achieve this without looping back to haproxy?

Cheers,
-- 
Sven @OpenCraft
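As an added example (not the poster's configuration), the same SNI-based split with the internal hop carried over a Linux abstract-namespace socket (abns@) instead of a TCP port: no extra port is bound on the host's interfaces, the PROXY protocol preserves the client address across the hop, and the terminating frontend matches on ssl_fc_sni. The socket name and the be_foo/be_bar server addresses are assumed placeholders.

```haproxy
# Added example, not the original poster's config. Hostnames and the
# .acme.invalid suffix come from the post; abns socket name and backend
# server addresses are placeholders.

frontend fe_https_dispatch
    bind *:443
    mode tcp
    # Wait (at most 5s) for the TLS ClientHello so req.ssl_sni is populated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Pass-through: forward the still-encrypted stream untouched
    use_backend be_lets_encrypt if { req.ssl_sni -m end .acme.invalid }
    # Everything else goes to the terminating frontend over an abns socket
    default_backend be_terminate

backend be_lets_encrypt
    mode tcp
    server srv_lets_encrypt 127.0.0.1:63443

backend be_terminate
    mode tcp
    # send-proxy-v2 carries the real client address across the internal hop
    server srv_terminate abns@https_terminate send-proxy-v2

frontend fe_https_terminate
    # Reachable only from within this haproxy process; no TCP port exposed
    bind abns@https_terminate accept-proxy ssl crt /etc/ssl/certs/ strict-sni
    mode http
    # After termination the ClientHello is gone: match on ssl_fc_sni,
    # not req.ssl_sni
    use_backend be_foo if { ssl_fc_sni -i foo.example.com }
    use_backend be_bar if { ssl_fc_sni -i bar.example.com }

backend be_foo
    mode http
    server srv_foo 10.0.0.10:80   # placeholder address

backend be_bar
    mode http
    server srv_bar 10.0.0.11:80   # placeholder address
```

The ClientHello is still inspected twice (once per frontend), but the second pass skips the kernel TCP loopback path and leaves no listener that other hosts could reach.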