Setup multiple backends in HaProxy with ACL, one SSL certificate, and SNI

In a previous article, we saw how to use ACL by IP Address in HaProxy TCP Mode.

Today we are going to see how serve different subdomains with haproxy by using just 1 SSL certificate (usually a wildcard certificate) and choose the right backend by using SNI.

What is SNI

SNI is an extension of TLS that allows the client to specify the hostname where it wants to connect to before starting the TLS handshake.

This allows one to serve different SSL domains with the same IP address.

SNI in HaProxy

HaProxy supports SNI by using the ssl_fc_sni directive that can be used with ACLs in the following way:

In this example, we're choosing different backends based on the domain captured with the directive ssl_fc_sni in different ACLs.