Setup multiple backends in HaProxy with ACL, one SSL certificate, and SNI

In a previous article, we saw how to use ACL by IP Address in HaProxy TCP Mode.

Today we are going to see how serve different subdomains with haproxy by using just 1 SSL certificate (usually a wildcard certificate) and choose the right backend by using SNI.

What is SNI

SNI is an extension of TLS that allows the client to specify the hostname where it wants to connect to before starting the TLS handshake.

This allows one to serve different SSL domains with the same IP address.

SNI in HaProxy

HaProxy supports SNI by using the ssl_fc_sni directive that can be used with ACLs in the following way:

In this example, we're choosing different backends based on the domain captured with the directive ssl_fc_sni in different ACLs.

Read Other Articles

If you liked this or other articles (and feel generous), you can make a donation:

Validate client SSL certificates in your application with HaProxy
Using ACL by IP Address in HaProxy TCP Mode
Virtual webcam as phone camera in Android Emulator in Linux
Solution for "ERROR: 32-bit Linux Android emulator binaries are DEPRECATED"
Running the Android Emulator as System Services with Daemontools
Convert MAC EOL to Unix
How to compile NGINX with external OpenSSL libraries and custom linker options
Using CloudWatch to Monitor your AWS Lambda and send Alerts on Errors
Using AWS Lambda to check if your website is online
Expirable user sessions with MySQL events
How to create a static SOX executable to invoke it in AWS Lambda
WebRTC with Asterisk and Amazon AWS
Automatized daily mysql backups to S3 buckets
Starting WebRTC2SIP as a service without screen or console
Compiling and Installing WebRTC2SIP
Installing DaemonTools in Amazon Linux (or CentOS like OS)
Generating A Cross Compiler For Freebsd In Linux
How to setup nginx to work with FastCGI and PHP 5.2 and PHP 5.3
Configuring postfix to forward all email to a smtp gateway
Different relays in postfix based on regular expressions

Articles