leepfrog

Reputation: 381

haproxy ssl_fc_sni not matching correctly

I am a bit lost with my HAproxy configuration. Currently running 1.6.4. We have a system in place that determines the backends using the SNI values provided by the client.

This has been working well in the past, however today I've added a use_backend rule to the following frontend and it does not work as intended:

frontend fe_ssl
        description "SSL Endpoint"
        bind 1.2.3.4:443 ssl crt /etc/haproxy/certs/

        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        use_backend bk_t1 { ssl_fc_sni -i subdomain.domain.com }
        use_backend bk_t2 { ssl_fc_sni -i subdomain-test.domain.com }

Previously only backend bk_t1 was present and it did work as intended: if accessing subdomain.domain.com the traffic was forwarded to bk_t1; if using any other name pointing to the same IP it resulted in an HTTP 503 as there was no matching backend.

Now after adding bk_t2 it does not ever match requests to the backend that is mentioned second in the frontend configuration. Meaning:

I am thinking that it could have something to do with the fact that the two subdomains are partly identical, but I was not able to find any information that "-" needs to be escaped, and even switching from -i to -m str or putting the hostnames in quotes does not change anything.

Upvotes: 2

Views: 6897

Answers (1)

leepfrog

Reputation: 381

After troubleshooting for two hours and writing this entry I realized that my mistake was very obvious. The if was missing for the statements to match.

use_backend bk_t1 **if** { ssl_fc_sni -i subdomain.domain.com }
use_backend bk_t2 **if** { ssl_fc_sni -i subdomain-test.domain.com }

Upvotes: 3
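As an added example (not from the original post and not HAProxy's own code), a small Python checker that parses the use_backend lines of a frontend, flags any rule whose ACL block lacks the if/unless keyword (the mistake above), and simulates HAProxy's first-match routing on the corrected rules to show that the exact, case-insensitive -i match cannot confuse subdomain.domain.com with subdomain-test.domain.com. The config text, including the extra bk_t3 rule, is constructed for the demonstration; the first-match ordering and the 503 on no match are as described in the question.

```python
import re

# Constructed sample config: the frontend from the question with the missing
# "if" restored on bk_t1/bk_t2, plus a deliberately broken bk_t3 rule.
FRONTEND = """
frontend fe_ssl
        description "SSL Endpoint"
        bind 1.2.3.4:443 ssl crt /etc/haproxy/certs/
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend bk_t1 if { ssl_fc_sni -i subdomain.domain.com }
        use_backend bk_t2 if { ssl_fc_sni -i subdomain-test.domain.com }
        use_backend bk_t3 { ssl_fc_sni -i broken.domain.com }
"""

# use_backend <backend> [if|unless] { ssl_fc_sni [-i] [-m str] <value> }
RULE_RE = re.compile(
    r"^\s*use_backend\s+(?P<backend>\S+)\s*"
    r"(?:(?P<kw>if|unless)\s+)?\{\s*ssl_fc_sni\s+"
    r"(?P<flags>(?:-i\s+|-m\s+str\s+)*)(?P<value>\S+)\s*\}\s*$"
)


def parse_rules(cfg):
    """Return (rules, problems). A rule is (backend, sni, icase, negate)."""
    rules, problems = [], []
    for lineno, line in enumerate(cfg.splitlines(), 1):
        if not line.strip().startswith("use_backend"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            problems.append((lineno, "use_backend line not understood"))
        elif m.group("kw") is None:
            # The bug from the question: an ACL block with no if/unless.
            problems.append((lineno, f"{m.group('backend')}: ACL without if/unless"))
        else:
            rules.append((m.group("backend"), m.group("value").strip('"'),
                          "-i" in m.group("flags"), m.group("kw") == "unless"))
    return rules, problems


def route(rules, client_sni):
    """First matching rule wins; None means no backend (HAProxy answers 503)."""
    for backend, sni, icase, negate in rules:
        a, b = (client_sni.lower(), sni.lower()) if icase else (client_sni, sni)
        if (a == b) != negate:  # exact string match, never a prefix match
            return backend
    return None


if __name__ == "__main__":
    rules, problems = parse_rules(FRONTEND)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for name in ("subdomain.domain.com", "subdomain-test.domain.com", "other.domain.com"):
        print(f"{name} -> {route(rules, name) or '503 (no backend)'}")
```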
