
In the haproxy settings there is a frontend which binds on 443.

The problem is inside this frontend I need to use acl rules in order to distinguish traffic based on server_name.

However, if I understand correctly, I can't use acl together with 443.

Is there any way to send SSL traffic to different backends based on their hostname?

Thanks!

3 Answers

1

For using haproxy with ssl (443) you need to use stunnel because haproxy does not support ssl itself.

2

In the development branch, we have support for SNI (server name indication) which allows a TCP-mode haproxy to know what server an SSL client is targeting if the client uses the extension too (which all recent clients do). Otherwise, as indicated by B14D3, you have to decipher the traffic, as it's the purpose of SSL to prevent anyone from seeing what's exchanged in it.

0

By now SNI has been properly implemented in haproxy. You can use use-server to distinguish between different hostnames:

Quote from the documentation:

The "use-server" statement works both in HTTP and TCP mode. This makes it suitable for use with content-based inspection. For instance, a server could be selected in a farm according to the TLS SNI field. And if these servers have their weight set to zero, they will not be used for other traffic.

Example from the documentation:

    # intercept incoming TLS requests based on the SNI field
    use-server www if { req_ssl_sni -i www.example.com }
    server www 192.168.0.1:443 weight 0
    use-server mail if { req_ssl_sni -i mail.example.com }
    server mail 192.168.0.1:587 weight 0
    use-server imap if { req_ssl_sni -i imap.example.com }
    server imap 192.168.0.1:993 weight 0
    # all the rest is forwarded to this server
    server default 192.168.0.2:443 check
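The reason SNI-based routing works in TCP mode without decrypting anything (the point of the second and third answers) is that the server_name extension travels in cleartext inside the TLS ClientHello, before any key exchange. The following Python script is an added illustration, not code from the answers or from HAProxy: it builds a constructed ClientHello, extracts the SNI the same way a `req_ssl_sni` match has to, and applies a routing table that mirrors the use-server rules quoted above (the hostnames and backend addresses are taken from that snippet; everything else is assumed). Note that in a real haproxy TCP frontend the fetch is only populated once the ClientHello has been buffered, which is why such frontends also carry `tcp-request inspect-delay` and `tcp-request content accept if { req_ssl_hello_type 1 }`.

```python
import struct

# Routing table mirroring the documentation snippet quoted in the answer.
# Keys are lowercased because the snippet matches with "-i" (case-insensitive).
ROUTES = {
    "www.example.com": "192.168.0.1:443",
    "mail.example.com": "192.168.0.1:587",
    "imap.example.com": "192.168.0.1:993",
}
DEFAULT_BACKEND = "192.168.0.2:443"  # "server default" in the snippet


def build_client_hello(hostname):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record whose
    only extension is server_name. Real clients send many more extensions."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
    sni_ext = struct.pack("!H", len(server_name)) + server_name    # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext       # extension type 0
    body = (
        b"\x03\x03" + bytes(32)                # client_version + random (zeroed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext    # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name carried in a raw ClientHello record, or None when
    the bytes are not a complete ClientHello or carry no server_name."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None  # not a TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None  # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None  # truncated: haproxy would keep waiting (inspect-delay)
        pos = 2 + 32                                   # version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None  # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                p = pos + 2  # skip ServerNameList length
                while p + 3 <= pos + elen:
                    ntype = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:  # host_name
                        return body[p + 3:p + 3 + nlen].decode("ascii", "replace").lower()
                    p += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error):
        return None  # malformed record: treat as "no SNI"


def route(data):
    """Pick a backend for a raw ClientHello, falling back like 'server default'."""
    return ROUTES.get(extract_sni(data), DEFAULT_BACKEND)


if __name__ == "__main__":
    for host in ("www.example.com", "MAIL.example.com", "unknown.example.org"):
        print(host, "->", route(build_client_hello(host)))
```

Anything that is not a complete, well-formed ClientHello with a host_name entry falls through to the default backend, which is the same behaviour the quoted configuration gives to clients that send no SNI at all; this is also why an inspect-delay is needed in haproxy, since deciding on a half-received ClientHello would misroute to the default server.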
