HAProxy ======= .. contents:: .. index:: ! haproxy Make sure to use the docs corresponding to the version you are using. 1.5: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html Pass SSL thru ------------- Use proxy "mode tcp". E.g:: listen sectionname bind :443 mode tcp server server1 10.0.0.1:443 default_backend sslserver backend sslserver mode tcp server servername 1.2.3.4:443 Route based on SNI ------------------ This works even if haproxy is not terminating the SSL connection:: acl site_b req_ssl_sni -i site_b.com use_backend site_b_backend if site_b backend site_b_backend mode tcp server b1 10.0.0.1:443 server b2 10.0.0.2:443 Explanation: we set the condition "site_b" true if the SSL SNI in the request (req_ssl_sni) is case-insensitively equal to (-i) the string "site_b.com". We use the backend "site_b_backend" if the condition "site_b" is true. Backend "site_b_backend" means to forward the request without terminating the SSL connection ("mode tcp") to either the server at 10.0.0.1 port 443, or 10.0.0.2 port 443. Route based on Host request header ---------------------------------- Use an ACL to check the header and then pick a backend:: acl site_a hdr(host) -i site_a.com use_backend site_a_backend if site_a backend site_a_backend mode http server a1 10.0.0.1:80 server a2 10.0.0.2:80