HAProxy

Make sure to use the docs corresponding to the version you are using.

1.5: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html

Pass SSL through

Use “mode tcp”, which relays the encrypted stream to the server without terminating SSL on the proxy. E.g.:

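listen sectionname
    bind :443
    # tcp mode: relay the encrypted bytes unchanged; the proxy needs no certificate or key
    mode tcp
    server server1 10.0.0.1:443
    # default_backend takes precedence: connections go to sslserver, not to server1 above
    default_backend sslserver
backend sslserver
    mode tcp
    server servername 1.2.3.4:443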

Route based on SNI

This works even if haproxy is not terminating the SSL connection:

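frontend https_in    # section name is a placeholder
  bind :443
  mode tcp
  # wait (at most 5s) for the TLS ClientHello so the SNI is available to the ACL
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  acl site_b req_ssl_sni -i site_b.com
  use_backend site_b_backend if site_b
backend site_b_backend
  mode tcp
  server b1 10.0.0.1:443
  server b2 10.0.0.2:443

Explanation: the two “tcp-request” lines make haproxy buffer the start of the connection until the SSL ClientHello has arrived; without them, req_ssl_sni can be evaluated before the SNI has been received and the rule will not match. We set the condition “site_b” true if the SSL SNI in the request (req_ssl_sni) is case-insensitively equal to (-i) the string “site_b.com”. We use the backend “site_b_backend” if the condition “site_b” is true. Backend “site_b_backend” means to forward the request without terminating the SSL connection (“mode tcp”) to either the server at 10.0.0.1 port 443, or 10.0.0.2 port 443.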

Route based on Host request header

Use an ACL to check the header and then pick a backend:

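# These two lines go in a frontend or listen section running in mode http.
# haproxy must see the plain HTTP request: either the traffic is unencrypted
# or haproxy terminates SSL itself.
acl site_a hdr(host) -i site_a.com
use_backend site_a_backend if site_a
backend site_a_backend
  mode http
  server a1 10.0.0.1:80
  server a2 10.0.0.2:80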