3

I'm looking around trying to find an example of HAProxy matching SNI wildcards, and my searching is bringing up similarly titled, but unrelated questions about certificates.

Specifically, I need to route nonce domains for dvsni with acme / letsencrypt.

frontend foo_ft_https
    mode tcp
    option tcplog
    bind 0.0.0.0:443

    acl foo_app_letsencrypt req.ssl_sni -i *.acme.invalid
    use_backend foo_bk_letsencrypt if foo_app_letsencrypt

    default_backend foo_bk_default

backend foo_bk_letsencrypt
    mode tcp
    option tcplog

    server foo_srv_letsencrypt 127.0.0.1:3443

backend foo_bk_default
    mode tcp
    option tcplog

    server foo_srv_default 127.0.0.1:8443

Note: all arbitrary names are prefixed with 'foo_' so that the reader can easily distinguish them from keywords, directives and such.

coolaj86

2 Answers

11

Change

acl foo_app_letsencrypt req.ssl_sni -i *.acme.invalid

to

acl foo_app_letsencrypt req.ssl_sni -m end .acme.invalid

It's not mentioned in the official documentation https://cbonte.github.io/haproxy-dconv/configuration-1.5.html explicitly, but I was able to find other resources that led me to the correct result:

Note that if you were to try the first example, it would "work", but the "*" would be interpreted as a literal "*", not a wildcard.

coolaj86
  • Actually, you need "-m end acme.invalid", without the leading dot, otherwise https://acme.invalid doesn't work. You can just add both, -i acme.invalid and -m end .acme.invalid, and then it works reliably, with no wrong matches. But thanks anyway, that solved my problem ;) – Stefan Steiger Dec 10 '20 at 11:49
4

Even though this is a very old question, I would like to share this solution, because this is still among the first Google results:

The solution given by CoolAJ86 doesn't work for me (it probably works for older versions of HAProxy). You can use ssl_fc_sni_end instead of ssl_fc_sni like this:

use_backend apache if { ssl_fc_sni_end domain.com }

It will do the work!

patok
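The two answers use different fetches, and which one applies depends on whether HAProxy terminates TLS. The configuration below is an added example, not from either answer or from the HAProxy project: the first frontend keeps the question's TCP-mode passthrough and uses req.ssl_sni with the suffix and exact matches from the comment above, adding the inspect-delay that makes the ClientHello available before the ACL is evaluated; the second shows the ssl_fc_sni_end form, which only works on a bind that terminates TLS with "ssl crt". The certificate directory and the second listening port are assumptions chosen so both frontends can be loaded side by side.

```haproxy
# Added example, not from the thread.  Backends are the question's.

# 1. TCP-mode passthrough: HAProxy never decrypts, so it can only read the
#    SNI from the ClientHello.  Without the inspect-delay the ACL may run on an
#    empty buffer and every connection lands on default_backend.
frontend foo_ft_https
    mode tcp
    option tcplog
    bind 0.0.0.0:443

    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Suffix match for the per-challenge names, exact match for the apex.
    # Keep the leading dot: "-m end acme.invalid" would also match
    # "notacme.invalid".  "*" is a literal character in any string ACL.
    acl foo_app_letsencrypt req.ssl_sni -m end .acme.invalid
    acl foo_app_letsencrypt req.ssl_sni -i acme.invalid
    use_backend foo_bk_letsencrypt if foo_app_letsencrypt

    default_backend foo_bk_default

# 2. TLS-terminating alternative: ssl_fc_sni / ssl_fc_sni_end read the SNI
#    from HAProxy's own handshake, so the bind must carry "ssl crt".
#    Port and certificate path are assumptions for the example.
frontend foo_ft_https_terminated
    mode tcp
    option tcplog
    bind 0.0.0.0:10443 ssl crt /etc/haproxy/certs/

    use_backend foo_bk_letsencrypt if { ssl_fc_sni_end .acme.invalid }
    default_backend foo_bk_default

backend foo_bk_letsencrypt
    mode tcp
    option tcplog
    server foo_srv_letsencrypt 127.0.0.1:3443

backend foo_bk_default
    mode tcp
    option tcplog
    server foo_srv_default 127.0.0.1:8443
```

Check a configuration of this shape with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; req.ssl_sni on an "ssl" bind, or ssl_fc_sni on a plain one, is the usual reason one of these rules silently never matches.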