Channel: HAProxy community - Latest topics

Cannot get sni or ssl_sni

Hi HAProxy community,
I’m building a DBaaS-style setup using HAProxy in TCP mode to route PostgreSQL/MySQL connections over a single public IP and port based on SNI (subdomain per user). My frontend is bound with ssl crt on port 25060, and I’m trying to map SNI values to different backends using a map file. However, I’m unable to reliably retrieve the SNI value (req.ssl_sni or ssl_fc_sni).

When I enable SSL on the bind, clients connecting with psql sslmode=require frequently fail with SSL handshake failure (error:0A00010B:SSL routines::wrong version number). If I remove SSL from the bind, connections work, but then SNI is not available at all. I’ve also tried using tcp-request inspect-delay and req_ssl_hello_type, but SNI is still not detected consistently.

My question is: what is the correct and recommended way to extract SNI for PostgreSQL connections in TCP mode when using HAProxy, without breaking the TLS handshake? Is SSL termination at HAProxy required, or is there a supported way to do SNI inspection with SSL passthrough for PostgreSQL clients? Any guidance or best practices would be greatly appreciated.
