Haproxy SNI vs HTTP Host ACL check performance

I have a HAProxy 1.5 setup which offloads SSL in front of a couple of webservers (this way, they only deal with HTTP).

My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN.

My frontend config looks like this:

...
frontend my-frontend
    bind            ip:443 ssl crt /var/etc/haproxy/wildcard_cert.pem
    mode            http
    log             global
    option          httplog
    option          forwardfor

    # use_backend rules are evaluated in order: the SNI-based rules come first,
    # so for a matching SNI the Host-header rules below are never reached.
    use_backend     my-backend      if { ssl_fc_sni my.domain.org }
    use_backend     my-backend2     if { ssl_fc_sni my2.domain.org }

    # Fallback: select the backend from the HTTP Host header.
    acl             is-domain   hdr(host) -i my.domain.org
    acl             is-domain2  hdr(host) -i my2.domain.org
    use_backend     my-backend if is-domain
    use_backend     my-backend2 if is-domain2
...

The special sample fetch ssl_fc_sni can be used in case of SSL offloading to access the SNI value (whereas the other one, req_ssl_sni, applies in case of SSL pass-through).

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ssl_fc_sni

I wanted to know if ssl_fc_sni performs faster than HTTP header extraction ACLs. Is there a chance for HAProxy to extract the SNI value and use it before reading the HTTP content, extracting the Host: header and evaluating my second ACL?

Or is the performance just the same?

Thanks,

Thibaut A. asked Oct 12 '15 15:10

1 Answer

I asked the same question on the haproxy mailing list and got an answer:

  1. ssl_fc_sni performs faster than hdr(host), but it will be imperceptible.
  2. It's a bad idea to use the SNI value as a backend selector. The basic hdr(host) is definitely more standard, clean and safe.

Mailing list archive: http://marc.info/?l=haproxy&m=144490809910124&w=2

Thibaut A. answered Oct 01 '22 07:10
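To make the answer's second point concrete, here is an added frontend fragment in HAProxy 1.5 syntax. It is not taken from the question or the mailing list; the backend names and domains are the question's own, and the deny rules are an added hardening assumption. The reason SNI is a poor backend selector is that the SNI value is fixed once per TLS connection (it is sent in the ClientHello), while the Host header arrives with every request, so a keep-alive connection opened for one name can carry requests for another. Routing on hdr(host) follows each request; the optional deny rules additionally refuse a request whose Host does not agree with the SNI the connection was opened with, and the last deny stops unknown hostnames from falling through to whichever backend happens to be listed first.

```haproxy
frontend my-frontend
    bind            ip:443 ssl crt /var/etc/haproxy/wildcard_cert.pem
    mode            http
    log             global
    option          httplog
    option          forwardfor

    # Per-request Host header decides the backend (the standard, clean way).
    acl             is-domain   hdr(host) -i my.domain.org
    acl             is-domain2  hdr(host) -i my2.domain.org

    # Added hardening (assumption, not in the original post): the SNI is set
    # once per TLS connection, Host once per request. Refuse a request whose
    # Host disagrees with the SNI its connection was opened with.
    acl             sni-domain  ssl_fc_sni -i my.domain.org
    acl             sni-domain2 ssl_fc_sni -i my2.domain.org
    http-request    deny if sni-domain  !is-domain
    http-request    deny if sni-domain2 !is-domain2

    # Unknown Host: reject instead of silently using the first listed backend.
    http-request    deny if !is-domain !is-domain2

    use_backend     my-backend  if is-domain
    use_backend     my-backend2 if is-domain2
```

http-request rules are evaluated before the use_backend rules, so a mismatching request is refused before any backend selection happens. Note that hdr(host) is compared as an exact case-insensitive string here; a client that sends an explicit port in the Host header would be rejected by the last rule, which is usually what you want behind a plain :443 listener, but check your own clients before deploying it.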