net/haproxy: add support for SSL SNI expressions, refs #3756

2026-02-03 20:40:37 -05:00 · 2026-01-28 14:50:41 +01:00 · 2026-01-28 14:50:41 +01:00 · a4f2a6ba5c
commit a4f2a6ba5c
parent c380136258
4 changed files with 16 additions and 2 deletions
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@ -25,6 +25,7 @@ Added:
 * add "enabled" field to rules
 * add support for all stick-table data types
 * add support for GPC/GPT/SC to conditions (#1123, #5109)
+* add support for SSL SNI expression to servers (#3756)

 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@ -117,9 +117,15 @@
    </field>
    <field>
        <id>server.sslSNI</id>
-        <label>SSL SNI</label>
+        <label>SSL SNI Name</label>
        <type>text</type>
-        <help><![CDATA[The host name sent in the SNI TLS extension to the server.]]></help>
+        <help><![CDATA[The host name sent in the SNI TLS extension to the server. When present it will be preferred over the SNI expression.]]></help>
+    </field>
+    <field>
+        <id>server.sslSNIExpr</id>
+        <label>SSL SNI Expression</label>
+        <type>text</type>
+        <help><![CDATA[A HAProxy <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html##sni">SNI expression</a> to specify the data that will be sent in the SNI TLS extension to the server, e.g. req.hdr(host). When a SNI name is present it will be used instead and this option will be ignored.]]></help>
    </field>
    <field>
        <id>server.sslVerify</id>
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@ -1553,6 +1553,11 @@
                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                    <Required>N</Required>
                </sslSNI>
+                <sslSNIExpr type="TextField">
+                    <Mask>/^.{1,255}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </sslSNIExpr>
                <sslVerify type="BooleanField">
                    <Default>1</Default>
                    <Required>Y</Required>
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@ -2174,6 +2174,8 @@ backend {{backend.name}}
 {#                 # SNI #}
 {%                 if server_data.sslSNI|default('') != '' %}
 {%                   do server_options.append('sni str(' ~ server_data.sslSNI ~ ')') %}
+{%                 elif server_data.sslSNIExpr|default('') != '' %}
+{%                   do server_options.append('sni ~ server_data.sslSNIExpr) %}
 {%                 endif %}
 {#                 # HTTP/2 #}
 {%                 if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}