diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index a7d97e8b0..691f992e2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -25,6 +25,7 @@ Added:
* add "enabled" field to rules
* add support for all stick-table data types
* add support for GPC/GPT/SC to conditions (#1123, #5109)
+* add support for SSL SNI expression to servers (#3756)
Changed:
* upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 99db8ffab..4dea54e11 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -117,9 +117,15 @@
server.sslSNI
-
+
text
-
+
+
+
+ server.sslSNIExpr
+
+ text
+ SNI expression to specify the data that will be sent in the SNI TLS extension to the server, e.g. req.hdr(host). When a SNI name is present it will be used instead and this option will be ignored.]]>server.sslVerify
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 9ed90cbb1..8c69d381f 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1553,6 +1553,11 @@
Should be a string between 1 and 255 characters.N
+
+ /^.{1,255}$/u
+ Should be a string between 1 and 255 characters.
+ N
+ 1Y
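Review bot: The mask added for the new SNI expression field, `/^.{1,255}$/u`, accepts spaces and any other non-newline character, and the haproxy.conf hunk writes the value unquoted after `sni` on the server line. HAProxy would parse a value containing whitespace as further server keywords rather than as part of the expression, so a typo or pasted text can silently change the server's TLS options. If expressions with spaces are not needed, a tighter mask such as `/^\S{1,255}$/uD` would prevent this, and the `D` modifier also stops `$` from tolerating a trailing newline. The validation message would need updating to match, for example `Should be a sample expression of 1 to 255 characters without whitespace.`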
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 8837f0004..508484eb3 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -2174,6 +2174,8 @@ backend {{backend.name}}
{# # SNI #}
{% if server_data.sslSNI|default('') != '' %}
{% do server_options.append('sni str(' ~ server_data.sslSNI ~ ')') %}
+{% elif server_data.sslSNIExpr|default('') != '' %}
+{% do server_options.append('sni ~ server_data.sslSNIExpr) %}
{% endif %}
{# # HTTP/2 #}
{% if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
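Review bot: The string literal on the added `do` line is never closed: `'sni ~ server_data.sslSNIExpr)` opens a quote after `append(` and runs to the end of the tag. As shown, the template would fail to parse, so haproxy.conf could not be generated for any backend, not only those using the new option. Following the `sni str(...)` line above it, the line should read `{% do server_options.append('sni ' ~ server_data.sslSNIExpr) %}`. The enclosing backend/server loop starts and ends outside the hunk, so this is based on the visible lines only.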