switch acls based on SNI

lb/haproxy.cfg

@@ -57,13 +57,24 @@ frontend https
     http-response set-header Access-Control-Max-Age 3628800
     http-response set-header Access-Control-Allow-Methods "GET"
 
-    # ACL
-    acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
-    acl is_forestnet hdr(host)-i forest.deflax.net
-    acl is_forestdb hdr(host) -i db.forest.deflax.net
-    acl is_osmap hdr(host) -i map.deflax.net
+    # SNI ACLs
+    acl is_forestnet ssl_fc_sni -i forest.deflax.net
+    acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
+    acl is_osmap ssl_fc_sni -i map.deflax.net
     
+    # IP ACls
+    acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
+
     tcp-request connection reject if is_forestdb !is_allowed
+    
+    tcp-request inspect-delay 2s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    http-request set-header X-Forwarded-Protocol https
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header X-Forwarded-Ssl on
+    http-request set-header X-Url-Scheme https
+    http-request set-header Host %[ssl_fc_sni]
 
     use_backend forestnet if is_forestnet
     use_backend forestdb if is_forestdb