> IMHO, it's confusing having clear and SSL backends defined I do see your point, but I would rather not introduce another configuration option like use-server (a new user probably doesn't know about ssl_fc and conditional options either).
What about removing the clear-text options and make a dedicated clear-text frontend which uses the https-backend. That way we give the users a immediate understanding of the fact that ssl processing is fully decoupled from the request processing itself; but we also avoid mixed front and backends, which is whats causing confusion here. It would then look like this I guess: frontend my-http-frontend bind :80 default_backend my-https-backend frontend my-https-frontend # primary cert is /etc/cert/server.pem # /etc/cert/certdir/ contains additional certificates for SNI clients bind :443 ssl crt /etc/cert/server.pem crt /etc/cert/certdir/ default_backend my-https-backend backend my-https-backend # a https backend server s4 10.0.0.3:443 ssl