Can a hardware load-balancer route SSL traffic with SNI?
Solution 1:
According to their website, F5 load balancers have support for SNI :
https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication
You can even make iRules based on SNI.
Disclaimer :
- I haven't verified what they claim on their website
- I don't work for F5, and I haven't used any in production for 3+ years.
Solution 2:
can't the router examine the SNI header,
A router usually works only at OSI layer 3, i.e. does not inspect the contents of the packet but only the target IP. For routing based on SNI an understanding of TCP and TLS would be necessary which is both more complex and way more expensive (regarding performance) then just routing based on IP address. And this is also usually not called routing any more then.
Haproxy does this .. hardware load balancers don't.
You are mixing router (layer 3), hardware load balancer (layer 4 and maybe higher) and Haproxy (software load balancer). A hardware load balancer is nothing more than an appliance with some software load balancer on it and maybe also some hardware acceleration for specific actions. There is nothing which inherently make balancing (not routing) based on SNI information impossible on a hardware load balancer and like another answer suggests there are products which support this. But of course it needs to be implemented and it costs performance - they deeper you look at the traffic the slower it gets.