Move TLS allowlist check before DNS resolution

Reject blocked domains before do-resolve to avoid unnecessary DNS
queries for connections that will be denied.

Author: dash14

docker/files/haproxy.cfg.template

@@ -67,20 +67,20 @@ frontend outbound_proxy
     tcp-request content reject if is_tls !has_sni
 
     # ---------------------------------------------------------
-    # 3. TLS DNS resolution & destination override
+    # 3. TLS allowlist check (before DNS to avoid resolving blocked domains)
+    # ---------------------------------------------------------
+    tcp-request content set-var(sess.reason) str(not-allowed) if is_tls has_sni !is_https_allowed
+    tcp-request content reject if is_tls has_sni !is_https_allowed
+
+    # ---------------------------------------------------------
+    # 4. TLS DNS resolution, destination override & accept
     # ---------------------------------------------------------
     tcp-request content do-resolve(sess.actual_ip,my_dns) var(sess.sni) if is_tls has_sni
     tcp-request content set-var(sess.reason) str(dns-failed) if is_tls has_sni ! { var(sess.actual_ip) -m found }
     tcp-request content reject if is_tls has_sni ! { var(sess.actual_ip) -m found }
     tcp-request content set-dst var(sess.actual_ip) if is_tls has_sni
-
-    # ---------------------------------------------------------
-    # 4. TLS accept/reject
-    # ---------------------------------------------------------
-    tcp-request content set-var(sess.decision) str(${HAPROXY_DECISION_LABEL}) if is_tls has_sni is_https_allowed
-    tcp-request content accept if is_tls has_sni is_https_allowed
-    tcp-request content set-var(sess.reason) str(not-allowed) if is_tls has_sni !is_https_allowed
-    tcp-request content reject if is_tls has_sni !is_https_allowed
+    tcp-request content set-var(sess.decision) str(${HAPROXY_DECISION_LABEL}) if is_tls has_sni
+    tcp-request content accept if is_tls has_sni
 
     # ---------------------------------------------------------
     # 5. Non-TLS DNS-routed → HTTP backend