Can’t get logs working, but so far it appears this configuration is working. Here is my /etc/haproxy/haproxy.cfg.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 4096
    user haproxy
    group haproxy
    daemon


defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 15s
    timeout client  15s
    timeout server  15s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


frontend localhost80
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

frontend localhost443
    bind *:443
    option tcplog
    mode tcp

    acl tls req.ssl_hello_type 1

    tcp-request inspect-delay 5s
    tcp-request content accept if tls

    acl is_wordpress req.ssl_sni -i mydomain1.com   #10.0.0.165
    acl is_nextcloud req.ssl_sni -i mydomain2.com                #10.0.0.160

    use_backend nextcloud_cluster if is_nextcloud
    use_backend wordpress_cluster if is_wordpress


backend wordpress_cluster
    mode tcp

    option ssl-hello-chk

    server is_wordpress 10.0.0.165:443 check


backend nextcloud_cluster
    mode tcp

    option ssl-hello-chk

    server is_nextcloud 10.0.0.160:443 check