No, you cannot bind to “0.0.0.0:443” twice, that will lead either to a bind error on startup or to a nasty kernel-based load-balancing between the two sockets (when REUSEPORT is supported).
You can only have one 0.0.0.0:443 socket, and use TCP mode to SNI route it to different destination; use a dedicatated backend to respin this traffic to the correct (TLS terminating) frontend. Abstract namespace sockets (abns) lend itself to this purpose very well.
So this would look something like this:
backend respin-tls-term
option http-server-close
server loopback-for-tls abns@haproxy-tls-term send-proxy-v2
!
frontend http-in
mode http
bind 0.0.0.0:80
bind abns@haproxy-tls-term accept-proxy ssl crt /etc/pki/tls/private/cert.pem
option httplog
option dontlognull
option contstats
acl host_host2 hdr(host) -i host2.domain.com
use_backend host2_cluster if host_host2
!
frontend https-in
mode tcp
option tcplog
bind 0.0.0.0:443
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
acl host_host1 req.ssl_sni -i host1.domain.com
use_backend host1_cluster if host_host1
use_backend respin-tls-term if { req.ssl_sni -i host2.domain.com }