ACLs with TLS and URL paths

Hello Everyone,

I have an application that requires client certificate authentication. These applications run on different ports and are accessed by path.,

I would like to ‘hide’ those ports or redirect to the backend for each of those separate application.

Do I terminate the TLS at the HAProxy, use an ACL to determine the correct backend server - than pass the client certificate as a header?

Is that the correct approach?

Further follow-up to my question. Attached is my config.
So I do certificate authentication to HAProxy and terminate so that I can examine the URL Path.
If it is just a host.domain than pass that through a a Web Site.

If the host.domain includes a path than redirect to that specific application port.

frontend web-in
bind *:443 ssl verify required crt /etc/haproxy/cert/cert.pem ca-file /etc/haproxy/cert/cacert.pem
mode http

http-request set-header SSL_CLIENT_CERT &[ssl_c_der.base64]
http-request set-header X-Real-IP %[src]

acl user_app1 path -i -m beg /Application/

use_backend web if { req.hdr(host) -i }
use_backend app1 if user_app1

default_backend web

backend web
server web1 ssl verify none

backend app1
server app_srv1 ssl verify none