Allow only specific path url with 443/cert

Hello,
I was searching the whole day already for how to get this to work but have not found any solution.
I have an environment where haproxy has a URL that uses a certificate on nginx on the backend server, so the connection goes: internet > haproxy url:443 > nginx & cert. What I need is to set up, with mode tcp (as http/80 is redirected to https), the allow/deny of the path suffixes.
So let's say my front looks like this:
frontend tcp-in-443
    bind 0.0.0.0:443 interface eth0
    mode tcp
    #option tcplog
    maxconn 500
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend no_ssl

    use_backend xxx.xxx.com if { req_ssl_sni -i xxx.xxx.com }

backend xxx.xxx.com
    mode tcp
    option tcplog
    server default 123.123.123.123:443 check

What I need is that if someone is sending a request to open xxx.xxx.com he gets a 404 or a redirection; the ONLY path that can be accessible is xxx.xxx.com/test/test2/* and not xxx.xxx.com or some /blah.
How can I achieve that? In front ACLs + use_backend? I was trying that but it was not working, or maybe I did a wrong config…

edit - also this web should be ALL visible from the internal LAN, which goes to nginx directly, so the idea is to block it only from the internet

You cannot review/reject/redirect anything on port 443, unless you are actually decrypting it (certificate on haproxy), because the payload is encrypted otherwise.

On port 80, you can do what you want, use ACL rules to redirect as you please.

Can't I do something like this but with /paths? So the first request that someone is doing from outside will allow him to get to the URL xxx.xxx.com/path, and if he puts xxx.xxx.com, haproxy will reject it.

acl is_host_com hdr(Host) -i example.com
tcp-request inspect-delay 30s
tcp-request content accept if is_host_com
tcp-request content reject

So let's say that I can put a wildcard cert on haproxy, then it's possible to decrypt and allow/reject the flow to a particular path?

No, because it is encrypted.

Yes.

Something like that?

frontend xxx.xxx.com-443
    bind 127.0.0.1:443 ssl crt /etc/ssl/certs/wildcard.pem
    mode tcp
    option tcplog
    maxconn 500
    tcp-request inspect-delay 5s
    default_backend xxx.xxx.com

backend xxx.xxx.com
    mode http
    cookie SERVERID insert indirect nocache
    option forwardfor
    server default 10.123.123.123:443 check

and with some

    acl path_ok path_beg /test
    http-request deny unless path_ok

You also need mode http in the frontend and you need to add “ssl verify none” in the backend server, which enables SSL encryption on the backend and disables certificate verification (insecure, configure it properly with ssl certificate validation in production).

About the only differentiator you have at the SSL layer is the SNI (server name identification) which is an extension where the client sends that in their request. The information about what path they want doesn’t exist until after the SSL handshake takes place. (SSL first then HTTP)

So either the data needs to be decrypted by performing the ssl handshake on the haproxy device or you only act on the server name alone. I’d suggest what lukastribus says and that’s to move your cert and key over to the HAProxy device. Let it handle the ssl handshake and then allow or reject as needed from there.

You can even do some interesting mapping of hostnames and such to different backends like one user did over here: How does the SNI Routing works in HAProxy • ME2Digital
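Putting the two replies above together (terminate TLS on HAProxy with mode http so the path is visible, and re-encrypt to nginx with certificate validation rather than "ssl verify none"), here is a complete configuration as an added example; it is not from the thread and not the poster's config. The hostname, backend IP and wildcard certificate path are taken from the thread, the CA bundle path /etc/ssl/certs/ca.pem is an assumed placeholder, and `deny_status 404` requires HAProxy 1.8 or later (older versions answer 403 from a plain `http-request deny`). Because the internal LAN reaches nginx directly, this filter only affects traffic that arrives through HAProxy, which matches the edit in the original question.

```haproxy
# Added example (not from the thread): HAProxy holds the wildcard certificate,
# decrypts, filters on the HTTP path, and re-encrypts towards nginx.
# Assumptions: hostname, backend IP and cert path as in the thread;
# /etc/ssl/certs/ca.pem is a placeholder for the CA that signed the nginx cert.

global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP only redirects to HTTPS; nothing is served here.
frontend http-in-80
    bind 0.0.0.0:80
    http-request redirect scheme https code 301

# HTTPS is terminated here, so "mode http" gives us Host and path to filter on.
# In "mode tcp" only the SNI from the ClientHello would be visible.
frontend https-in-443
    bind 0.0.0.0:443 ssl crt /etc/ssl/certs/wildcard.pem
    mode http
    maxconn 500

    # Host header without an optional :port suffix must be the expected name.
    acl host_ok req.hdr(host),field(1,:) -i xxx.xxx.com
    # Allowed paths: exactly /test/test2 or anything below /test/test2/.
    # Two ACLs with the same name are OR'ed; "path_beg /test" alone would also
    # let /testing or /test/other through.
    acl path_ok path /test/test2
    acl path_ok path_beg /test/test2/

    # Everything else from the internet (the bare host, /blah, other hosts) gets a 404.
    http-request deny deny_status 404 unless host_ok path_ok

    default_backend xxx.xxx.com

backend xxx.xxx.com
    mode http
    option forwardfor
    # Re-encrypt to nginx and validate its certificate instead of "verify none":
    # "sni" sends the expected name in the backend handshake and "verifyhost"
    # checks it against the certificate nginx presents.
    server nginx1 10.123.123.123:443 check ssl verify required ca-file /etc/ssl/certs/ca.pem sni str(xxx.xxx.com) verifyhost xxx.xxx.com
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The trade-off of this design is that the private key now lives on the HAProxy host as well, so it has to be protected there with the same care as on nginx, and the `/etc/haproxy/errors` 404 page (or a custom `errorfile 404`) is what internet clients see for every denied request.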