You cannot configure 2 frontends on port 443, without specifying different IP addresses.
For example, if you have 2 public IP addresses you CAN do this:

    frontend a
        bind 192.168.1.5:443 ssl crt ...
    frontend b
        bind 192.168.1.6:443

However you cannot bind to port 443, if any of those bind statements on port 443 doesn’t also specify a dedicated IP address, otherwise your kernel will randomly load-balance between the two.
You can add noreuseport to the global configuration temporarily, to check if haproxy is still able to start. That’s a good indication of whether the port configuration works fine, even without SO_REUSEPORT on the sockets. In this case, your kernel would reject binding to the same port twice, because of this misconfiguration.
So, how could you solve this with just one public IP? Move your SSL terminating frontend somewhere else and use a single frontend on port 443 which decides where the traffic needs to go.
Something like:

    # The only frontend bound to port 443; TCP mode, routes by source address
    frontend 443
        mode tcp
        bind :443
        acl vendor2_prod src -f /etc/haproxy/ipranges/vendor2_prod.subnets
        acl vendor2_dev src -f /etc/haproxy/ipranges/vendor2_dev.subnets
        use_backend vendor2_tcp if vendor2_prod || vendor2_dev
        default_backend localhttps

    # Loopback hop; send-proxy passes the client address via the PROXY protocol
    backend localhttps
        mode tcp
        server localhost 127.0.0.1:1443 send-proxy

    # SSL terminates here, on a loopback-only port
    frontend main_https
        bind 127.0.0.1:1443 ssl crt /etc/haproxy/certs/our_cert.pem accept-proxy
        mode http
        option forwardfor except 127.0.0.0/8
        option httplog
        stats enable
        acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
        stats uri /haproxy?stats
        default_backend vendor1_ssl
        acl h_1 path_beg /h/1/
        acl server01_down nbsrv(server01_ssl) eq 0
        use_backend server01_ssl if h_1 !server01_down

The important point is that you only have a single frontend binding to port 443.
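
A static check for the rule described above, written as an added example (not part of the original post and not an HAProxy tool): it scans a configuration for ports that two different frontend/listen sections bind with the same or a wildcard address. The function name, the sample configurations and the certificate path are assumptions; as a simplification it treats any wildcard as overlapping every address and skips port ranges and unix sockets.

```python
import re
from collections import defaultdict

WILDCARDS = {"", "*", "0.0.0.0", "::", "[::]"}
OTHER_SECTIONS = {"global", "defaults", "backend", "userlist", "peers", "resolvers"}

def bind_conflicts(config_text):
    """Return [(port, [(section, address), ...])] for every port on which two
    different frontend/listen sections could receive the same connection."""
    section = None
    by_port = defaultdict(list)              # port -> [(section, address)]
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in ("frontend", "listen") and len(words) > 1:
            section = words[1]
        elif words[0] in OTHER_SECTIONS:
            section = None
        elif words[0] == "bind" and section and len(words) > 1:
            for spec in words[1].split(","):
                m = re.fullmatch(r"(.*):(\d+)", spec)
                if m:  # simplification: port ranges and unix sockets are skipped
                    by_port[int(m.group(2))].append((section, m.group(1)))
    conflicts = []
    for port, binds in sorted(by_port.items()):
        overlap = any(
            sec_a != sec_b and (a == b or a in WILDCARDS or b in WILDCARDS)
            for i, (sec_a, a) in enumerate(binds)
            for sec_b, b in binds[i + 1:]
        )
        if overlap:
            conflicts.append((port, binds))
    return conflicts

# Constructed sample configurations; /path/to/cert.pem is a placeholder.
SHARED_WILDCARD = "frontend a\n bind :443 ssl crt /path/to/cert.pem\nfrontend b\n bind :443\n"
MIXED = "frontend a\n bind 192.168.1.5:443 ssl crt /path/to/cert.pem\nfrontend b\n bind :443\n"
DEDICATED_IPS = "frontend a\n bind 192.168.1.5:443\nfrontend b\n bind 192.168.1.6:443\n"
SINGLE_443 = "frontend 443\n bind :443\nfrontend main_https\n bind 127.0.0.1:1443 accept-proxy\n"

if __name__ == "__main__":
    for name in ("SHARED_WILDCARD", "MIXED", "DEDICATED_IPS", "SINGLE_443"):
        print(name, bind_conflicts(globals()[name]) or "no conflict")
```

The noreuseport start-up test remains the authoritative check, since it asks the kernel directly; this only catches the pattern before a reload.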