Theoretically, will this work: clients connect through a local haproxy in reverse proxy mode with a self-signed root CA, then the local haproxy forwards this proxy to a remote haproxy server over https, which is signed by a trusted CA.
I want to do this because I need fine-grained control over clients’ request URLs. SNI alone isn’t enough. And I don’t want to use self-signed certificates over the internet. I know there was a tool called sslstrip, but some clients just don’t like clear text even though they support proxy.
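The chain described above, sketched as a local HAProxy configuration (an added example, not part of the original post). The listen address, certificate paths, the hostname `remote.example.com` and the path allow-list are assumptions chosen for illustration, and clients must already trust the private root CA that issued `local.pem`.

```haproxy
# Added example: local TLS-terminating hop that re-encrypts to a remote HAProxy.
# All names, paths and rules below are illustrative assumptions.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend local_tls
    # Terminate client TLS with a certificate issued by the private root CA.
    # local.pem holds the certificate chain and private key in one file.
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/local.pem

    # Once TLS is terminated the full request is visible, so rules can match
    # on the URL path and method rather than on SNI alone.
    acl allowed_path   path_beg /api/ /static/
    acl allowed_method method GET HEAD POST
    http-request deny deny_status 403 unless allowed_path allowed_method

    default_backend remote_haproxy

backend remote_haproxy
    # Re-encrypt towards the remote server. "verify required" with the system
    # trust store makes the local hop reject anything that is not a valid,
    # publicly signed certificate for the expected hostname.
    server remote remote.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(remote.example.com) verifyhost remote.example.com
```

The private CA key only ever signs the local listener's certificate; the hop that crosses the internet is authenticated by the publicly trusted certificate and fails closed if verification does not succeed.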