Failed to get http and ocserv on same port

I took reference from ocserv guide:

to use SNI to split traffic to my ocserv vpn and other services (http).

Here is my configuration file:

frontend ft_ssl_vip
bind *:8443
mode tcp

tcp-request inspect-delay 5s
tcp-request content accept if  { req_ssl_hello_type 1 }

default_backend bk_ssl_default

backend bk_ssl_default
mode tcp

acl vpn-app req_ssl_sni -i vpn.example.com
acl trans-app req_ssl_sni -i  trans.example.com
acl nc-app req_ssl_sni -i nc.example.com

use-server server-vpn  if vpn-app
use-server server-trans if trans-app
use-server server-nc if nc-app
use-server server-vpn if !vpn-app !trans-app !nc-app

option ssl-hello-chk
server server-vpn 127.0.0.1:443 send-proxy-v2
server server-nc  localhost:8888 check
server server-trans localhost:9091 check

However, in haproxy.log, I can see both server-nc and server-trans fails.

Aug 11 17:12:33 localhost haproxy[19960]: Server bk_ssl_default/server-nc is DOWN, reason: Layer6 invalid response, check duration: 0ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

Aug 11 17:12:34 localhost haproxy[19961]: Server bk_ssl_default/server-trans is DOWN, reason: Layer6 invalid response, check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

Can above approach work in my case of sharing http & ocserv? if yes, how?

These are health check fails. Either nothing is listening on those ports, or health check fails for some other reasons.

However, I don’t see why you need health checking in the first place. It’s not like you have backup servers, so I’d suggest to remove the check keyword from all of them.