SNI based switching is the way to go, when you have only 1 public IP address. If you have multiple IP addresses, then just bind to different IP addresses in your frontends…
For the SNI solution, you have to match either the SNI value of the SSL terminating hostnames, or the the value of the hostname(s) for the passthrough.
You can find a better example here:
It’s about different SSL parameters (client auth), in your case one of the second tier frontends would be in tcp mode …