A few suggestions:
- you only need to match SNI in one frontend (the one listening on port 443)
- start using normal IP sockets for the backend → frontend re-circulation, that's less complex
- don’t start adding features when your basic configuration doesn’t work. Don’t use proxy-protocol on the first try
- I don’t see any SSL terminating configuration in there, so it’s unclear how that would work
Here’s an (untested) configuration that would work, based on your initial description (a, b, c.smalldragoon.com should be SSL passthrough, d.smalldragoon.com should be SSL terminated):
frontend Main-Frontend-SNI-redirect-443
    bind [MY PUBLIC IP]:443 name [MY PUBLIC IP]:443
    mode tcp
    log global
    timeout client 30000
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl passthroughdom req.ssl_sni -i a.smalldragoon.com
    acl passthroughdom req.ssl_sni -i b.smalldragoon.com
    acl passthroughdom req.ssl_sni -i c.smalldragoon.com
    use_backend passthrough if passthroughdom
    acl ssltermdom req.ssl_sni -i d.smalldragoon.com
    use_backend sslterm if ssltermdom
    # or use a default_backend directive

frontend frontsslterm
    mode http
    bind 127.0.0.1:445 ssl crt /var/ssl/private/
    default_backend httpbackend

backend httpbackend
    mode http
    server server1 192.168.1.2:80

backend passthrough
    mode tcp
    server server1 192.168.1.1:443

backend sslterm
    mode tcp
    server local 127.0.0.1:445
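To make clear what the port-443 frontend is actually inspecting (the unencrypted SNI in the ClientHello, before any TLS termination), here is an added example, not part of the post above and not HAProxy code: it builds a constructed ClientHello, extracts the server name the way `req.ssl_sni` does, and applies the same ACL-to-backend mapping as the config (the route table and function names are assumptions for this illustration).

```python
import struct

# Constructed minimal TLS 1.2 ClientHello with an SNI extension: the bytes HAProxy
# inspects during tcp-request inspect-delay, before any TLS termination happens.
def build_client_hello(server_name):
    host = server_name.encode()
    entry = b"\x00" + struct.pack(">H", len(host)) + host          # host_name type
    sni = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0, len(sni)) + sni                     # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32        # client_version + random
            + b"\x00"                         # session_id length
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # compression: null
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs       # TLS record header

def extract_sni(data):
    """Server name from a ClientHello record, lower-cased like an `-i` ACL, else None."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                      # not a ClientHello: req.ssl_hello_type 1 fails
    try:
        p = 9 + 2 + 32                   # skip handshake header, version, random
        p += 1 + data[p]                 # session_id
        p += 2 + struct.unpack(">H", data[p:p + 2])[0]   # cipher_suites
        p += 1 + data[p]                 # compression_methods
        if p + 2 > len(data):
            return None                  # no extensions block at all
        end = p + 2 + struct.unpack(">H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", data[p:p + 4])
            p += 4
            if etype == 0:               # server_name: skip list len (2) and name type (1)
                n = struct.unpack(">H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + n].decode("ascii").lower()
            p += elen
    except (IndexError, struct.error):
        return None                      # truncated or malformed hello
    return None

# Same mapping as the acl/use_backend lines in the config above (assumed table).
ROUTES = {"a.smalldragoon.com": "passthrough", "b.smalldragoon.com": "passthrough",
          "c.smalldragoon.com": "passthrough", "d.smalldragoon.com": "sslterm"}

def select_backend(record):
    """Backend name the frontend would pick, or None when no ACL matches."""
    return ROUTES.get(extract_sni(record))
```

A plain-HTTP request or a truncated hello yields no SNI, which is why the config gates on `req.ssl_hello_type 1` and needs a `default_backend` (or a dropped connection) for names that match no ACL.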