I am using SSL termination and SNI to two backend IIS servers. Haproxy version 1.6.9. The setup works for port 80 to the frontend and then port 80 to the backend. It used to work for port 443 to the frontend and port 443 to the backend but now it throws 503 errors. If I do port 443 to the frontend and port 80 to the backend it works but I need the backend traffic encrypted too. If I trace the packets I see a connection to the backend servers but then nothing happens. The sites have been verified to work on the backend IP over port 443 from a browser on a different system. I do not see why 443 stopped working for the proxy to backend connection.
Config for SNI is basically:
frontend shared-ip-frontend
    bind 192.168.254.111:80
    maxconn 40000
    # hdr_end is a suffix match: it also matches hosts such as notsample.com
    acl host_sample.com hdr_end(host) -i sample.com
    use_backend sample.com if host_sample.com
    # Default backend for port 80
    default_backend shared-ip-default-backend

frontend shared-ip-frontend-SSL
    # TLS is terminated here; the certificate is chosen from the directory by the client's SNI
    bind 192.168.254.111:443 ssl crt /etc/haproxy/certs-shared-ip
    maxconn 40000
    # tell IIS the client connected over https
    reqadd X-Forwarded-Proto:\ https
    acl host_sample.com hdr_end(host) -i sample.com
    use_backend sample.com-SSL if host_sample.com
    # no default SSL backend: a request whose Host header does not match gets a 503

backend sample.com
    option httpchk OPTIONS / HTTP/1.0\r\nHost:\ sample.com
    # source-IP persistence; the SSL backend refers to this table
    stick-table type ip size 10k expire 20m
    stick on src
    server 192.168.7.111 192.168.7.111:80 check
    server 192.168.6.111 192.168.6.111:80 check

backend sample.com-SSL
    stick on src table sample.com
    # never fires here: this backend is only reached from the TLS frontend, so ssl_fc is always true
    redirect scheme https if !{ ssl_fc }
    # no port on the address, so traffic goes over TLS to the port the client used on the frontend (443);
    # "check port 80" sends a plain TCP connect check to port 80 (there is no httpchk in this backend, and
    # an explicit check port is not wrapped in SSL), so the check does not exercise the 443 path the
    # traffic takes. No verify/ca-file is given, so the backend certificate is not validated; with the
    # default ssl-server-verify required, HAProxy 1.6 only loads these lines if verify none is set here
    # or ssl-server-verify none is set globally.
    server 192.168.7.111 192.168.7.111 ssl check port 80
    server 192.168.6.111 192.168.6.111 ssl check port 80
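The fragment below is an added example for HAProxy 1.6, not the poster's configuration and not a diagnosis of the 503. It shows the same TLS frontend and a re-encrypting backend with the server-side TLS settings made explicit: the backend port written as :443 instead of inherited from the frontend, sni ssl_fc_sni so IIS receives the client's server name (an IIS binding that requires SNI will not serve a connection without it), verify required with a ca-file and verifyhost so the backend certificate is actually checked, and check-ssl plus an httpchk so the health check uses the same TLS path as the traffic. The CA file path /etc/haproxy/backend-ca.pem, the extra hostname www.sample.com and the exact-match host ACL are assumptions.

```haproxy
# Added example, not the original poster's config. Paths and hostnames are assumed.
frontend shared-ip-frontend-SSL
    bind 192.168.254.111:443 ssl crt /etc/haproxy/certs-shared-ip
    maxconn 40000
    reqadd X-Forwarded-Proto:\ https
    # hdr(host) is an exact (whole-value) match, unlike hdr_end(host), which
    # also accepts hosts such as notsample.com; list every name you serve.
    acl host_sample.com hdr(host) -i sample.com www.sample.com
    use_backend sample.com-SSL if host_sample.com

backend sample.com-SSL
    stick on src table sample.com
    # Health check carried over TLS on the same port as the real traffic.
    option httpchk OPTIONS / HTTP/1.1\r\nHost:\ sample.com
    # :443      explicit backend port instead of inheriting the client's frontend port
    # sni       send the client's SNI name to IIS (needed for bindings that require SNI)
    # verify    validate the IIS certificate against the assumed CA file and hostname
    # check-ssl run the httpchk over TLS so the check exercises the 443 path
    server 192.168.7.111 192.168.7.111:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/backend-ca.pem verifyhost sample.com check check-ssl
    server 192.168.6.111 192.168.6.111:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/backend-ca.pem verifyhost sample.com check check-ssl
```

With verify required, a backend whose certificate is not issued by the CA in ca-file, or whose CN/SAN does not match verifyhost, is marked DOWN by the check and refused for traffic, which is the behaviour you want from "encrypted to the backend"; verify none would keep the traffic encrypted but accept any certificate. Check the result with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading.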