SSL passthrough conditions not working, everything sent to default_backend

Hello, I’m brand new to HAProxy. I’m running it on ProxMox attempting to have it be the ‘traffic control’ for the other services on my Proxmox server. My SSL passthrough is not working at all. Everything SSL is sent to default_backend. non-SSL traffic seems fine. I’d rather let the backend servers handle the certs instead of having HAProxy terminate SSL, as some of the backend services insist on communicating via https only. I’ll post my config here.

        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        #  See:
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

### http ###

frontend http
        mode http
        option httplog
        bind :80
        option forwardfor
        use_backend backend_one_http if { hdr(host) -i }
        use_backend backend_two_http if { hdr(host) -i }
        use_backend backend_two_http if { hdr(host) -i }
		default_backend backend_two_http

backend backend_one_http
        mode http
        option forwardfor
        server backend_one check

backend backend_two_http
        mode http
        option forwardfor
        server backend_two check

### https ###

frontend https
        mode tcp
        option tcplog
        bind :443
        use_backend backend_one_https if { req.ssl_sni -i }
        use_backend backend_two_https if { req.ssl_sni -i }
        use_backend backend_two_https if { req.ssl_sni -i }
		default_backend backend_two_https

backend backend_one_https
        mode tcp
        option ssl-hello-chk
        server backend_one check

backend backend_two_https
        mode tcp
        option ssl-hello-chk
        server backend_two check

All SSL traffic is being sent to the default_backend instead of where it should be going via the use_backend conditions. Is there something obvious I’m missing here?

Here is my haproxy -vv output:

root@proxy:~# haproxy -vv
HAProxy version 2.4.7-1ppa1~focal 2021/10/07 -
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs:
Running on: Linux 5.11.22-5-pve #1 SMP PVE 5.11.22-10 (Tue, 28 Sep 2021 08:15:41 +0200) x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-s1iGIG/haproxy-2.4.7=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  DEBUG   = 


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
            fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
       <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
              h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
       <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
            none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : prometheus-exporter
Available filters :
        [SPOE] spoe
        [CACHE] cache
        [FCGI] fcgi-app
        [COMP] compression
        [TRACE] trace

Before matching SNI values in the buffer with req.ssl_sni, you need to wait for the buffer to actually be filled with that data:

# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend backend_one_https if { req.ssl_sni -i }

Thank you!