@BelluX
The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option Shared Frontend on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode).
This is how I set up HAProxy to support mixed offloading and passthrough:
Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No.
Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal.
Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode).
Add ACLs using Server Name Indication TLS extension ends with for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https.
The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.