HAProxy passthrough not working
Hi everyone
I was setting up HAProxy on my pfSense (SG-8860, newest version), and I already ran into a certain problem, which I showed in this topic:
https://forum.pfsense.org/index.php?topic=137483.msg752004#msg752004
It works now sometimes, but some users say they have to load the page 2-10 times until it works. In addition, I was setting up Direct Access from Microsoft and it is not connecting. HTTP is working fine; only HTTPS is not working reliably. Now I'm wondering if passthrough is not set up correctly. Attached I have my config file from pfSense (anonymised):
# Automaticaly generated, dont edit manually.
# Generated on: 2017-10-05 17:24
global
    maxconn 100000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:8082 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Front-End-https
    bind publicIP:443 name publicIP:443
    mode tcp
    log global
    timeout client 30000
    tcp-request inspect-delay 5s
    acl fc req.ssl_sni -m sub -i fc.contoso.com
    acl franch req.ssl_sni -m sub -i contoso.dyndns.org
    acl moe req.ssl_sni -m sub -i moe.contoso.com
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend fc.contoso.com_https_ipvANY if fc
    use_backend contoso.dyndns.org_https_ipvANY if franch
    use_backend moe.contoso.com_https_ipvANY if moe.da

frontend Front-End-http
    bind publicIP:80 name publicIP:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl fc.contoso.com hdr_sub(host) -i fc.contoso.com
    acl contoso.dyndns.org hdr_sub(host) -i contoso.dyndns.org
    acl testa.dyndns.org hdr_sub(host) -i testa.dyndns.org
    acl moe.contoso.com hdr_sub(host) -i moe.contoso.com
    http-request redirect scheme https if fc.contoso.com
    http-request redirect scheme https code 301 if contoso.dyndns.org
    use_backend testa.dyndns.org_http_ipvANY if testa.dyndns.org
    use_backend moe.contoso.com_http_ipvANY if moe.contoso.com

backend fc.contoso.com_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server http-fc.contoso.com 192.168.13.37:80
    server https-contoso.dyndns.org 192.168.13.37:443 check-ssl verify none

backend contoso.dyndns.org_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server http-contoso.dyndns.org 192.168.13.37:443 check-ssl verify none
    server https-contoso.dyndns.org 192.168.13.37:80

backend moe.contoso.com_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server https-moe.contoso.com 192.168.13.35:80
    server http-moe.contoso.com 192.168.13.35:443 check-ssl verify none

backend testa.dyndns.org_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server testa.dyndns.org 192.168.13.10:7588 check inter 1000

backend moe.contoso.com_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server https-moe.contoso.com 192.168.13.35:80
    server http-moe.contoso.com 192.168.13.35:443 ssl verify none
Any advice on what could be wrong?
Thanks!
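
Added example, not part of the original post: a small Python check for two things visible in the posted config. In a `mode tcp` backend HAProxy spreads connections over every listed `server` line, so a line pointing at port 80 receives a share of the passed-through TLS connections; and one `use_backend` rule names a condition (`moe.da`) that no `acl` line declares. The function names `parse` and `lint` are hypothetical, and the sample is a constructed excerpt of the config above.

```python
import re

# Constructed sample: frontend rules and one passthrough backend, trimmed from the posted config.
SAMPLE = """\
frontend Front-End-https
    mode tcp
    acl fc req.ssl_sni -m sub -i fc.contoso.com
    acl moe req.ssl_sni -m sub -i moe.contoso.com
    use_backend fc.contoso.com_https_ipvANY if fc
    use_backend moe.contoso.com_https_ipvANY if moe.da
backend fc.contoso.com_https_ipvANY
    mode tcp
    server http-fc.contoso.com 192.168.13.37:80
    server https-contoso.dyndns.org 192.168.13.37:443 check-ssl verify none
"""

SECTION = re.compile(r"^(global|defaults|listen|frontend|backend)\b\s*(\S*)")

def parse(cfg):
    """Split haproxy.cfg text into [(kind, name, [tokenised directive lines])]."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line.split())
    return sections

def lint(cfg):
    """Flag tcp backends that mix server ports, and use_backend rules naming undeclared ACLs."""
    findings = []
    for kind, name, lines in parse(cfg):
        mode = next((l[1] for l in lines if l[0] == "mode" and len(l) > 1), "")  # explicit mode only
        acls = {l[1] for l in lines if l[0] == "acl" and len(l) > 1}
        ports = {l[2].rsplit(":", 1)[-1] for l in lines if l[0] == "server" and len(l) > 2}
        if kind == "backend" and mode == "tcp" and len(ports) > 1:
            findings.append(f"{name}: tcp backend balances across ports {sorted(ports)}")
        for l in lines:  # anonymous ACLs written as { ... } are skipped, not evaluated
            if l[0] == "use_backend" and "if" in l and "{" not in l:
                for cond in l[l.index("if") + 1:]:
                    if cond.lstrip("!") not in acls and cond not in ("or", "||"):
                        findings.append(f"{name}: use_backend condition '{cond}' is not a declared acl")
    return findings
```

Calling `lint()` on the full text of a config returns one string per finding, or an empty list when neither pattern is present.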