I moved the galaxy backend to the ssl offload fronted.

Added a custom ACL and used this https://stackoverflow.com/questions/23342036/haproxy-restrict-single-backend-by-ip-range

@jimp could you point me in the right direction how to setup so HAProxy on pfSense handels the certs ( not just getting them )

That was it, thank you for your help!

Probably not in this case.