Created the three front ends and associated backend but to make it work I had to forward (nat) port 80 and 443 to port 8080 and 4443. So instead of using the wan address I use the localhost port.  Both the HTTP and SNI frontend work perfectly.  The issue is when I get to the Offloading.  I have created 2 let's encrypt certificates for the two domains I need to offload.  Both certificates host several host names.  The backend for the offloading points to a http server (not https).  From my reading I do not think that I have to point it to a https server if I have the offloading properly configured.

Below is part of my configuration, if somebody can tell me what i'm doing wrong it would be appreciated.

frontend SecureServers-SNI-2
bind 127.0.0.1:4443 name 127.0.0.1:4443 
mode tcp
log global
option socket-stats
option log-separate-errors
option tcplog
timeout client 30000
tcp-request inspect-delay 5s
acl ftpweb_acl req.ssl_sni -i ftpweb34.accra.ca
acl dragonNAS_acl req.ssl_sni -i dragon.accra.ca
acl secure2345_acl req.ssl_sni -i secure2345.accra.ca
tcp-request content accept if { req.ssl_hello_type 1 }

use_backend SecureFTPWEB34_https_ipvANY  if  ftpweb_acl
use_backend SecureNAS4_https_ipvANY  if  dragonNAS_acl
use_backend Secure16_https_ipvANY  if  secure2345_acl
default_backend frontend3-offloading_https_ipvANY

frontend Secure-offloading-3
bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required 
bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl  crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
mode http
log global
option http-keep-alive
timeout client 30000
acl filoptoreg hdr(host) -i reg.filopto.com
acl remotehelp hdr(host) -i remotehelp.accra.ca
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
use_backend WebServer214_http_ipvANY  if  filoptoreg aclcrt_Secure-offloading-3
use_backend RemoteHelp25_http_ipvANY  if  remotehelp aclcrt_Secure-offloading-3
use_backend WEBServer14_http_ipvANY  if  aclcrt_Secure-offloading-3

backend WebServer214_http_ipvANY
mode http
log global

use mailers

level  alert

timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server WebServer214 192.168.120.214:80 check inter 1000

backend frontend3-offloading_https_ipvANY
mode tcp
log global

use mailers

level  alert

timeout connect 30000
timeout server 30000
retries 3
server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000