HAProxy supports SSL backends, but this feature is not exposed in the configuration options.
VyOS generates this for the backend configuration in /var/run/haproxy/haproxy.cfg:

    backend xyz
        balance roundrobin
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        mode http
        server xyz 1.1.1.1:8443

But on the server line one can change it like this to support SSL:

    backend xyz
        balance roundrobin
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        mode http
        server xyz 1.1.1.1:8443 ssl verify none

This is really two additional options: one to turn on SSL, and one to not verify the certificate. The use case here is putting a valid SSL certificate using Let's Encrypt in front of an embedded service that only has a privately signed certificate, using the VyOS reverse-proxy feature, and that underlying service is not easily given a real cert. But I suppose this would also be useful for path-based re-redirects to SSL using backends.
I did change the /var/run/haproxy/haproxy.cfg file manually and it works fine, but obviously that is not optimal.
If someone gives a couple of pointers on where/how to perform this work I would be willing to put together an MR.
Thanks
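
Added example, not part of the original post and not VyOS-generated output: the same backend with the `verify none` server line from the post beside a variant that keeps TLS to the backend but checks the privately signed certificate against its own CA. The CA file path and the hostname `embedded.internal` are assumed placeholders.

```haproxy
# Added example; backend name and address reuse the values from the post.
backend xyz
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    mode http

    # As in the post: TLS to the backend, certificate not checked, so the
    # proxy cannot tell the real service from anything else answering on
    # 1.1.1.1:8443.
    # server xyz 1.1.1.1:8443 ssl verify none

    # Variant: TLS to the backend, certificate validated against the private
    # CA (or the self-signed certificate itself) and its name checked.
    # /path/to/private-ca.pem and embedded.internal are placeholders.
    server xyz 1.1.1.1:8443 ssl verify required ca-file /path/to/private-ca.pem verifyhost embedded.internal
```

A configuration option that exposes `ssl` on the backend server would ideally also expose the CA file, so that `verify none` is a choice rather than the only way to reach a privately signed service.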