the haproxy is conforming to the following setup:
http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
Look for:
Choose a server using SNI: aka SSL routing
No certificates available to haproxy, so no decoding and/or adding removing headers.
disecting of traffic is purely based on SSL Client Hello providing an SNI.
(tcp mode forwarding)