global
    log /dev/log local0
    log 127.0.0.1 local2
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 10000

defaults
    log global
    mode tcp
    option dontlognull
    timeout connect 5s
    timeout client  3600s
    timeout server  3600s

frontend https-in
    bind *:443
    mode tcp
    option tcplog

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl is_docker      req_ssl_sni -i -m end .docker.mydomain.com
    acl is_k8s         req_ssl_sni -i -m end .mydomain.com

    # More specific wins → put docker rule first
    use_backend docker_backend   if is_docker
    use_backend k8s_backend      if is_k8s

    default_backend k8s_backend

backend k8s_backend
    mode tcp
    server k8s-ingress 192.168.1.141:443 check inter 10s fall 3 rise 2

backend docker_backend
    mode tcp
    server docker-proxy 192.168.1.135:443 check inter 10s fall 3 rise 2