haproxy + ssl -> varnish -> back to haproxy for loadbalancing to --> backend0/1/2 (webhost)

default.vcl

# This versions uses ELB loadbalancing
# The ELB points to these two HAProxy hosts 
# The C-name of the Domain points to the ELB
# ELB -> HAPROXY 1 or 2 -> Varnish --> HIT or MISS  --> HAPROXY 1 or 2 -> Backend 1/2/3
vcl 4.0;
import directors;
backend haproxy1 {
    .host = "172.31.xx.235"; # back to HAPROXY-1 internal address
    .port = "8080";
    .probe = {
                .url = "/";
                .interval = 5s;
                .timeout = 1 s;
                .window = 5;
                .threshold = 3;
    }
}
backend haproxy2 {
    .host = "172.31.xx.68"; # back to HAPROXY-2 internal address
    .port = "8080";
    .probe = {
                .url = "/";
                .interval = 5s;
                .timeout = 1 s;
                .window = 5;
                .threshold = 3;
   }
}

sub vcl_init {
    new vdir = directors.round_robin();
    vdir.add_backend(haproxy1);
    vdir.add_backend(haproxy2);
}

sub vcl_recv {

    if (req.http.Cookie) {
      unset req.http.Cookie;
    }
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            # No point in compressing these
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unkown algorithm
            unset req.http.Accept-Encoding;
        }
    }

}

sub vcl_backend_response { # old fetch

    set beresp.http.x-url = bereq.url;
    set beresp.ttl = 300s;

    if (beresp.status == 404) {
    	set beresp.ttl = 0s;
    }
}

sub vcl_deliver {
    if (obj.hits > 0) { # Add debug header to see if it's a HIT/MISS and the number of hits, disable when not needed
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
    # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object
    # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details.
    # So take hits with a grain of salt
    set resp.http.X-Cache-Hits = obj.hits;
    unset resp.http.x-url;
    set resp.http.Access-Control-Allow-Origin = "*";
}

haproxy.cfg

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    tune.ssl.default-dh-param 4096
    ssl-default-bind-ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
    ssl-default-bind-options no-sslv3 no-tlsv10 # SSLLabs secure
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    maxconn                 3000
    option                  forwardfor
    option                  http-server-close
#    http-reuse              always  # only available in newer 1.6 versions
    timeout connect 5000
    timeout client  50000
    timeout server  50000

# stat page
   stats enable
   stats uri /stats
   stats realm Haproxy\ Statistics
   stats auth user:password

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend  incoming
    bind    :80 
    bind    :443 ssl crt /etc/haproxy/certs/yourcert.pem
    reqadd X-Forwarded-Proto:\ https # Adds https header to end of HTTPS request
    redirect scheme https if !{ ssl_fc }  # redirects http to https if  not using ssl already
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    default_backend    varnish # forward any traffic to varnish

frontend returning-varnish # returning traffic from varnish
    bind 172.31.xx.235:8080 # listening on internal ip
    default_backend    webhost # all trafic goes to loadbalanced webhosts
    acl url_randomimage path_beg /random_image.png # if request goes to this specific url 
    use_backend randomimage if url_randomimage # use another backend

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend varnish
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server varnish 172.31.xx.254:80 check

backend webhost
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server  backend-0 172.31.xx.176:80 check
    server  backend-1 172.31.xx.174:80 check
    server  backend-2 172.31.xx.47:80 check

backend randomimage
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server  backend-0 172.31.xx.176:80 check