Help with haproxy configuration

Good day

I am looking to implement haproxy and could use some help.

Here is the environment:
Web server: at with an A record pointing to
Mail server: at with an A record pointing to

Currently, I have setup firewall rules to forward port 80 and 443 to the web server, and SMTP, IMAP etc to the mail server.

The mail web client is accessible from (i.e.

My web server is running apache. There I have created a configuration for zimbra (my mail server) which looks like this:

<VirtualHost *:443>
    SSLProxyEngine ON
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RSA:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /ssl2buy/2021/STAR_domain_net.crt <- Note, this is the certificate of the web server
    SSLCertificateKeyFile /ssl2buy/2021/domain.key
    SSLCertificateChainFile /ssl2buy/2021/SectigoRSADomainValidationSecureServerCA.crt
    ProxyPass        "/" ""  connectiontimeout=30000 timeout=30000
    ProxyPassReverse "/" ""
    RewriteRule ^/(.*)$1 [P]
    ErrorLog "/var/log/httpd/zimbra/zimbra-error.log"
    CustomLog "/var/log/httpd/zimbra/zimbra-custom.log" combined

Everything works as advertised. I can access the zimbra web client by going to:

Now I would like to implement haproxy.

Here are the steps which I think I have followed. For testing purpose, I have left the firewall rules in place (i.e. port 80 & 443 being forwarded to i.e.

# Global settings
   log local1

chroot      /var/lib/haproxy
pidfile     /var/run/
maxconn     4000
user        nobody
group       nobody

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
mode                    http
log                     global
option                  httplog
option                  dontlognull
option http-server-close
option forwardfor       except
option                  redispatch
retries                 3
timeout http-request    30s
timeout queue           1m
timeout connect         10s
timeout client          1m
timeout server          1m
timeout http-keep-alive 10s
timeout check           10s
maxconn                 3000

listen stats
    bind :9000
    mode http
    stats enable
    stats uri /
    stats auth <username>:<password>
    stats refresh 30

frontend https-in
  bind :2443 ssl crt /etc/haproxy/STAR_domain_net.pem
  acl zimbra_mail hdr(Host) -i
  use_backend zimbra_server if zimbra_mail
  default_backend web_server

backend web_server

backend zimbra_server
  server send-proxy

Next, I try to access the zimbra server by going to:

but I get: “The connection has timed out”

A tail -f /var/log/haproxy shows this:

Sep 24 09:25:38 localhost haproxy[27654]: Proxy https-in started.
Sep 24 09:25:38 localhost haproxy[27654]: Proxy web_server started.
Sep 24 09:25:38 localhost haproxy[27654]: Proxy zimbra_server started.

What am I doing wrong?