Reduce duplication in haproxy acl with multiple frontend sections

2

6

I'm using haproxy with stunnel handling SSL (and using the proxy mode to preserve the original IP from haproxy).

I have several acl tests that redirect to different backends depending on the domain, headers, or path.

The problem is that these are identical whether you're coming in via http or https, but I have to duplicate them in the config. Is there any way to reduce the duplication?

Here's a sample config:

global
    user haproxy
    group haproxy
    #etc...

frontend http-in
    bind *:80

    acl files_path path_beg /files/
    acl beta_host hdr_beg(host) -i beta.

    use_backend files if files_path
    use_backend beta if beta_host
    default_backend appservers

frontend https-in
    bind *:442 accept-proxy

    acl files_path path_beg /files/
    acl beta_host hdr_beg(host) -i beta.

    use_backend files if files_path
    use_backend beta if beta_host
    default_backend appservers


backend appservers
    balance roundrobin
    option forwardfor

    server appserver_1 localhost:8080 weight 1
    server appserver_2 192.168.1.101:8080 weight 1

backend files
    balance roundrobin
    option forwardfor
    server file1 192.168.1.102 weight 1
    server file2 192.168.1.103 weight 1

backend beta
    balance roundrobin
    server beta1 192.168.1.104 weight 1

The http-in and https-in have different ports, and the https-in has to specify accept-proxy so that stunnel can use the proxy protocol to pass it the original IP of the user. But other than that they are identical, and should always be identical. Is there any way to reduce this duplication? (haproxy 1.5-dev)

Edgerton answered 19/8, 2012 at 17:19 Comment(2)
FWIW, you could use stunnel's option to send the IP address via X-Forwarded-For HTTP header. - Hortatory
stunnel is an amazing piece of software, but why not simply terminate SSL in HAproxy? It's great at it! - Dilly
5

You could simply bind one http-in frontend to both.

frontend http-in
  bind *:80
  bind 0.0.0.0:443 transparent
Tedmund answered 25/1, 2015 at 11:23 Comment(0)
1

Unfortunately, the haproxy manual (http://haproxy.1wt.eu/download/1.5/doc/configuration.txt) states that acl can be defined only in frontend, listen and backend sections.

If the https and http frontends are the same, you can define a few bind sentences in one frontend.

Zoubek answered 7/4, 2014 at 15:7 Comment(0)
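
The single-frontend layout that both answers describe, applied to the question's config, as an added example (not code from the original posts). It assumes stunnel runs on the same host as haproxy, hence the loopback bind; the frontend name web-in and the plain_http ACL are hypothetical.

```haproxy
# Added example: one frontend replacing http-in and https-in from the question.
frontend web-in
    # Plain HTTP, accepted directly from clients.
    bind *:80

    # Traffic already decrypted by stunnel, prefixed with a PROXY protocol header.
    # accept-proxy applies only to this bind line. haproxy takes the client
    # address from that header, so anything able to connect to this port can
    # claim any source IP. Assumption: stunnel is local, so the listener is
    # bound to loopback instead of *:442 as in the question.
    bind 127.0.0.1:442 accept-proxy

    # ACLs and routing rules, written once for both listeners.
    acl files_path path_beg /files/
    acl beta_host  hdr_beg(host) -i beta.

    # Optional (hypothetical name): distinguish the entry points when a rule
    # needs to. Connections on the port 80 listener carry no PROXY header, so
    # dst_port is 80 there; on the accept-proxy listener dst_port reflects the
    # destination stated in the PROXY header, not 442.
    acl plain_http dst_port 80

    use_backend files if files_path
    use_backend beta  if beta_host
    default_backend appservers
```

If stunnel runs on a different machine, keep the accept-proxy bind on an address only that machine can reach and restrict the port with a packet filter.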
