Figured it out on my own! I’ll post my haproxy config now:
global
# rsyslog is required for logging
#log /var/log local0
#log /var/log local1 notice
maxconn 64
log 127.0.0.1 local0 notice
# Jail directory
chroot /var/lib/haproxy
stats socket /run/haproxy.sock mode 660 level admin
stats timeout 30s
user root
group root
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend https-in
bind *:80
bind *:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend lighttpd_backend if { req_ssl_sni -i example.com }
use_backend gitea_backend if { req_ssl_sni -i git.example.com }
backend lighttpd_backend
mode tcp
server lighttpd_server 127.0.0.1:8080 check
backend gitea_backend
mode tcp
server gitea_server 127.0.0.1:3000 check
# Admin web page
#listen stats
#bind *:4264
#stats enable
#stats uri /
#stats hide-version
#stats auth admin:dietpi