HAproxy forward proxy with SSL termination

Question

Problem:

Iam trying to build a forward proxy with ssl termination, further it upstreams to my proxy servers eg: TOR. My upstream proxy services are non-https.

Client -> Network-Haproxy -> Uptstream-Proxy -> Internet

I could easily succeed in tcp mode of HAproxy without ssl termination, but when I terminate ssl and forward, things don't work.

Steps Followed:

I followed the below steps to generate self-certified ssl certificates.

$ openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout haproxy-ca-key.pem -out haproxy-ca-cert.pem -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

combined them for creating final .pem file

$ cat haproxy-ca-cert.pem haproxy-ca-key.pem >> mysite.pem

The above file is used in my haproxy.cfg for ssl termination.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth user:password


frontend www.mysite.com
    mode http
    bind 0.0.0.0:8443
    bind 0.0.0.0:443 ssl crt /home/ubuntu/haproxy/mysite.pem crt-ignore-err all
    redirect scheme https if !{ ssl_fc }
    default_backend web_servers

backend web_servers
    mode http
    balance roundrobin
    server server1 xx.xx.xx.xx:xxxx #my upstream server which is not ssl protected

When I try to curl from my client machine to use the above proxy I get following error.

$ curl -k --proxy https://my-haproxy-server:443 --cacert haproxy-ca-cert.pem  https://httpbin.org/ip -vvv
*   Trying my-haproxy-server...
* TCP_NODELAY set
* Connected to my-haproxy-server (my-haproxy-server) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If you have read the cfg file, you can see I have redirected :8443 to :443, so I can send request to non https proxy, but that too doesn't work

$ curl -k --proxy http://my-haproxy-server:8443 --cacert haproxy-ca-cert.pem  https://httpbin.org/ip -vvv
*   Trying my-haproxy-server...
* TCP_NODELAY set
* Connected to my-haproxy-server (my-haproxy-server) port 8443 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to httpbin.org:443
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 302 Found
< content-length: 0
< location: https://httpbin.org:443/
< cache-control: no-cache
< connection: close
< 
* Received HTTP code 302 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 302 from proxy after CONNECT

Any lead would be appreciated.

Extra Info:

• HAPROXY: HA-Proxy version 2.0.13-1ppa1~bionic 2020/02/15 - https://haproxy.org/
• OPENSSL: OpenSSL 1.1.1 11 Sep 2018
• CURL: curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3