
Ok the network so far is

end user (https)-> cloudfront (http)-> haproxy (http)-> jenkins

My jenkins install mostly works but I see the error about proxy not being set up correctly, and I experience https://issues.jenkins-ci.org/browse/JENKINS-14313

I've read the following, but encountered some confusing issues.

  1. https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+HAProxy
  2. https://gist.github.com/xelwarto/ac4f8b43e4194355082c

This is what I've come up with so far

    defaults
        mode http
        retries 3
        timeout connect 120s
        timeout client 60s
        timeout server 60s
    resolvers docker
        nameserver dns "127.0.0.11:53"
    frontend web
        bind *:8080
        default_backend jenkins
    backend jenkins
        cookie SERVERID insert indirect nocache
        server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
        acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
        acl response-is-redirect res.hdr(Location) -m found
        http-request set-header X-Forwarded-Proto https if h_cfp_exists

Here are the headers (headers have had their domain and secure strings mangled, slashes and names preserved) received by jenkins

    POST /j_acegi_security_check HTTP/1.1
    Host: jenkins.default.mydomain.tld
    X-Amz-Cf-Id: _UoBjzMmiJvkMZOnRbt6Ai2rBZ4hm1jAz_5IGAi3OwI9TxQ5tCW5Bg==
    Content-Length: 339
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 OPR/49.0.2725.64
    Via: 2.0 9a063989aee4dbd9381a2cf612c17c08.cloudfront.net (CloudFront)
    Cookie: JSESSIONID.0262fa7d=node01f8yc6mw0a5p6gv09wvy275j610.node0; JSESSIONID.9f7e10bd=node01i3tan71bopiv2ufhmos5dccq83.node0; JSESSIONID.d3f1b83b=node0nqkbin0vx70f12cdr9kmgatyk6.node0
    X-Forwarded-For: 2605:6000:1025:bd:31c7:df4d:6bd6:8b9c
    CloudFront-Is-Mobile-Viewer: false
    CloudFront-Is-Tablet-Viewer: false
    CloudFront-Is-SmartTV-Viewer: false
    CloudFront-Is-Desktop-Viewer: true
    CloudFront-Viewer-Country: US
    Accept-Language: en-US,en;q=0.9
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: https://jenkins.default.mydomain.tld/
    CloudFront-Forwarded-Proto: https
    Accept-Encoding: gzip, deflate, br
    cache-control: max-age=0
    origin: https://jenkins.default.mydomain.tld
    upgrade-insecure-requests: 1
    content-type: application/x-www-form-urlencoded
    X-Forwarded-Proto: https

and the response as received by the browser

    content-length:0
    date:Wed, 10 Jan 2018 15:45:21 GMT
    expires:Thu, 01 Jan 1970 00:00:00 GMT
    location:https://jenkins.default.mydomain.tld/
    server:Jetty(9.4.z-SNAPSHOT)
    set-cookie:JSESSIONID.d3f1b83b=node01o.node0;Path=/;Secure;HttpOnly
    set-cookie:ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=Y2N1c2hpbmc6MTUxNjgwODcyMTQ5OTpmMmIzNDVkYjE2ODdhRlMGJmNWYz;Path=/;Expires=Wed, 24-Jan-2018 15:45:21 GMT;Max-Age=1209600;Secure;HttpOnly
    status:302
    via:1.1 6d16d2818.cloudfront.net (CloudFront)
    x-amz-cf-id:WZMDdUGVK4fRg6E04gN2sr9RIgKDqeK0-kAANBbeu7eB3uFv9cAkQw==
    x-cache:Miss from cloudfront
    x-content-type-options:nosniff

I then see a subsequent GET /login HTTP/1.1, but I don't understand why it'd be doing that. Also possibly of interest: there is no default view set in configure globals; in fact, the configuration for that seems to be absent. Accessed over http via haproxy, everything is fine. Well, the warning still shows; it seems I can fix that by setting the jenkins uri to use http://IP:port.

How do I fix my haproxy setup such that jenkins login will not show the login form where the dashboard should be? Can anyone explain the transformations that need to be done in a proxy-technology-agnostic way and why (e.g. examples seem to show 127.0.0.1:8080, but that's obviously not going to work for me; however, since Location is returning https, I'm not sure why I'd need to do anything like that)?

xenoterracide
  • I don't see any ssl section in your haproxy setup. Also you should pass Host http header – ALex_hha Jan 10 '18 at 05:23
  • @ALex_hha cloudfront is doing the tls termination, and it adds host which appears to be passed fine. – xenoterracide Jan 10 '18 at 07:30
  • @ALex_hha added headers for the login request – xenoterracide Jan 10 '18 at 15:49
  • Just for reference - what's the point of using Jenkins behind Cloudfront? – ALex_hha Jan 10 '18 at 17:47
  • @ALex_hha consistent setup with other services, auto cert renewal from amazon. I honestly wouldn't be using haproxy at all if cloudfront was able to add the appropriate `X-Forwarded-Proto`. Well, I say that, but now I think this is all a nasty jenkins bug. Jenkins simply isn't doing the right thing in all cases when that is set. However, my next attempt will prove or disprove that. – xenoterracide Jan 10 '18 at 19:21
  • also, at this point cloudfront is my tls termination, and not having that at all is not a good idea. – xenoterracide Jan 10 '18 at 19:30

0 Answers