GitLab behind reverse proxy with Let's Encrypt managed by GitLab

I’m trying to set up GitLab behind a reverse proxy (HAProxy), where GitLab is managing the Let’s encrypt certificate. I do not want to terminate SSL at the reverse proxy.

I started with an installation of Omnibus GitLab Community Edition [12.8.0] with an external url with HTTPS. So far everything worked: I can access the webinterface via HTTPS using the external url. Now I want to put GitLab behind a reverse proxy (HAProxy) and I have set up the following configuration (/etc/haproxy/haproxy.cfg):

backend gitlab-http
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server gitlab 127.0.0.1:85 check

backend gitlab-https
mode tcp
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
option ssl-hello-chk
server gitlab 127.0.0.1:450 check

frontend http
bind *:80
mode http

acl host_gitlab hdr(host) -i gitlab.somedomain.com
use_backend gitlab-http if host_gitlab

frontend https
bind *:443
mode tcp

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

acl host_gitlab req_ssl_sni -i gitlab.somedomain.com
use_backend gitlab-https if host_gitlab

Now I’m not able to figure out how to configure GitLab to listen on ports 85 and 450 instead of 80 and 443. Just setting one of them with nginx[‘listen_port’] does not work: For example, if I set the port to 450, then I get a “Secure connection failed” error message in the browser (for HTTPS) while HTTP obviously does not get any response at all (error 503). It seems that GitLab does not expect HTTPS on that port, which makes sense, since I never told it to. How can I do that?

I have used to above configuration for other services (Nextcloud) with success. But in that case I was able to set HTTP and HTTPS listening ports (of Nextcloud) to the correct backend ports.

I do not have much experience with these topics and would greatly appreciate any help!