haproxy tls termination with client authentication
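# HAProxy TLS termination with mandatory client-certificate authentication.
# Please set $SRV_TLS_CERT, $SRV_TLS_CA accordingly.
#   SRV_TLS_CERT - server certificate + key (PEM) presented on :5443
#   SRV_TLS_CA   - CA bundle (PEM) that client certificates must chain to
# Both files are read at startup, before the chroot below takes effect.
global
    maxconn 2048
    log /dev/log local0
    log /dev/log local1 notice
    tune.ssl.default-dh-param 2048
    # ECDHE-only suites: every connection gets forward secrecy.
    # NOTE: this directive must appear only once in `global`; a second
    # occurrence silently replaces the first, so a weaker list placed
    # later in this section would win.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    # Session tickets are disabled so that resumption cannot bypass the
    # forward-secrecy property of the ciphers above.
    ssl-default-bind-options no-tls-tickets
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # The former second `ssl-default-bind-ciphers` line (kEECDH+aRSA+AES:
    # kRSA+AES:+AES256:RC4-SHA:...) has been removed: it overrode the list
    # above and re-enabled RC4 and non-PFS RSA key exchange.
    # For more information on cipher strings, see ciphers(1SSL).

defaults
    mode http
    # Without `log global` the targets defined in `global` are never used
    # and no connection/authentication events are recorded.
    log global
    option httplog
    option http-no-delay
    option http-keep-alive
    option tcp-smart-accept
    option tcp-smart-connect
    option tcpka
    retries 2
    option redispatch
    timeout check 4500
    timeout connect 10s
    timeout server 50s
    timeout client 50s
    timeout tunnel 1h

frontend tls-term
    # `verify required` rejects the handshake unless the client presents a
    # certificate that chains to $SRV_TLS_CA. Legacy protocol versions are
    # disabled per-bind; SSLv3/TLS1.0/1.1 are never negotiated here.
    # No `crl-file` is configured, so a revoked client certificate that still
    # chains to the CA is accepted; add `crl-file "<PATH-TO-CRL>"` to this
    # bind line if revocation checking is needed.
    bind 0.0.0.0:5443 ssl crt "$SRV_TLS_CERT" ca-file "$SRV_TLS_CA" verify required no-sslv3 no-tlsv10 no-tlsv11
    use_backend three

backend three
    # The backend receives no information about which client certificate was
    # presented; the proxy is the only place the identity is known.
    server proxy 127.0.0.1:8080 check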