haproxy two applications on the same port with different certificates

I am setting up haproxy. My config is:

frontend bothApps
        bind *:9999
        mode http
        acl prov path_end -i /prov-0.0.1-SNAPSHOT/
        acl web path end -i /web-0.0.1-SNAPSHOT/
        acl prov1 path_end -i /prov-0.0.1-SNAPSHOT/testAuthenticated.html
        acl web1 path_end -i /web-0.0.1-SNAPSHOT/testAuthenticated.html
        use_backend focus if prov
        use_backend focus if prov1
        use_backend cnt if web
        use_backend cnt if web1

and it works correctly without https. Now I would like to add https but both apps should call haproxy on port 8443 (https://localhost:8443/prov-0.0.1-SNAPSHOT and https://localhost:8443/web-0.0.1-SNAPSHOT) but with different certificates - prov(haproxyPROV.pem), web(haproxyWEB.pem). How can I configure it?

I tried:

frontend https
        bind *:8443 ssl crt /etc/haproxy/haproxyWEB.pem
        mode http

but here I can just have one certificate per port

Solution 1:

You can use more than once certificate on one port:

frontend foo
    bind *:8443 ssl crt /path/to/cert1.pem crt /path/to/cert2.pem

Haproxy uses TLS SNI to match certificate to connection (if SNI is not present or not match is found, then first certificate on bind line is used (cert1.pem in above example)). So to achieve your goal you would have to point two different domain names to this host:port. Like web.example.com and prov.example.com pointing to the same host. That's what all those comments are about i guess.
Side note, you use path_end in your ACLs, like acl prov path_end -i /prov-0.0.1-SNAPSHOT/, but that will match also /foobar/prov-0.0.1-SNAPSHOT/ and /web-0.0.1-SNAPSHOT/prov-0.0.1-SNAPSHOT/, which may or may not be what you want. Usually path or path_beg are more fitting.