diff --git a/pkg/controller/config.go b/pkg/controller/config.go
index f82370e52..e2d9d6e83 100644
--- a/pkg/controller/config.go
+++ b/pkg/controller/config.go
@@ -47,6 +47,7 @@ type haConfig struct {
 	userlists       map[string]types.Userlist
 	haServers       []*types.HAProxyServer
 	haDefaultServer *types.HAProxyServer
+	haPassthrough   []*types.HAProxyPassthrough
 	haproxyConfig   *types.HAProxyConfig
 }
@@ -71,6 +72,7 @@ func newControllerConfig(ingressConfig *ingress.Configuration, haproxyController
 		TCPEndpoints:        cfg.ingress.TCPEndpoints,
 		UDPEndpoints:        cfg.ingress.UDPEndpoints,
 		PassthroughBackends: cfg.ingress.PassthroughBackends,
+		HAPassthrough:       cfg.haPassthrough,
 		Cfg:                 cfg.haproxyConfig,
 	}, nil
 }
@@ -172,7 +174,16 @@ func configForwardfor(conf *types.HAProxyConfig) {
 func (cfg *haConfig) createHAProxyServers() {
 	haServers := make([]*types.HAProxyServer, 0, len(cfg.ingress.Servers))
+	haPassthrough := make([]*types.HAProxyPassthrough, 0, len(cfg.ingress.PassthroughBackends))
 	var haDefaultServer *types.HAProxyServer
+	for _, server := range cfg.ingress.PassthroughBackends {
+		haServer := &types.HAProxyPassthrough{
+			Hostname:           server.Hostname,
+			Backend:            server.Backend,
+			HostnameIsWildcard: idHasWildcard(server.Hostname),
+		}
+		haPassthrough = append(haPassthrough, haServer)
+	}
 	for _, server := range cfg.ingress.Servers {
 		if server.SSLPassthrough {
 			// remove SSLPassthrough hosts from haServers array
@@ -227,7 +238,13 @@ func (cfg *haConfig) createHAProxyServers() {
 		}
 		return a < b
 	})
+	sort.SliceStable(haPassthrough, func(i, j int) bool {
+		// Move hosts without wildcard to the top
+		// if not isWildcard means priority, if isWildcard means less priority
+		return !haPassthrough[i].HostnameIsWildcard && haPassthrough[j].HostnameIsWildcard
+	})
 	cfg.haServers = haServers
+	cfg.haPassthrough = haPassthrough
 	cfg.haDefaultServer = haDefaultServer
 }
diff --git a/pkg/types/types.go b/pkg/types/types.go
index 5254337b6..e79cf7e4b 100644
--- a/pkg/types/types.go
+++ b/pkg/types/types.go
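Review bot: The comparator added in the @@ -227 hunk only separates wildcard hosts from exact hosts, so the relative order of the wildcard entries is whatever order cfg.ingress.PassthroughBackends arrived in; the template emits one `use_backend` rule per entry and HAProxy stops at the first SNI ACL that matches, so if hostnameRegex (not in this diff) can produce patterns where one wildcard host also matches another host's names, routing would depend on input order rather than on anything deterministic. A secondary key keeps the generated config stable between reconciliations and mirrors the `return a < b` tie-break used for haServers just above: `a, b := haPassthrough[i], haPassthrough[j]`, `if a.HostnameIsWildcard != b.HostnameIsWildcard { return !a.HostnameIsWildcard }`, `return a.Hostname < b.Hostname`. Whether plain lexicographic order or a specificity-based key (longer name first) is the right tie-break depends on what hostnameRegex emits, which should be confirmed at its definition. createHAProxyServers begins in the earlier @@ -172 hunk and the haServers sort call whose closing lines open this hunk starts outside it.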
@@ -40,6 +40,7 @@ type (
 	TCPEndpoints        []ingress.L4Service
 	UDPEndpoints        []ingress.L4Service
 	PassthroughBackends []*ingress.SSLPassthroughBackend
+	HAPassthrough       []*HAProxyPassthrough
 	Cfg                 *HAProxyConfig
 	BackendSlots        map[string]*HAProxyBackendSlots
 }
@@ -146,6 +147,12 @@ type (
 		HAWhitelist          string `json:"whitelist,omitempty"`
 		HARateLimitWhiteList string `json:"rateLimitWhiteList,omitempty"`
 	}
+	// HAProxyPassthrough has SSL passthrough configurations
+	HAProxyPassthrough struct {
+		Hostname           string `json:"hostname"`
+		Backend            string `json:"backend"`
+		HostnameIsWildcard bool   `json:"hostnameIsWildcard"`
+	}
 	// HAProxyBackendSlots contains used and empty backend server definitions
 	HAProxyBackendSlots struct {
 		// map from ip:port to server name
diff --git a/rootfs/etc/haproxy/template/haproxy.tmpl b/rootfs/etc/haproxy/template/haproxy.tmpl
index 08b3536f6..7aba64001 100644
--- a/rootfs/etc/haproxy/template/haproxy.tmpl
+++ b/rootfs/etc/haproxy/template/haproxy.tmpl
@@ -140,9 +140,13 @@ frontend httpsfront
 {{- end }}
 {{- end }}
-{{- range $server := $ing.PassthroughBackends }}
+{{- range $server := $ing.HAPassthrough }}
+{{- if $server.HostnameIsWildcard }}
+    use_backend {{ $server.Backend }} if { req.ssl_sni -m reg -i {{ hostnameRegex $server.Hostname }} }
+{{- else }}
     use_backend {{ $server.Backend }} if { req.ssl_sni -i {{ $server.Hostname }} }
 {{- end }}
+{{- end }}
 {{- range $server := $ing.HAServers }}
 {{- if $server.IsCACert }}
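Review bot: HostnameIsWildcard in the new HAProxyPassthrough struct carries no field comment although it decides which ACL form the template emits for the host; a line such as `// HostnameIsWildcard selects the regex SNI match in the template instead of an exact compare` would tell a maintainer why the bool is stored rather than recomputed. Hostname and Backend are copied from ingress.SSLPassthroughBackend in createHAProxyServers, which the struct comment could state so readers know the values are not normalized here.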
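Review bot: The new wildcard branch feeds `hostnameRegex $server.Hostname` to `req.ssl_sni -m reg`, and a reg match in HAProxy is a substring search rather than a whole-string compare, so unless hostnameRegex anchors the pattern with `^` and `$` and escapes the literal dots, a longer SNI that merely contains the wildcard's suffix would also satisfy the ACL and be passed through to that backend. hostnameRegex is not part of this diff, so its anchoring should be confirmed at its definition or pinned by a template test that renders a wildcard host and checks the generated ACL against a same-suffix name that must not match. The non-wildcard branch keeps the exact `-i` compare and is unaffected; the enclosing `frontend httpsfront` block begins before this hunk.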