diff --git a/templates/haproxy_cfg.jinja2 b/templates/haproxy_cfg.jinja2
index 12244b96071c7123f84d9e0f9dfe327ef684cf77..bb4892236af080280e03409c2561469671493bab 100644
--- a/templates/haproxy_cfg.jinja2
+++ b/templates/haproxy_cfg.jinja2
@@ -65,6 +65,14 @@ frontend http_in
   http-request deny if { {{ rule }} }
 {% endfor %}
   http-request set-header x-routing-host undefined
+{% for cert in proxy_certificates %}
+{% if cert.active|default(true) %}
+{% if cert.wildcard|default(false) and cert.wildcard_host is defined %}
+  http-request set-header x-routing-host {{ cert.wildcard_host }} if { hdr(host) -m end -i '.{{ cert.domain }}' }
+  use_backend backend_redirect_ssl if { hdr(host) -m end -i '.{{ cert.domain }}' }
+{% endif %}
+{% endif %}
+{% endfor %}
   acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
   http-request set-header x-routing-host maintenance if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n -f /etc/haproxy/maintenance.list }
   http-request redirect code 301 location %[base,lower,map(/etc/haproxy/redirect.domain-and-path.map)] if !letsencrypt_challenge { base,lower,map(/etc/haproxy/redirect.domain-and-path.map) -m found }
@@ -242,6 +250,9 @@ frontend https_in_{{ cert.ip }}
   http-request deny if { {{ rule }} }
 {% endfor %}
   http-request set-header x-routing-host undefined
+{% if cert.wildcard|default(false) and cert.wildcard_host is defined %}
+  http-request set-header x-routing-host {{ cert.wildcard_host }} if { hdr(x-routing-host) undefined } { hdr(host) -m end -i '.{{ cert.domain }}' }
+{% endif %}
   http-request set-header x-routing-host maintenance if { hdr(x-routing-host) undefined } { hdr(host) -i -n -f /etc/haproxy/maintenance.list }
 {% for host in groups['all']|sort %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}