EDIT 07-march-2014 as per Kyler’s note (thanks Kyler):
The following should help people patch v4.44 like I did.

apt-get install gcc build-essential libssl-dev
cd /usr/local/src/
wget http://mirrors.zerg.biz/stunnel/archive/4.x/stunnel-4.44.tar.gz
tar xzf stunnel-4.44.tar.gz
cd stunnel-4.44
patch -p1 < ../stunnel-4.44-xforwarded-for.diff
./configure
make
make install

also: don't forget to download the patch directly from haproxy (http://haproxy.1wt.eu/download/patches/) and put it in /usr/local/src, so that the ../stunnel-4.44-xforwarded-for.diff path above resolves. The zerg.biz link above is a mirror listed on stunnel.org for archives; you can use any mirror.
Again, Thanks Kyler
END EDIT

this article should have been called "what i learned while trying to set up https with haproxy".

after enough googling i came to the decision to terminate https in stunnel and then send plain http to haproxy.

clean and simple.

what i did not know is that you need to add reqadd X-Forwarded-Proto:\ https to the haproxy listener that stunnel forwards to, so the app servers can tell that a request originally came in over https.

the problem is that they only recently (as of the time of writing) merged X-Forwarded-Proto into the latest release of stunnel (4.45).

here are my configs, with some explanations below.
haproxy.cfg:

global
      maxconn 4096
      pidfile /var/run/haproxy.pid
      daemon

defaults
      mode http
      retries 3
      option redispatch
      maxconn 2000
      contimeout 5000
      clitimeout 50000
      srvtimeout 50000

listen HTTP *:80
      mode http
      cookie HTTP insert nocache
      balance roundrobin
      option httpclose
      option forwardfor
      stats enable
      stats auth myuser:mypass
      reqadd X-Forwarded-Proto:\ http
      server SERVER_A xxx.xxx.xxx.xxx:8080 cookie http_01 check
      server SERVER_B xxx.xxx.xxx.xxx:8080 cookie http_02 check

listen HTTPS *:8081
      mode http
      cookie HTTP insert nocache
      balance roundrobin
      option httpclose
      option forwardfor
      stats enable
      stats auth myuser:mypass
      reqadd X-Forwarded-Proto:\ https
      server SERVER_A xxx.xxx.xxx.xxx:8080 cookie http_01 check
      server SERVER_B xxx.xxx.xxx.xxx:8080 cookie http_02 check

stunnel.cfg:

sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/stunnel.pem
setuid = root
setgid = root
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[https]
        accept = 443
        connect = 8081
        xforwardedfor = yes
        TIMEOUTclose = 0

as you can see from the two configs there is nothing special: two app servers and one load balancer handling minimal traffic and only accepting connections on ports 80 and 443.
the xxx.xxx.xxx.xxx entries would obviously be replaced with the addresses of the balanced app servers, and of course the myuser / mypass stats credentials should be changed too.
stunnel catches all the fun stuff (the ssl) on 443 and forwards it as plain http to haproxy on 8081.
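As an added sanity check (my own example, not code from the original post or from haproxy/stunnel), here is a small python script that parses the two configs above and verifies the handoff: every port stunnel connects to must be a haproxy listener that adds X-Forwarded-Proto https, every other listener must add http, and the stunnel service must set xforwardedfor=yes. The embedded configs are trimmed copies of the ones above; the port numbers are the ones from the post.

```python
import re

# Constructed samples that mirror the two configs above, trimmed to the relevant lines.
HAPROXY_CFG = r"""
listen HTTP *:80
      reqadd X-Forwarded-Proto:\ http
listen HTTPS *:8081
      reqadd X-Forwarded-Proto:\ https
"""
STUNNEL_CFG = "[https]\naccept = 443\nconnect = 8081\nxforwardedfor=yes\n"

def parse_haproxy(text):
    """Map each 'listen' port to the X-Forwarded-Proto value it adds (None if it adds none)."""
    listeners, port = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"listen\s+\S+\s+\S*:(\d+)", line):
            listeners[(port := int(m.group(1)))] = None
        elif port is not None and (m := re.match(r"reqadd\s+X-Forwarded-Proto:\\\s*(\S+)", line)):
            listeners[port] = m.group(1)
    return listeners

def parse_stunnel(text):
    """Return (accept_port, connect_port, xforwardedfor_enabled) for each [service] section."""
    services, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            services.append((cur := {}))
        elif "=" in line and cur is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            cur[key.lower()] = value
    return [(int(s["accept"]), int(s["connect"]), s.get("xforwardedfor", "").lower() == "yes")
            for s in services]

def check_handoff(haproxy_text, stunnel_text):
    """List mismatches between stunnel's connect targets and haproxy's listeners; [] means clean."""
    listeners, services = parse_haproxy(haproxy_text), parse_stunnel(stunnel_text)
    tls_ports = {connect for _, connect, _ in services}
    problems = []
    for accept, connect, xff in services:
        if connect not in listeners:
            problems.append(f"stunnel {accept}->{connect}: haproxy has no listener on {connect}")
        if not xff:
            problems.append(f"stunnel service on {accept} lacks xforwardedfor=yes")
    for port, proto in sorted(listeners.items()):
        # Only a listener fed by stunnel may claim https; every other one must mark itself http.
        expected = "https" if port in tls_ports else "http"
        if proto != expected:
            problems.append(f"haproxy listener {port} should reqadd X-Forwarded-Proto {expected}, has {proto}")
    return problems
```

Run check_handoff(HAPROXY_CFG, STUNNEL_CFG) against your real files; an empty list means the ports and headers line up.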

the only other thing that had to be ensured was that the ec2 firewall was open on those ports, but that's another article altogether.