If I understand correctly, your setup uses a reverse proxy in front of the target servers (one reverse proxy used to access exemplo.com and exemplo.net from your example).
To handle SSL correctly, it is advised to do the SSL termination at the reverse proxy (meaning that the proxy will require access to the certificates and will be the one negotiating the connection). If you really want to, you can do this without terminating the SSL session using HAProxy, but I won't cover that here since I assume that's not what you meant.
If you have a static setup with a reasonable number of servers, you can just configure this manually and nginx will do most of the work - specify the server name in the site config file and listen for SSL connections and nginx will redirect the requests without the need for a balancer by Lua.
If you need to support many different servers, look into the ssl_certificate_by_lua* directives. They let you know which server name was requested and specify the certificate and key to use in a very effective way.
Best regards,
-Itamar
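
An added example, not part of the original message, of the ssl_certificate_by_lua* approach mentioned above: the proxy terminates TLS and picks the certificate from the SNI name, looked up in a fixed allowlist so that a client-supplied name never reaches a file path. It assumes OpenResty with lua-resty-core's `ngx.ssl` module; the `sites` table, certificate paths and backend addresses are hypothetical.

```nginx
# Added example; every path, address and the `sites` table are assumptions.
http {
    init_by_lua_block {
        -- Allowlist: SNI name -> certificate and key files (hypothetical paths).
        sites = {
            ["exemplo.com"] = { cert = "/etc/nginx/certs/exemplo.com.crt",
                                key  = "/etc/nginx/certs/exemplo.com.key" },
            ["exemplo.net"] = { cert = "/etc/nginx/certs/exemplo.net.crt",
                                key  = "/etc/nginx/certs/exemplo.net.key" },
        }
    }

    # Backend chosen from the Host header; unknown hosts get no backend.
    map $host $backend {
        default     "";
        exemplo.com http://10.0.0.10:8080;
        exemplo.net http://10.0.0.11:8080;
    }

    server {
        listen 443 ssl;
        server_name _;

        # nginx still requires a static pair; it is served when SNI is
        # missing or not in the allowlist.
        ssl_certificate     /etc/nginx/certs/fallback.crt;
        ssl_certificate_key /etc/nginx/certs/fallback.key;

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"
            local name = ssl.server_name()   -- SNI from the client, may be nil
            local site = name and sites[name:lower()]
            if not site then return end      -- keep the fallback certificate

            local function read(path)        -- blocking read; cache in production
                local f = assert(io.open(path, "rb"))
                local data = f:read("*a"); f:close()
                return data
            end
            local cert = assert(ssl.cert_pem_to_der(read(site.cert)))
            local key  = assert(ssl.priv_key_pem_to_der(read(site.key)))
            assert(ssl.clear_certs())        -- drop the fallback pair
            assert(ssl.set_der_cert(cert))
            assert(ssl.set_der_priv_key(key))
        }

        location / {
            if ($backend = "") { return 421; }   # Host not served here
            proxy_set_header Host $host;
            proxy_pass $backend;
        }
    }
}
```

Keep the private key files readable only by the user nginx runs as, since the proxy now holds the keys for every site it fronts.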