TLS passthrough proxy
Using nginx as a TLS passthrough proxy: Proxy to different backends based on the TLS server name indication (SNI).
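    stream {
        # Pick an upstream name from the SNI host name in the ClientHello
        map $ssl_preread_server_name $name {
            backend.example.com   backend;
            backend2.example.com  backend2;
            # No SNI, or a name not listed above
            default               default_backend;
        }

        upstream backend {
            server 10.0.0.1:443;
        }

        upstream backend2 {
            server 10.0.0.2:443;
        }

        upstream default_backend {
            server 10.0.0.3:443;
        }

        server {
            # No "ssl" on the listener: TLS is passed through, not terminated here
            listen 443;
            proxy_pass $name;
            # Read the ClientHello so $ssl_preread_server_name is set
            ssl_preread on;
        }
    }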
On Debian and similar distributions this requires an additional package: libnginx-mod-stream
More: https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html