# Nginx TLS SNI routing, based on subdomain pattern
Nginx can be configured to route to a backend, based on the server's domain name, which is included in the SSL/TLS handshake (Server Name Indication, SNI).  
This works for http upstream servers, but also for other protocols, that can be secured with TLS.  

This was tested with the `nginx:1.15.9-alpine` docker image.

## non terminating, TLS pass through
Pass the TLS stream to an upstream server, based on the domain name from TLS SNI field. This does not terminate TLS.  
The upstream server can serve HTTPS or other TLS secured TCP responses.
```nginx
stream {  

  map $ssl_preread_server_name $targetBackend {
    ab.mydomain.com  upstream1.example.com:443;
    xy.mydomain.com  upstream2.example.com:443;
  }   
 
  server {
    listen 443; 
        
    proxy_connect_timeout 1s;
    proxy_timeout 3s;
    resolver 1.1.1.1;
    
    proxy_pass $targetBackend;       
    ssl_preread on;
  }
}
```

## terminating TLS, forward TCP
Terminate TLS and forward the plain TCP to the upstream server.
```nginx
stream {  

  map $ssl_server_name $targetBackend {
    ab.mydomain.com  upstream1.example.com:443;
    xy.mydomain.com  upstream2.example.com:443;
  }

  map $ssl_server_name $targetCert {
    ab.mydomain.com /certs/server-cert1.pem;
    xy.mydomain.com /certs/server-cert2.pem;
  }

  map $ssl_server_name $targetCertKey {
    ab.mydomain.com /certs/server-key1.pem;
    xy.mydomain.com /certs/server-key2.pem;
  }
  
  server {
	  listen 443 ssl; 
    ssl_protocols       TLSv1.2;
    ssl_certificate     $targetCert;
    ssl_certificate_key $targetCertKey;
        
    proxy_connect_timeout 1s;
    proxy_timeout 3s;
    resolver 1.1.1.1;
      
    proxy_pass $targetBackend;
  } 
}

```
Use at least nginx 1.15.9 to use variables in ssl_certificate and ssl_certificate_key.