Can nginx use SNI to reverse-proxy *without* terminating SSL?

Posted by cmundi 
July 21, 2012 04:01AM
Hello Friends,

I am on a mission. I want a load-balancing reverse-proxy-by-SNI for multiple domains over HTTPS, where each domain runs a group of separate ReSTful webapp servers via proxy-by-name.

At this point, some of you are asking, "What???" and some more of you are asking "Why???" Let me try to answer both questions.

Each of N apps has its own URL for HTTPS: https://www.app-1.org, https://www.app-2.org, https://www.app-3.org, ... https://www.app-N.org and each of these N domains is served by M separate but equivalent servers. So there exists a total of N*M servers. (More generally, each app may have a distinct number of servers, but that does not matter now.)

Now you say, "Easy! Use SNI." Then I say, "Thanks, but I do not want to terminate SSL on the load-balancer." I need communication to remain encrypted all the way to the app servers. So I need the app servers to negotiate SSL, which means each app server will need to serve a copy of the cert for its domain. The nginx is just doing ordinary load-balancing but with a twist: the server pool is partitioned on the domains and matched to the SNI data.

All I want from nginx is Layer 4 routing using information leaked (by design) from Layer 7 by SNI. Said another way, I want nginx to use the SNI information provided by the User Agent to *route* the request but *defer* TLS/SSL negotiation to the upstream server. So I'm actually asking nginx to do *less* work than usual with SNI.

Can I do this with nginx?

Thank you for reading, and thank you for your help.