error_log /dev/stderr;

stream {
    map $ssl_client_verify $name {
        SUCCESS sstp;
        default https;
    }

    upstream https {
        server ${HTTPS_UPSTREAM}:443;
    }

    upstream sstp {
        server ${SSTP_UPSTREAM}:443;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
        ssl_verify_client optional;

        proxy_half_close on;

        # Doesn't work without it
        proxy_ssl on;
        proxy_ssl_session_reuse off;

        proxy_pass $name;
        ssl_preread on;
        proxy_protocol on;
    }
}