error_log /dev/stderr;

# Layer-4 front door on :443. Traffic is split twice:
#   1. by SNI (no TLS termination) — ${SNI_NAME} goes to a local TLS
#      terminator, everything else is passed through to ${HTTPS_UPSTREAM};
#   2. on the terminator, by client-certificate result — a client that
#      presents a certificate chaining to ${CA_CERT} reaches the SSTP
#      upstream, anyone else is handed to the fallback socket.
# All ${VAR} tokens are expected to be filled in by envsubst before nginx starts.
stream {
    log_format sni_proxy '"$ssl_preread_server_name" $remote_addr [$time_local] '
                         '$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
                         '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    # --- stage 1: SNI routing ------------------------------------------------

    # Plain map: exact (case-insensitive) match on the pre-read SNI value.
    # A connection without SNI yields "" and therefore also goes to passthrough.
    map $ssl_preread_server_name $frontend {
        ${SNI_NAME} mtls_terminator;
        default     passthrough;
    }

    upstream passthrough {
        server ${HTTPS_UPSTREAM}:443;
    }

    upstream mtls_terminator {
        server unix:/tmp/virtual-stream.socket;
    }

    server {
        listen 443;
        listen [::]:443;
        access_log /dev/stdout sni_proxy;

        # Peek at the ClientHello only; the TLS session itself is not
        # terminated here, so the SNI value is untrusted client input used
        # purely for routing.
        ssl_preread on;
        proxy_pass $frontend;

        # TODO: nginx-proxy does not listen for PROXY protocol by default;
        # enable it on both ends before turning this on.
        #proxy_protocol on;
    }

    # --- stage 2: client-certificate routing ---------------------------------

    # $ssl_client_verify is "SUCCESS", "NONE", or "FAILED:<reason>"; only a
    # verified certificate reaches the SSTP upstream.
    map $ssl_client_verify $backend {
        SUCCESS sstp_vpn;
        default no_client_cert;
    }

    upstream sstp_vpn {
        server ${SSTP_UPSTREAM}:443;
    }

    upstream no_client_cert {
        server unix:/tmp/fallback-stream.socket;
    }

    server {
        listen unix:/tmp/virtual-stream.socket ssl;

        ssl_certificate     /etc/nginx/certs/${SNI_NAME}/${CERT};
        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};

        # The CA used to verify client certificates. With ssl_trusted_certificate
        # (as opposed to ssl_client_certificate) the CA names are NOT sent to
        # the client in the CertificateRequest, so clients that pick a cert
        # based on the advertised CA list will present none and land in the
        # fallback. Verification depth is the nginx default (1) — an
        # intermediate CA in ${CA_CERT} would need ssl_verify_depth raised.
        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};

        # "optional": a missing or failing client cert does not abort the
        # handshake; the outcome is routed via $backend above instead.
        ssl_verify_client optional;

        # NOTE(review): no ssl_protocols/ssl_ciphers floor is set here, so the
        # accepted TLS versions are whatever this nginx build defaults to —
        # confirm that matches policy for an internet-facing listener.

        # Re-encrypt toward the upstream (the original author noted this does
        # not work without it). NOTE(review): proxy_ssl_verify is not enabled,
        # so the certificate of ${SSTP_UPSTREAM} is NOT checked — a CA file and
        # `proxy_ssl_verify on; proxy_ssl_trusted_certificate ...;` would be
        # needed to authenticate the upstream.
        proxy_ssl on;
        proxy_pass $backend;

        # PROXY protocol header is sent to BOTH upstreams selected by $backend;
        # the fallback socket listener and ${SSTP_UPSTREAM} must each accept it.
        proxy_protocol on;
    }
}