# Enable SNI when proxy_pass targets an HTTPS origin by hostname. Without this,
# multi-tenant upstreams can return the wrong certificate or application.
proxy_ssl_server_name on;

# Do not force proxy_ssl_name or proxy_ssl_verify here. Those depend on whether
# the caller proxies to a hostname, an upstream block, or a private CA.