Score:0

How to pass through SSL traffic on nginx based on SNI?


In my current nginx configuration, I have multiple

server {
  listen *:443;
  server_name my_server_name;
  ...
}

blocks. These blocks are managed by third party software and cannot be changed by me.

I can easily add another domain which is ssl-terminated by nginx by adding another block.

However, I would like to add a domain which is not ssl-terminated on this nginx server, but passed through to another host, which does the ssl termination. It should be SNI-detected, just like the other server_name configurations.

I thought of something like:

server {
    listen *:443;
    server_name my_project.org;
    proxy_pass 10.1.1.3:443;
}

However, this results in a "proxy_pass is not allowed here" error.

I have read about the stream module and stream ssl preread module, but couldn't really figure out how to combine this with existing (non-changeable) nginx server-blocks.

Score:1

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass says that proxy_pass is allowed in the location, if in location, and limit_except sections.

However, if you use a server block with TLS, the server always terminates TLS.

In order to pass TLS through, you need to use the stream module.
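A sketch of the stream-module approach with `ssl_preread`, added here as an illustration and not part of the original answer. It assumes the stream listener owns port 443 and that the TLS-terminating `http` server blocks are reachable on a separate address, shown as the hypothetical `127.0.0.1:8443`; the hostname and backend IP are the ones from the question.

```nginx
# Top-level context (a sibling of http {}, not nested inside it).
# Requires nginx built with ngx_stream_core_module and
# ngx_stream_ssl_preread_module.
stream {
    # Choose the upstream from the SNI name in the ClientHello.
    # The value is read without decrypting anything, so no certificate
    # or private key for my_project.org is needed on this host.
    map $ssl_preread_server_name $tls_backend {
        # Passed through untouched; 10.1.1.3 terminates TLS itself.
        my_project.org  10.1.1.3:443;

        # Every other name, and clients that send no SNI at all,
        # go to the local TLS-terminating http server blocks.
        # Assumption: those blocks listen on 127.0.0.1:8443 (hypothetical).
        default         127.0.0.1:8443;
    }

    server {
        # This listener and an http server block cannot both bind the
        # same address and port.
        listen 443;

        # Parse the ClientHello to populate $ssl_preread_server_name.
        ssl_preread on;

        # Relay the raw TCP stream, TLS handshake included.
        proxy_pass $tls_backend;
    }
}
```

Because the connection to the local `http` blocks now arrives from the stream proxy, they see its address as the client address unless the PROXY protocol is enabled on both sides (`proxy_protocol on;` in the stream server and `listen ... proxy_protocol` in the http blocks).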
