Score:0

Pass HTTPS certificates from downstream servers through NGINX proxy to client


I have a fleet of Ubuntu edge computers that host simple web HMI servers. Many are behind dynamic IPs where port forwarding is unavailable.

So, to access them, each one uses autossh to create a reverse tunnel into a central cloud proxy server. I can then access each one with https://proxy.mydomain.com:6001, 6002, etc. This is working.

I now want to use NGINX so that we don't have to remember the port numbers. So, each facility would have its own subdomain: https://site1.mydomain.com, site2, etc. All subdomains would point to my proxy server. NGINX should then look at the subdomain and proxy HTTPS traffic to the appropriate reverse tunnel port.

NGINX config is shown below.

My issue at this point is that NGINX wants me to define an SSL certificate. However, I would like to use the certificates already installed on each of the edge computers.

So, how would I go about passing those certificates through the NGINX proxy to the client?

If this isn't possible, what's the best way to define one or separate certificates on the proxy server that can be used for all of the subdomains?

server {
    listen 443 ssl;
    server_name site1.mydomain.com;
    location / {
        proxy_set_header Host $host;
        proxy_pass https://127.0.0.1:6001;
        proxy_ssl_server_name on;
        proxy_redirect off;
    }
}

server {
    listen 443 ssl;
    server_name site2.mydomain.com;
    location / {
        proxy_set_header Host $host;
        proxy_pass https://127.0.0.1:6002;
        proxy_ssl_server_name on;
        proxy_redirect off;
    }
}

UPDATE: To those curious, I was able to use the "SNIProxy" project instead of NGINX and solved this issue. HTTPS certs passed through with no problem.

Score:0

You could use a wildcard certificate *.mydomain.com for your proxy.
This private key + certificate would work for any subdomain.
Either free from Let's Encrypt (certbot) or paid from a CA like DigiCert.

djdomi (comment): remember to add domain.tld AND *.domain.tld, else your certificate will be missing information ;)
Score:0

You can use the stream module to pass through the TLS protocol as-is to the clients.

I haven't used this configuration myself, so it might not be 100% accurate, but should show the principles.

stream {
    # Route on the SNI hostname that nginx reads from the cleartext ClientHello.
    # The map must live inside the stream context, and the default has to be a
    # real address (a bare name like "site1" is not a valid proxy_pass target here).
    map $ssl_preread_server_name $upstream {
        site1.example.com 127.0.0.1:6001;
        site2.example.com 127.0.0.1:6002;
        default           127.0.0.1:6001;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 1s;
        # Idle timeout between client and upstream; 3s is very short for a
        # browser session and will drop quiet connections, so tune it.
        proxy_timeout 3s;
        proxy_pass $upstream;
    }
}

In the stream block, we enable the pre-reading of SSL protocol data. Nginx extracts the SNI field into the $ssl_preread_server_name variable.

We use the map feature to convert the pre-read server name to a destination. Then the destination is used as the stream module proxy_pass destination.

Here nginx only reads the hostname for the SSL connection, and then proxies the TCP connection to the destination for that hostname.

Score:0

Put this at the root of nginx.conf and make sure the nginx stream module is installed (e.g. yum install nginx-mod-stream)

stream {
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass $upstream;
    }

    # Stream upstreams take a plain host:port; a URL scheme such as
    # "https://" is not accepted here because nginx never terminates TLS.
    upstream site1 {
        server 127.0.0.1:6001;
    }

    upstream site2 {
        server 127.0.0.1:6002;
    }

    map $ssl_preread_server_name $upstream {
        www.domain1.online site1;
        www.domain2.online site2;
        default site1;
    }
}
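To make concrete what `ssl_preread` does in the two stream-module answers above, here is an added example that is not from the original posts or from nginx: it builds a genuine TLS ClientHello offline with Python's `ssl` module, pulls the SNI hostname out of the cleartext handshake the same way `ssl_preread` does (no decryption, no certificate involved), and applies the same `map`-style routing table with a `default`. The hostnames and ports are the ones from the question and are assumed here for illustration; lower-casing the hostname before lookup is a choice made for this example.

```python
import ssl
import struct
from typing import Optional, Tuple

# Routing table mirroring the nginx "map $ssl_preread_server_name $upstream" block.
# Hostnames and ports are the ones from the question, assumed here for illustration.
UPSTREAMS = {
    "site1.mydomain.com": ("127.0.0.1", 6001),
    "site2.mydomain.com": ("127.0.0.1", 6002),
}
DEFAULT_UPSTREAM = UPSTREAMS["site1.mydomain.com"]  # the answers' "default site1"


def build_client_hello(server_name: str) -> bytes:
    """Generate a real TLS ClientHello for server_name without any network I/O.

    Python's in-memory BIOs let OpenSSL write its first flight into a buffer;
    the handshake then stalls waiting for a ServerHello, which is all we need.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing has been fed back from a server yet
    return outgoing.read()


def _parse_sni(data: bytes) -> Optional[str]:
    # 1. Reassemble the handshake message from one or more TLS records
    #    (content type 0x16 = handshake; 5-byte record header).
    hs = b""
    pos = 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        (rlen,) = struct.unpack("!H", data[pos + 3:pos + 5])
        if ctype != 0x16:
            return None
        hs += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if len(hs) >= 4 and len(hs) >= 4 + int.from_bytes(hs[1:4], "big"):
            break
    if len(hs) < 4 or hs[0] != 0x01:  # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # 2. Skip the fixed-position fields: legacy_version(2) random(32)
    #    session_id(1+n) cipher_suites(2+n) compression_methods(1+n).
    p = 2 + 32
    p += 1 + body[p]
    (cs_len,) = struct.unpack("!H", body[p:p + 2])
    p += 2 + cs_len
    p += 1 + body[p]
    if p + 2 > len(body):
        return None  # no extensions block at all, hence no SNI
    (ext_len,) = struct.unpack("!H", body[p:p + 2])
    p += 2
    end = p + ext_len
    # 3. Walk the extension list looking for server_name (type 0).
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == 0x0000:
            # server_name_list length(2), name_type(1, 0 = host_name),
            # host_name length(2), host_name bytes
            (name_len,) = struct.unpack("!H", body[p + 3:p + 5])
            return body[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello, or None if absent or unparseable."""
    try:
        return _parse_sni(data)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(data: bytes) -> Tuple[str, int]:
    """Pick the upstream the way the map block does, falling back to the default."""
    sni = extract_sni(data)
    key = sni.lower() if sni else None  # case-folding is this example's choice
    return UPSTREAMS.get(key, DEFAULT_UPSTREAM)


if __name__ == "__main__":
    for name in ("site1.mydomain.com", "site2.mydomain.com", "unknown.example"):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), route(hello))
```

Because only the ClientHello is inspected, the proxy never terminates TLS, so the certificate the client ends up seeing is whatever the edge device presents; that is exactly why the question's "pass the certificate through" works with `ssl_preread` but not with an `http` block that has `listen 443 ssl`. The flip side is the `default` branch: a client that sends no SNI at all (old tooling, raw IP access) or hides it with Encrypted Client Hello lands on site1 silently, so decide deliberately whether the default should be a real site or a sink that rejects the connection.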
