I’m maintaining a bunch of servers and, where possible, services are moved into containers.
Ideally those containers do their own SSL handling on the ports they listen on. Where many services have to share a single port (https above all, since every domain comes with a webserver these days), there needs to be some de-multiplexing in the frontend.
For this purpose I use a reverse SSL proxy that checks the SNI field in the connection (so, Windows XP is out. I’m not sorry.) and routes the connection to some backend service.
There’s a catch to be aware of when doing this: http2 client implementations use SSL certificate information to optimize connections. When a cert claims responsibility for multiple domains (its SAN list), some clients (e.g. Firefox or Chrome) assume that they can reuse the same http2 connection for requests to any of those domains.
That explodes if the connection was routed to a backend for one domain while a different backend is responsible for the other: backends don’t know about "other services" (that’s what containerization is for, after all), and in the best case say as much (HTTP status 421, Misdirected Request) or in the worst case ignore the domain mismatch and answer the request as if it were their own.
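As an added example (not code from the original post), here is a small Python audit of exactly that risk: given the proxy's SNI routing table and the SAN list each backend's certificate presents, it lists the hostnames a client could coalesce onto the wrong backend, plus the backend-side check that turns a misrouted request into a 421 instead of silently serving it. All hostnames and backend names are constructed.

```python
# Constructed sample data (hypothetical names): the SNI routing table of the
# frontend proxy, and the SAN list of the certificate each backend presents.
ROUTES = {
    "www.example.org": "web-a",
    "blog.example.org": "web-b",
    "api.example.org": "api",
    "shop.example.net": "shop",
}
CERT_SANS = {
    "web-a": ["www.example.org", "blog.example.org"],  # one cert reused by two backends
    "web-b": ["www.example.org", "blog.example.org"],
    "api": ["*.example.org"],                          # wildcard covers names routed elsewhere
    "shop": ["shop.example.net"],
}


def san_matches(san, hostname):
    """Certificate name matching: a wildcard replaces only the leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        same_depth = hostname.count(".") == san.count(".")
        return same_depth and hostname.endswith(san[1:])
    return san == hostname


def coalescing_risks(routes, cert_sans):
    """For each backend, the routed hostnames its cert covers but the proxy sends
    to a different backend: an http2 client may coalesce requests for those
    hostnames onto a connection that was routed by SNI to this backend."""
    risks = {}
    for backend, sans in cert_sans.items():
        covered = {h for h in routes if any(san_matches(s, h) for s in sans)}
        foreign = {h: routes[h] for h in covered if routes[h] != backend}
        if foreign:
            risks[backend] = foreign
    return risks


def check_authority(request_host, served_hosts):
    """Backend-side guard: compare the request's Host/:authority against the
    names this backend actually serves (not against its cert), and answer
    421 Misdirected Request on a mismatch so the client opens a fresh connection."""
    if any(san_matches(s, request_host) for s in served_hosts):
        return 200
    return 421


if __name__ == "__main__":
    for backend, foreign in coalescing_risks(ROUTES, CERT_SANS).items():
        print(f"{backend}: cert covers {sorted(foreign)} routed to {sorted(set(foreign.values()))}")
```

The audit only flags name overlap; a client additionally checks that the other hostname resolves to the same address before coalescing, which a shared proxy IP satisfies.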