In theory, I think preread could support it by dealing with ECH (encrypted ClientHello) on the reverse proxy without it terminating TLS. At the moment, ESNI/ECH support requires out-of-tree patches. As far as I can tell, Cloudflare never published their patches for nginx.
ECH requires an HTTPS DNS record to act as an SRV record providing the public key for ECH. ESNI used a comparable approach. It's a bit odd now. The record essentially replaces A, AAAA, SRV, deals with ECH and also protocol negotiation for HTTP/3. Mostly not really available yet.
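As an added example (not from either post above), here is a parser for the wire form of the HTTPS record the second reply describes (RFC 9460) that pulls the `ech` SvcParam out and decodes the ECHConfigList it carries (draft-ietf-tls-esni, ECHConfig version 0xfe0d). It also ties back to the first reply's point about preread: the only name an SNI-sniffing proxy sees in an ECH ClientHello is the config's `public_name`, so `outer_sni()` returns that, not the real backend host. The record, the key bytes and the name `ech-public.example` are constructed placeholders, and ECHConfig extensions are kept raw, not interpreted.

```python
"""Parse an HTTPS RR rdata (RFC 9460) and the ECHConfigList in its ech param.

Added example, not code from the thread. The sample record, the 32 key bytes
and the public_name 'ech-public.example' are constructed placeholders."""
import struct

# SvcParamKey numbers from RFC 9460 section 14.3.2
SVC_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
            4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
ECH_VERSION = 0xFE0D  # ECHConfig version for draft-ietf-tls-esni-13 and later


def _u16(data, off):
    return struct.unpack("!H", data[off:off + 2])[0]


def encode_dns_name(name):
    """Uncompressed wire-format name; '.' (owner name) encodes as one zero octet."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dns_name(data, off):
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in TargetName")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) or "."), off


def parse_https_rdata(rdata):
    """Return (priority, target, params). alpn is decoded to a list of
    protocol ids; every other SvcParam (including ech) is left as raw bytes."""
    priority = _u16(rdata, 0)
    target, off = parse_dns_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = _u16(rdata, off), _u16(rdata, off + 2)
        off += 4
        if key <= last_key:  # RFC 9460 section 2.2: strictly increasing keys
            raise ValueError("SvcParamKeys must be in strictly increasing order")
        last_key = key
        value = rdata[off:off + length]
        off += length
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        name = SVC_KEYS.get(key, "key%d" % key)
        if name == "alpn":  # sequence of 1-octet-length-prefixed protocol ids
            alpns, i = [], 0
            while i < len(value):
                n = value[i]
                alpns.append(value[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            value = alpns
        params[name] = value
    if priority == 0 and params:  # AliasMode carries no SvcParams
        raise ValueError("AliasMode record must not carry SvcParams")
    return priority, target, params


def parse_ech_config_list(data):
    """ECHConfigList -> list of dicts; configs with an unknown version are skipped."""
    if _u16(data, 0) != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    off, configs = 2, []
    while off < len(data):
        version, length = _u16(data, off), _u16(data, off + 2)
        body = data[off + 4:off + 4 + length]
        off += 4 + length
        if version != ECH_VERSION:
            continue
        cfg = {"config_id": body[0], "kem_id": _u16(body, 1)}  # HpkeKeyConfig
        pk_len = _u16(body, 3)
        cfg["public_key"] = body[5:5 + pk_len]
        p = 5 + pk_len
        cs_len = _u16(body, p)
        p += 2
        cfg["cipher_suites"] = [(_u16(body, i), _u16(body, i + 2))  # (kdf, aead)
                                for i in range(p, p + cs_len, 4)]
        p += cs_len
        cfg["maximum_name_length"] = body[p]
        pn_len = body[p + 1]
        cfg["public_name"] = body[p + 2:p + 2 + pn_len].decode("ascii")
        p += 2 + pn_len
        cfg["extensions"] = body[p + 2:p + 2 + _u16(body, p)]  # kept raw
        configs.append(cfg)
    return configs


def outer_sni(rdata):
    """Name an SNI-sniffing proxy (e.g. ssl_preread) sees in an ECH ClientHello:
    the config's public_name, never the real host hidden in the inner hello."""
    _, _, params = parse_https_rdata(rdata)
    if "ech" not in params:
        return None
    configs = parse_ech_config_list(params["ech"])
    return configs[0]["public_name"] if configs else None


def build_sample_rdata():
    """Constructed rdata: priority 1, target '.', alpn h2/h3, one ECH config
    with DHKEM(X25519) / HKDF-SHA256 / AES-128-GCM. Key bytes are a placeholder."""
    public_key = bytes(range(32))        # placeholder, not a real X25519 key
    suites = struct.pack("!HH", 0x0001, 0x0001)
    public_name = b"ech-public.example"  # hypothetical public name
    contents = (bytes([7]) + struct.pack("!HH", 0x0020, len(public_key)) + public_key
                + struct.pack("!H", len(suites)) + suites
                + bytes([0, len(public_name)]) + public_name + struct.pack("!H", 0))
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    ech_list = struct.pack("!H", len(config)) + config
    alpn = b"\x02h2\x02h3"
    return (struct.pack("!H", 1) + encode_dns_name(".")
            + struct.pack("!HH", 1, len(alpn)) + alpn
            + struct.pack("!HH", 5, len(ech_list)) + ech_list)
```

Feeding real rdata from a resolver (e.g. the raw bytes of an HTTPS answer) into `parse_https_rdata()` gives the same dictionary; the point of `outer_sni()` is that a stream proxy routing on `$ssl_preread_server_name` would only ever see the `public_name` for every ECH-enabled site behind it, which is why plain preread cannot route by the real hostname without the ECH private key.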