TLS lazyweb: does SNI work such that you can proxy it? One process accepts connection, but doesn't have any keys, and forwards to the right backend based on name?
This is both a practical and theoretical question. Practical: openssl s_server doesn't do SNI, but maybe a trivial proxy could. Theoretical: keys for different sites behind same public IP should not be accessible to the process (or even host) accepting connections.