TLS routing notes from running several domains on one host
When several hostnames share a single server, the cleanest setup is usually to keep public entry points small and route by SNI before a connection reaches the application layer.
Things to document
- Which process owns the public port.
- Which internal ports are used by backend services.
- How certificates are issued and renewed.
- How to recover if the front proxy fails to reload.
Routing works best when every backend has a clear owner and every generated config file has a short note explaining why it exists.