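# ---------------------------------------------------------------------------
# EXAMPLE: MySQL-over-TLS passthrough (or proxy-terminate) via Nginx stream
# Copy to stream.d/, change port / target / cert paths to suit your setup.
# ---------------------------------------------------------------------------

# Simple TCP proxy — Nginx *forwards the byte stream untouched* (preferred).
#
# Passthrough means Nginx neither sees nor enforces TLS: encryption is
# negotiated end to end between the MySQL client and the MySQL server.
# If the two sides agree on plaintext, plaintext is what gets forwarded.
# Enforce TLS where it is actually negotiated:
#   - server: require_secure_transport=ON (and/or REQUIRE SSL / X509 per account)
#   - client: --ssl-mode=VERIFY_IDENTITY (or at least REQUIRED)
server {
    # Listen on both IPv4 & IPv6; pick any external port you like.
    # A bare [::] listener is IPv6-only by default (ipv6only=on), so the
    # IPv4 socket needs its own listen line.
    listen 7777;                  # IPv4  :7777 → target:3306
    listen [::]:7777;             # IPv6  :7777 → target:3306

    # This publishes a database port. Restrict who may connect, here and/or
    # at the firewall. The range below is a placeholder, not a recommendation:
    # allow 203.0.113.0/24;       # <your client network>
    # deny  all;

    # Upstream database host:port (container name, swarm service, or IP)
    proxy_pass db-primary:3306;

    # ssl_preread is intentionally NOT enabled here.
    # It waits for a TLS ClientHello as the first bytes from the client, but
    # MySQL is server-first: the client stays silent until it has received the
    # server greeting, and only then upgrades to TLS inside the MySQL protocol.
    # With preread on, every connection stalls until preread_timeout expires.
    # It is also unnecessary: proxy_pass is static, so no SNI routing happens.
}

# ---------------------------------------------------------------------------
# OPTIONAL: If you want Nginx to **terminate** TLS and talk plain TCP
# to the backend (rare for MySQL but possible), uncomment this variant.
#
# Caveats before enabling:
#   - "listen ... ssl" expects TLS from the very first byte. Stock MySQL
#     clients negotiate TLS in-protocol after the server greeting, so this
#     only works with clients that wrap the whole connection in TLS.
#   - The Nginx → backend hop is plaintext: credentials and query data cross
#     it in the clear. Keep that hop on a private/trusted network only.
#   - The MySQL server sees an unencrypted session, so require_secure_transport
#     and REQUIRE SSL account rules cannot be used on that backend.
#   - privkey.pem must be readable only by the Nginx master process user.
#
# server {
#     listen 7777 ssl;
#     listen [::]:7777 ssl;
#
#     ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
#     ssl_protocols       TLSv1.2 TLSv1.3;
#
#     proxy_pass db-primary:3306;
#
#     # Since Nginx ends TLS, no ssl_preread here
# }
# ---------------------------------------------------------------------------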