Is there an elegant way to proxy to upstream HTTPS? #4067
Unanswered. photomoose asked this question in Q&A.
Replies: 0 comments
I want to be able to proxy inbound requests from the internet to a Kubernetes ingress/gateway. The ingress itself is not publicly exposed; all inbound requests from the internet are routed to NPM.
The Kubernetes ingress manages TLS (via cert-manager/LetsEncrypt) and exposes services internally on port 443. The ingress routes requests to the appropriate backend service in Kubernetes based on the host header and/or URL path in the HTTP request.
The basic setup is as follows:
In order for point 2 to work, the host header in the request to Kubernetes needs to be the internal URL (e.g. https://some-service.k8s.my-domain.com) and not the public URL, as the certificates will not match (SSL handshake error) and the ingress routing will not work.
I can achieve such behaviour by adding the following in the Custom Nginx Configuration box:
...but then any access rules configured in the UI do not take effect. (I know I can manually add them in the above block, but it makes the UI inconsistent).
I've tried adding some directives in the Custom Locations box, but it looks like the template still sets the host header to the public URL regardless, and so the proxy does not work.
Is there a better way of doing this which still maintains the functionality of the UI, such as access lists etc?
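
For reference, the kind of upstream-HTTPS location block the question describes, written as an added example; it is not the asker's configuration and not from the NPM project. The hostname is the example internal URL from the post, and the CA bundle path is an assumption.

```nginx
# Added example: proxy to an internal HTTPS ingress using the internal hostname.
# The CA bundle path below is an assumption; adjust it to the proxy host's trust store.
location / {
    # Forward to the internal ingress over TLS on port 443.
    proxy_pass https://some-service.k8s.my-domain.com;

    # Host header the ingress routes on: the internal name, not the public one.
    proxy_set_header Host some-service.k8s.my-domain.com;

    # Send SNI with the internal name so the ingress presents the matching certificate.
    proxy_ssl_server_name on;
    proxy_ssl_name some-service.k8s.my-domain.com;

    # Verify the upstream certificate; nginx does not verify it by default.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Pass the original public host and client details to the backend.
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

As the post notes, a block like this entered as custom configuration is outside the access rules managed in the UI.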