Not an eng at Fly, but I’d imagine, with SNI-based routing on TLS v1.2 things are simpler still, but ECH (encrypted client hello) that’s now part of the TLS v1.3 standard, makes this setup a bit more involved: (from what I know, to support ECH) Fly must also host the DNS nameserver for the host being identified by the now-encrypted SNI field: Terminate multiple TLS domains, with both Fly and custom certificates - #2 by ignoramous
Also, I am not quite sure if various ALPNs complicate things for SNI-driven routes.
QUIC support is another area of concern for reverse-proxies. So you may argue that things aren’t getting any simpler for Fly, anyways…