I suppose you'll only leave proxy.config.http.server_ports 443:ssl in records.config
What about the default certificate that records.config still configures?
It needs to be configured if one really wants SSL enabled, even if all of the real hosts are taken care of by ssl_multicert.config.
Now, in certain cases this might even make sense - someone accesses a proxy via HTTPS, asking for a host this proxy does not serve. Do we terminate the TLS session? Do we finish the TLS handshake offering a default certificate and returning the RFC compliant 400 HTTP code?
Here's what we do now, which begs the question why, exactly, we need the default certificate:
i.galic@pheme ~ % curl -vk -H'Host: this-is-a-bad-example.at' https://18.104.22.168:443/
* About to connect() to 22.214.171.124 port 443 (#0)
* Trying 126.96.36.199... connected
* Connected to 188.8.131.52 (184.108.40.206) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 220.127.116.11:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to 18.104.22.168:443
35 i.galic@pheme ~ %