diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index c629c1b9230cf4a26c165e56bf186bec6de90682..2943dcc82d224f4da4f9c79df96f2fe64366456d 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -47,14 +47,16 @@ server {
     }
 
     location = /devel/mirrorauth/ {
+        # Authentication to archweb
         internal;
+        proxy_pass https://archlinux.org;
 
         # Do not pass the request body, only http authorisation header is required
         proxy_pass_request_body off;
         proxy_set_header        Content-Length "";
 
         # Proxy headers
-        proxy_set_header        Host                    "archlinux.org";
+        proxy_set_header        Host                    $proxy_host;
         proxy_set_header        X-Sent-From             "{{ vault_archweb_x_sent_from_secret }}";
 
         # Cache responses from the auth proxy
@@ -66,9 +68,12 @@ server {
         proxy_cache_use_stale         updating;
         proxy_cache_background_update on;
 
-        # Authentication to archweb
-        proxy_pass https://archlinux.org;
-        proxy_ssl_verify on;
+        # Verify destination TLS cert
+        proxy_ssl_verify              on;
         proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+        # Send SNI with TLS handshake
+        proxy_ssl_server_name         on;
+        proxy_ssl_name                $proxy_host;
     }
 }