diff --git a/nginx.py b/nginx.py
index d04f44a..4a9c48c 100644
--- a/nginx.py
+++ b/nginx.py
@@ -26,6 +26,26 @@ def dump_config(vmList, masterAddress):
 [ f.write(c) for c in vmo.dumpIptables(remove=True)]
 with open("/etc/nginx/stream_include.conf", "w") as f:
+
+ # ssl passthrough/no-terminate #
+ ssl_passthrough_map = []
+ for vmo in vmList:
+ relevant_subdomains = filter(lambda x: x.get("no-terminate-ssl"), vmo.subdomains)
+ for s in relevant_subdomains:
+ print(s)
+ # build the map contents #
+ if s.get("include-subdomains"):
+ match = "~.*{}".format(s.get("name"))
+ else:
+ match = s.get("name")
+
+ ssl_passthrough_map.append("{} {}:443;".format(match, vmo.ip))
+
+ environment = jinja2.Environment(loader=jinja2.FileSystemLoader(searchpath="./templates"))
+ template = environment.get_template("nginx_stream_ssl_map.conf.j2")
+ f.write(template.render(ssl_passthrough_map=ssl_passthrough_map))
+
+
 for vmo in vmList:
 [ f.write(c) for c in vmo.dumpStreamComponents()]
 for vmo in set(vmList):
diff --git a/templates/nginx_server_block.conf.j2 b/templates/nginx_server_block.conf.j2
index 4080773..b023785 100644
--- a/templates/nginx_server_block.conf.j2
+++ b/templates/nginx_server_block.conf.j2
@@ -2,8 +2,8 @@ server{
 # {{ comment }}
- listen 443 ssl;
- listen [::]:443 ssl;
+ listen 10443 ssl;
+ listen [::]:10443 ssl;
 {% if servernames %}server_name{% for s in servernames %} {{ s }}{% endfor %};{% endif %}
diff --git a/templates/nginx_stream_ssl_map.conf.j2 b/templates/nginx_stream_ssl_map.conf.j2
new file mode 100644
index 0000000..2caff4a
--- /dev/null
+++ b/templates/nginx_stream_ssl_map.conf.j2
@@ -0,0 +1,18 @@
+map $ssl_preread_server_name $proxy_name {
+ default 127.0.0.1:10443;
+ {% for line in ssl_passthrough_map %}
+ {{ line }}
+ {% endfor %}
+}
+
+server {
+
+ listen 443 ;
+ listen [::]:443 ;
+
+ proxy_timeout 5m;
+ proxy_responses 1;
+ ssl_preread on;
+ proxy_pass $proxy_name;
+
+}
diff --git a/vm.py b/vm.py
index 1c9b4a3..49b512a 100644
--- a/vm.py
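Review bot: The `include-subdomains` branch builds the nginx map key as `"~.*{}".format(s.get("name"))`, an unescaped, unanchored regex: the dots match any character and the pattern also matches any SNI name that merely ends in the string, and since nginx tries map regexes in order, an earlier VM's entry can capture a later VM's names. Anchor and escape it — `match = "~^(.+\\.)?{}$".format(re.escape(s.get("name")))`, with `import re` added at the top of nginx.py (use `~*` instead of `~` if SNI names may arrive in mixed case). If the subdomain names are supplied by VM owners rather than the operator, a name containing `;`, `}` or a newline would also rewrite the generated stream config, so they should be validated where they are loaded; the vm.py hunk calls `.get` on an entry before its dict check, so a non-dict entry now raises AttributeError instead of the intended ValueError there. `print(s)` in the inner loop looks like leftover debugging output. dump_config starts outside the hunk.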
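Review bot: `listen 10443 ssl;` and `listen [::]:10443 ssl;` bind the TLS-terminating server on all interfaces, so the new port is reachable directly from outside and bypasses the stream-level SNI routing, while the stream server in nginx_stream_ssl_map.conf.j2 only ever connects to 127.0.0.1:10443. Bind it to loopback: `listen 127.0.0.1:10443 ssl;` and `listen [::1]:10443 ssl;`. Because every connection now arrives through the local stream proxy, this server's access log and any IP-based directives (allow/deny, limit_req) will see 127.0.0.1 as the client; if the real address matters, add `proxy_protocol on;` to the stream server, `proxy_protocol` to these listen lines, and `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;` here. The server block continues outside the hunk.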
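Review bot: `proxy_responses 1;` only applies to UDP proxying and is a no-op for this TCP/TLS server; dropping it avoids suggesting the connection closes after one response. `ssl_preread on;` routes on the client-supplied SNI, so an unlisted or absent SNI falls through to `default 127.0.0.1:10443;` — worth a comment in the template, e.g. `# no SNI match (or no SNI at all): terminate TLS locally`. The listen lines carry a stray space before the terminator (`listen 443 ;`), which nginx accepts but reads like a typo.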
+++ b/vm.py
@@ -129,6 +129,10 @@ class VM:
 for subdomain in self.subdomains:
+ if subdomain.get("no-terminate-ssl"):
+ print("Not terminating TLS for: {}".format(subdomain))
+ continue
+
 if type(subdomain) != dict:
 raise ValueError("Subdomain must be object containing 'name' ")