diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index dab32d02083d..78693439dead 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -176,6 +176,10 @@ http { lua_ssl_verify_depth 5; ssl_session_timeout 86400; + {% if http.proxy_ssl_server_name then %} + proxy_ssl_server_name on; + {% end %} + {% if http.underscores_in_headers then %} underscores_in_headers {* http.underscores_in_headers *}; {%end%}
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index ed8ec4c07402..d0f58201ecac 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -180,6 +180,8 @@ nginx_config: # config for render the template to generate n # lua_shared_dicts: # add custom shared cache to nginx.conf # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` + proxy_ssl_server_name: true # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server. + etcd: host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. - "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme,
diff --git a/t/core/proxy_ssl.t b/t/core/proxy_ssl.t
new file mode 100644
index 000000000000..ed32572958ec
--- /dev/null
+++ b/t/core/proxy_ssl.t
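Review bot: In apisix/cli/ngx_tpl.lua the added `proxy_ssl_server_name on;` block turns on SNI for upstream handshakes, but nothing in the hunk sets `proxy_ssl_name`, so nginx falls back to its default `$proxy_host`, the host part of the `proxy_pass` target. The `proxy_pass` line is outside the hunk, so this needs confirming, but if that target is a fixed upstream-block name rather than the backend's hostname, every backend is offered the same, wrong server name. SNI also does not authenticate the peer, since `proxy_ssl_verify` is off by default; a comment above the block such as `# SNI only: the upstream certificate is not verified unless proxy_ssl_verify is configured` would stop operators reading this switch as upstream authentication. The `http { … }` block starts and ends outside the hunk.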
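Review bot: In conf/config-default.yaml the new key ships as `proxy_ssl_server_name: true`, so existing deployments that proxy to HTTPS upstreams start sending SNI on upgrade without opting in. TEST 2 in this commit appears to expect a 502 when the name does not match, which suggests routes that work today could start failing. The inline comment is the nginx documentation sentence and says neither which name is sent nor that certificate verification is unaffected; I would write `# send SNI (RFC 6066) to HTTPS upstreams; does not enable upstream certificate verification`. The key's indentation is not recoverable from this page, so confirm it sits under `http:`, which is where the template reads `http.proxy_ssl_server_name`.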
@@ -0,0 +1,76 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: add route
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "plugins": {
+ "proxy-rewrite": {
+ "scheme": "https"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1983": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 2: get upstream carrying host
+--- http_config
+proxy_ssl_server_name on;
+--- more_headers
+host: wrong.com
+--- request
+GET /hello
+--- error_code: 502
+--- error_log
+ssl
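Review bot: TEST 2's `--- error_log` pattern is the bare substring `ssl`, which any log line mentioning SSL satisfies, and a 502 is also what a plaintext or unreachable listener on `127.0.0.1:1983` would return, so the test can pass without SNI having been sent. Match the specific handshake-failure line that the upstream rejection produces, and add a companion case with a host the upstream certificate covers that expects 200, so the positive path is pinned as well. The test also sets `proxy_ssl_server_name on;` itself through `--- http_config`, so it seems not to exercise the `{% if http.proxy_ssl_server_name then %}` template branch or the new YAML default. A CLI-level test that renders nginx.conf and checks for the directive would cover that gap.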