diff --git a/d1/nginx_config.py b/d1/nginx_config.py
index 24171be..0242798 100644
--- a/d1/nginx_config.py
+++ b/d1/nginx_config.py
@@ -294,17 +294,48 @@ server {
 ) )
+ if 'stream_server' in ssl_nginx:
+ stream_server = r'''
+stream {
+ upstream web {
+ server {web};
+ }
+
+ map $ssl_preread_protocol $upstream {
+ default ssh;
+ "TLSv1.2" web;
+ "TLSv1.3" web;
+ }
+
+ # SSH and SSL on the same port
+ server {
+ listen 443;
+
+ proxy_pass $upstream;
+ ssl_preread on;
+ }
+}
+ '''.replace(
+ '{web}', str(ssl_nginx['stream_server'])[:256]
+ )
+ else:
+ stream_server = ''
+
 with io.open( output_conf, 'w' ) as f: f.write( r'''
+load_module "modules/ngx_stream_module.so";
+
 events { multi_accept on; worker_connections 64; }
+{stream_server}
+
 http { log_format main '[$time_local][$remote_addr:$remote_port, $http_x_forwarded_for, $t1, $http_host]'
@@ -325,7 +356,9 @@ http {
 '' close; } }
- '''.replace('{servers}', '\n'.join(servers))
+ '''\
+ .replace('{servers}', '\n'.join(servers)) \
+ .replace('{stream_server}', stream_server)
 )
diff --git a/docker/ssl-app/Dockerfile b/docker/ssl-app/Dockerfile
index dbb80da..9cff6e7 100644
--- a/docker/ssl-app/Dockerfile
+++ b/docker/ssl-app/Dockerfile
@@ -7,6 +7,7 @@ RUN apk add nginx
 RUN apk add tini #RUN pip3 install requests certbot RUN apk add certbot
+RUN apk add nginx-mod-stream
 WORKDIR /app
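Review bot: In the first hunk of d1/nginx_config.py, `ssl_nginx['stream_server']` is pasted into `server {web};` after only `str()` and a 256-character cut, so a value containing `;`, braces or a newline would add arbitrary directives to the generated nginx.conf, and an over-long value is silently truncated into a different address. If this setting can come from anything less trusted than the deployer, check it against a strict host:port pattern before substituting, e.g. `if not re.fullmatch(r'[A-Za-z0-9.-]+:[0-9]{1,5}', web): raise ValueError('stream_server must be host:port')` (this assumes `re` is imported in the module, which the hunk does not show). Separately, the `map` routes everything that is not TLS 1.2/1.3 to `ssh`, but the `stream` block defines only `upstream web`; unless an `ssh` upstream is generated elsewhere, `proxy_pass $upstream` has no group of that name to use, so an `upstream ssh { server <ssh-host:port>; }` entry looks missing. The `default ssh` branch also hands legacy-TLS clients and any non-TLS traffic on 443 to the SSH daemon, which deserves a comment beside the map such as `# anything that is not a TLS 1.2/1.3 ClientHello is treated as SSH`. The enclosing function starts and ends outside the hunk.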
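Review bot: In the second hunk of d1/nginx_config.py, the backslash continuations after `'''` and after the first `.replace(...)` are redundant, because the whole expression already sits inside the parentheses of `f.write(`, and a stray space after either backslash would become a syntax error; the chain reads the same as `'''.replace('{servers}', '\n'.join(servers)).replace('{stream_server}', stream_server)` split across lines without them. Because `{stream_server}` is substituted after the server blocks have been spliced in, a literal `{stream_server}` inside any entry of `servers` would be expanded as well; swapping the two `.replace` calls, or adding a comment that server blocks must not contain that token, keeps the placeholders independent. The `f.write(` call opens outside this hunk.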