Code Room
System design (Medium)
Question
Design a TLS-terminating reverse proxy / ingress edge for a SaaS that serves thousands of customer custom domains (vanity domains like app.customer.com) with per-domain certificates, auto-renewed. It terminates TLS, then forwards to internal services over mTLS. Explain certificate storage and selection at handshake time, how you handle 10k+ certs without bloating memory, and how you forward client identity safely to the backend.
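The handshake-time path of the question above, as an added example that is not part of this page: a Go crypto/tls GetCertificate callback that normalizes the SNI name, serves from a bounded LRU, falls through to a per-domain store on a miss, fails the handshake for unknown names instead of presenting a default certificate, and refetches a cached certificate near expiry so an auto-renewed copy is picked up. CertStore, CertCache and the in-memory placeholder certificates are assumptions for the example; a real store holds the full chain and key.

```go
// Added example, not the page's own code: per-handshake certificate selection from
// SNI with a bounded LRU in front of the certificate store (all names assumed here).
package main

import (
	"container/list"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"net"
	"strings"
	"sync"
	"time"
)

// CertStore stands in for the durable per-domain store (secrets manager or DB) the
// renewal job writes into; Loads counts fetches so the cache's effect is observable.
type CertStore struct {
	Certs map[string]*tls.Certificate
	Loads int
}

func (s *CertStore) Load(host string) (*tls.Certificate, error) {
	s.Loads++
	if c, ok := s.Certs[host]; ok {
		return c, nil
	}
	return nil, errors.New("no certificate for " + host)
}

// NewStore seeds placeholder certs (Leaf only, no chain or key: constructed test
// data); a real store returns the full tls.Certificate with Leaf populated.
func NewStore(hosts ...string) *CertStore {
	s := &CertStore{Certs: map[string]*tls.Certificate{}}
	for _, h := range hosts {
		leaf := &x509.Certificate{Subject: pkix.Name{CommonName: h}, NotAfter: time.Now().Add(24 * time.Hour)}
		s.Certs[h] = &tls.Certificate{Leaf: leaf}
	}
	return s
}

// CertCache is a bounded LRU: only recently seen domains stay resident, so 10k+ issued certs need not all be in memory.
type CertCache struct {
	mu    sync.Mutex
	max   int
	store *CertStore
	order *list.List // front = most recently used; values are *entry
	items map[string]*list.Element
}

type entry struct {
	host string
	cert *tls.Certificate
}

const renewBefore = time.Hour // refetch a cached cert this close to expiry so the renewed copy takes over

func NewCertCache(store *CertStore, max int) *CertCache {
	return &CertCache{max: max, store: store, order: list.New(), items: map[string]*list.Element{}}
}

// normalizeSNI canonicalizes the ClientHello name and rejects what can never match
// a customer domain (no SNI, IP literals, path-like junk).
func normalizeSNI(name string) (string, error) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" || net.ParseIP(name) != nil || strings.ContainsAny(name, "/\\ ") {
		return "", errors.New("missing or invalid SNI")
	}
	return name, nil
}

// GetCertificate is wired as tls.Config.GetCertificate. Holding the lock across Load
// is for brevity; production code would singleflight per host instead.
func (c *CertCache) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host, err := normalizeSNI(hello.ServerName)
	if err != nil {
		return nil, err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.items[host]; ok {
		e := el.Value.(*entry)
		if e.cert.Leaf == nil || time.Until(e.cert.Leaf.NotAfter) > renewBefore {
			c.order.MoveToFront(el)
			return e.cert, nil
		}
		delete(c.items, host) // near expiry: drop it and fetch the renewed copy
		c.order.Remove(el)
	}
	cert, err := c.store.Load(host)
	if err != nil {
		return nil, err // unknown domain: fail the handshake, never serve a default cert
	}
	c.items[host] = c.order.PushFront(&entry{host: host, cert: cert})
	if c.order.Len() > c.max {
		delete(c.items, c.order.Remove(c.order.Back()).(*entry).host)
	}
	return cert, nil
}
```

Wire it with `&tls.Config{GetCertificate: cache.GetCertificate}`. With `max` sized to the working set of active domains, memory is bounded by that rather than by the number of issued certificates, and the store, not the cache, is the system of record the renewal job writes into. The lock held across Load is the trade-off to name: a thundering herd for one domain serializes its handshakes, which is what per-host singleflight fixes.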
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
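For the third part of the question (forwarding client identity to the backend), the failure mode a strong answer names is header spoofing: if the backend trusts an `X-Client-Cert-*` header, the edge must strip any copy the client sent before setting its own from the verified chain, and the backend must believe the header only when the request demonstrably arrived over the mTLS leg from the edge. Added example in Go, not the page's own code; the header names, the `edgeID` URI SAN and the stub certificates are assumptions.

```go
// Added example, not the page's own code: how the edge forwards a verified client
// identity to the backend without letting the client forge it. The header names,
// edgeID and the stub certificates are assumptions for this example.
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"net/http"
	"net/url"
)

// identityHeaders are what the backend trusts for client identity. A client can send
// them too, so the edge strips every inbound copy before adding its own, and the
// backend honours them only when the peer on the mTLS leg is the edge.
var identityHeaders = []string{"X-Client-Cert-Subject", "X-Client-Cert-Fingerprint", "X-Forwarded-Client-Cert"}

// edgeID is the URI SAN (SPIFFE-style, assumed) in the edge's own mTLS client certificate.
const edgeID = "spiffe://example.internal/edge"

// verifiedLeaf returns the peer leaf from VerifiedChains, never from PeerCertificates:
// PeerCertificates is whatever the peer sent, verified or not.
func verifiedLeaf(cs *tls.ConnectionState) *x509.Certificate {
	if cs == nil || len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return nil
	}
	return cs.VerifiedChains[0][0]
}

// forwardIdentity (edge side) rewrites h in place for the hop to the backend.
func forwardIdentity(h http.Header, client *x509.Certificate) {
	for _, name := range identityHeaders {
		h.Del(name)
	}
	if client == nil {
		return // anonymous client: the backend sees no identity header at all
	}
	sum := sha256.Sum256(client.Raw) // DER fingerprint: unique even when subjects collide
	h.Set("X-Client-Cert-Subject", client.Subject.String())
	h.Set("X-Client-Cert-Fingerprint", hex.EncodeToString(sum[:]))
}

// backendIdentity (backend side) reads the client identity only if the request came
// over mTLS from a peer whose certificate carries edgeID; otherwise it is anonymous.
func backendIdentity(r *http.Request) (subject, fingerprint string, ok bool) {
	peer := verifiedLeaf(r.TLS)
	if peer == nil || !hasURI(peer, edgeID) {
		return "", "", false
	}
	subject, fingerprint = r.Header.Get("X-Client-Cert-Subject"), r.Header.Get("X-Client-Cert-Fingerprint")
	return subject, fingerprint, fingerprint != ""
}

func hasURI(c *x509.Certificate, want string) bool {
	for _, u := range c.URIs {
		if u.String() == want {
			return true
		}
	}
	return false
}

// stubCert and stateFor build unsigned stand-ins for what a real handshake would have
// verified (constructed test data; Raw holds the CN instead of DER).
func stubCert(cn string, uris ...string) *x509.Certificate {
	c := &x509.Certificate{Raw: []byte(cn), Subject: pkix.Name{CommonName: cn}}
	for _, u := range uris {
		parsed, err := url.Parse(u)
		if err != nil {
			panic(err)
		}
		c.URIs = append(c.URIs, parsed)
	}
	return c
}

func stateFor(leaf *x509.Certificate) *tls.ConnectionState {
	return &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
}
```

Both halves are needed: stripping at the edge without the backend check leaves the backend trusting anything that reaches it over plain HTTP, and the backend check without stripping lets a client smuggle a subject through the edge. Forwarding the fingerprint as well as the subject gives the backend a key that stays unique across CAs and renewals.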