SSL Passthrough is not working for server alias, but only for host - kubernetes ingress NGINX

I created a Kubernetes ingress object with the following configuration. It has one host and one alternate server name (server alias).

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-alias: 130.35.17.47
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: hostname
    http:
      paths:
      - backend:
          service:
            name: servname
            port:
              number: 80
        path: /

The pod configured to the service servname has a certificate with subject *.mycompany.com.

Does passthrough only work for hostname and NOT for server aliases?

Correct response and cert URL with hostname

When I issued a request using hostname in the URL (for example https://hostname/abcd), the certificate I see is with subject *.mycompany.com as expected. SSL passthrough is working here.

Certificate is incorrect for URL with IP address

BUT, when the request is issued to the IP address specified in the URL like https://130.35.17.47/abcd, although the response is correct, I see the default certificate CN=Kubernetes Ingress Controller Fake Certificate, but not *.mycompany.com.

Both Cert and response are incorrect after removing "backend-protocol" annotation

Also, when I remove the backend-protocol annotation, I don't get any valid response. This is the response:

* Connected to 130.35.17.47 (130.35.17.47) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Mar 30 11:00:08 2022 GMT
*  expire date: Mar 30 11:00:08 2023 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe971012200)
> GET /osa/login.html HTTP/2
> Host: 130.35.17.47
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 000 
< date: Fri, 13 May 2022 21:35:08 GMT
< strict-transport-security: max-age=15724800; includeSubDomains
< 
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* stopped the pause stream!

The corresponding error message in nginx pod log is:

upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 127.0.0.1, server: hostname, request: "GET /abcd HTTP/2.0", upstream: "http://10.244.1.119:9443/abcd", host: "130.35.17.47"

127.0.0.1 - - [13/May/2022:21:35:08 +0000] "GET /abcd HTTP/2.0" 009 7 "-" "curl/7.81.0" 41 0.003 [] 10.244.1.119:9443 7 0.003 200 94e8aac6d1d7ce20b705c43ad0688b32

Additional details:
  • I enabled SSL passthrough as is evident from the response with hostname based URL.
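The behaviour described above is what an SNI-based passthrough proxy produces: ingress-nginx's passthrough proxy reads the server_name from the TLS ClientHello and matches it only against the hosts of Ingress rules that carry ssl-passthrough, while the server-alias annotation only extends nginx's own server_name directive; a client connecting to an IP literal sends no SNI at all (RFC 6066 does not permit IP addresses in server_name), so that connection is handed to nginx, which presents the default certificate. The following Python example is added here, is not code from the question or from ingress-nginx, and models that decision with a constructed ClientHello; the host list and the byte layout it builds are assumptions for illustration.

```python
"""Model of the SNI routing decision made by a TLS passthrough proxy.
The ClientHello bytes are constructed here, not captured from the wire."""
import struct
from typing import Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (constructed sample)."""
    body = b"\x03\x03" + bytes(32)              # legacy version + random
    body += b"\x00"                             # session id length 0
    body += b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                         # compression: null only
    exts = b""
    if sni is not None:                         # a client using an IP literal omits this
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += b"\x00\x00" + struct.pack("!H", len(lst)) + lst    # extension 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello and return the server_name, or None when absent."""
    hs = record[5:]                              # skip the 5-byte record header
    pos = 4 + 2 + 32                             # handshake header, version, random
    pos += 1 + hs[pos]                           # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                            # cipher suites
    pos += 1 + hs[pos]                           # compression methods
    if pos >= len(hs):                           # no extensions block at all
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                           # server_name: list len (2), type (1), name len (2)
            nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + nlen].decode()
        pos += elen
    return None


# Assumed passthrough list: built from spec.rules[].host only; server-alias is not added.
PASSTHROUGH_HOSTS = {"hostname"}


def route(record: bytes) -> str:
    """Passthrough to the backend on an SNI match, otherwise nginx serves its default cert."""
    sni = extract_sni(record)
    return "passthrough" if sni in PASSTHROUGH_HOSTS else "nginx-default-cert"
```

Running `route(build_client_hello("hostname"))` yields "passthrough", while a ClientHello without SNI, as sent for https://130.35.17.47/, yields "nginx-default-cert", matching the fake certificate seen above.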


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow