| 1. Front LB (co-located with unmask) + backend app — unmask terminates TLS |
| ★●LB nginx (native) → httpd | yes | none (plugin computes it) |
| ★●LB nginx (forward-auth) → httpd | no | — nothing parses the ClientHello |
| ★●LB apache (forward-auth) → httpd | no | — |
| 2. App-direct — unmask terminates TLS |
| ★●nginx (native) | yes | none |
| ★●nginx (forward-auth) | no | — |
| ★●apache (forward-auth) | no | — |
| 3. Front CDN / LB terminates TLS (Cloudflare / GCP HTTPS LB / AWS ALB·CloudFront, …) + backend app |
| ★CDN → ●LB nginx (native) → httpd | yes | select under “trusted LB / CDN” |
| ★CDN → ●LB nginx (forward-auth) → httpd | yes | select under “trusted LB / CDN” |
| ★CDN → ●LB apache (forward-auth) → httpd | yes | select under “trusted LB / CDN” |
| 4. Front CDN / LB terminates TLS + unmask direct |
| ★CDN → ●nginx (native) | yes | select under “trusted LB / CDN” |
| ★CDN → ●nginx (forward-auth) | yes | select under “trusted LB / CDN” |
| ★CDN → ●apache (forward-auth) | yes | select under “trusted LB / CDN” |