Description
For the past few days, GitHub has been sending the Client Hello fragmented into a few 1-byte TCP packets followed by one TCP packet with the rest of the Client Hello. I have no idea why; it seems to be random, affecting about 5% of the webhook deliveries.
See this Wireshark capture: there are a few 1-byte packets, then the packet with id 5793 sends the rest of the Client Hello:
The TCP proxy is doing a single TCP Read() call to read the Client Hello, here:

ingress-nginx/pkg/tcpproxy/tcp.go, line 65 in c8722b2
This read receives only the 1st byte. This causes parser.GetHostname(data) to fail, which causes the TCP connection to be incorrectly routed to nginx instead of to the TLS passthrough destination. nginx-ingress doesn't have the certificate for this host, causing the TLS handshake to fail.
I'm not sure how to fix this. It seems the proxy should read in a loop until it has received the whole Client Hello?
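A read loop of the kind the last sentence suggests, as an added example that is not ingress-nginx's own code: it reads the 5-byte TLS record header first, then exactly the body length the header announces, so a Client Hello fragmented into 1-byte segments still arrives whole before any hostname parsing. The `oneByteReader` and `sampleRecord` are constructed stand-ins for the fragmenting peer and a minimal handshake record.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

const tlsRecordHeaderLen = 5
const maxTLSRecordBody = 1 << 14 // TLS plaintext records carry at most 2^14 bytes

// readClientHelloRecord reads one whole TLS record however the peer fragments it:
// the 5-byte header, then exactly the body length it announces (io.ReadFull loops over Read).
func readClientHelloRecord(r io.Reader) ([]byte, error) {
	hdr := make([]byte, tlsRecordHeaderLen)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, fmt.Errorf("reading TLS record header: %w", err)
	}
	if hdr[0] != 0x16 { // content type 22 = handshake
		return nil, fmt.Errorf("not a TLS handshake record (type %d)", hdr[0])
	}
	bodyLen := int(binary.BigEndian.Uint16(hdr[3:5]))
	if bodyLen == 0 || bodyLen > maxTLSRecordBody {
		return nil, fmt.Errorf("implausible record length %d", bodyLen)
	}
	rec := make([]byte, tlsRecordHeaderLen+bodyLen)
	copy(rec, hdr)
	if _, err := io.ReadFull(r, rec[tlsRecordHeaderLen:]); err != nil {
		return nil, fmt.Errorf("reading TLS record body: %w", err)
	}
	return rec, nil
}

// oneByteReader is a constructed stand-in for a peer that delivers one byte per Read call.
type oneByteReader struct{ data []byte }

func (o *oneByteReader) Read(p []byte) (int, error) {
	if len(o.data) == 0 {
		return 0, io.EOF
	}
	p[0], o.data = o.data[0], o.data[1:]
	return 1, nil
}

var sampleRecord = []byte{0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00} // constructed: handshake header, length 4, 4-byte body

func main() {
	rec, err := readClientHelloRecord(&oneByteReader{data: append([]byte(nil), sampleRecord...)})
	fmt.Println(len(rec), err) // 9 <nil>
}
```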