
Nginx SSL certificate served for all server names that resolve to the server's IP

Published: 2020-12-13 21:18:50 | Category: Nginx | Source: compiled from the web

Given that I have configured two subdomains in DNS (both of which therefore resolve to my server's IP address), I have two different TLS certificates for these subdomains.

I configured nginx this way:

# If we receive X-Forwarded-Proto,pass it through; otherwise,pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

# If we receive Upgrade,set Connection to "upgrade"; otherwise,delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  ''      '';
}

gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

access_log /var/log/nginx.log;
error_log /var/log/nginx_errors.log;

# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;

server {
  listen 80 default_server;
  server_name _; # This is just an invalid value which will never trigger on a real hostname.
  return 503;
  server_tokens off; # Hide the nginx version
}


upstream sub1.domain.tld {
  server 172.17.0.27:5000;
}

server {
  server_name sub1.domain.tld;
  server_tokens off; # Hide the nginx version

  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/sub1.domain.tld.crt;
  ssl_certificate_key /etc/nginx/ssl/sub1.domain.tld.key;

  location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd/sub1.htpasswd;
    proxy_pass http://sub1.domain.tld;
  }
}

At this point, if I go to https://sub1.domain.tld, everything works fine.
Now, if I try to access https://sub2.domain.tld, which has not been configured yet and therefore should not respond, it accepts the connection and tells me there is a problem with the certificate because it does not match the server name. So it looks as if, with this configuration, nginx sends the certificate for every request on port 443.

How should I change the configuration so that access to https://sub2.domain.tld fails (for example with a 503 error) until I configure it by adding a new server block?

Best answer
You can add another server block like this:

server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;

    return 503;
}

For the default certificate you can create a self-signed one. This will trigger an invalid certificate error on the client, as Steffen mentioned. If the user accepts the certificate, they will then receive a 503 status code.
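As an added check (not part of the question or the answer above), the following script explains the behaviour the question observed: nginx picks the first server block listening on a port as the default when none is marked default_server, so an unknown SNI name is answered with that block's certificate. The configs embedded in it are constructed from the snippets on this page; the parser is a minimal brace-aware scan, not nginx's own.

```python
import re

# Constructed sample (not the page's full config): the port-80 catch-all and the
# sub1 TLS server from the question, with no default_server on port 443.
QUESTION_CONFIG = """
server { listen 80 default_server; server_name _; return 503; }
server {
  server_name sub1.domain.tld;
  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/sub1.domain.tld.crt;
}
"""
# The same config with the answer's catch-all block for port 443 appended.
FIXED_CONFIG = QUESTION_CONFIG + """
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/default.crt;
    return 503;
}
"""

def server_blocks(config):
    """Yield the bodies of top-level `server { ... }` blocks in file order (brace-aware
    scan; assumes no braces inside quoted strings or comments)."""
    i = 0
    while (m := re.search(r'\bserver\s*\{', config[i:])):
        start, depth, j = i + m.end(), 1, i + m.end()
        while depth and j < len(config):
            depth += {'{': 1, '}': -1}.get(config[j], 0)
            j += 1
        yield config[start:j - 1]
        i = j

def tls_default_server(config, port=443):
    """Which server block answers an unknown SNI name on `port`?
    Returns (server_name, explicit). explicit=False means no block on that port is
    marked default_server, so nginx falls back to the first block listening there
    (and serves its certificate, as seen with sub1 in the question)."""
    candidates = []
    for body in server_blocks(config):
        for lm in re.finditer(r'\blisten\s+([^;]*);', body):
            args = lm.group(1).split()
            if args and args[0].rsplit(':', 1)[-1] == str(port) and 'ssl' in args:
                nm = re.search(r'\bserver_name\s+([^;]*);', body)
                candidates.append((nm.group(1).strip() if nm else '', 'default_server' in args))
    if not candidates:
        return None
    explicit = [c for c in candidates if c[1]]
    return explicit[0] if explicit else (candidates[0][0], False)
```

Running it against the two constructed configs shows the implicit default for port 443 moving from sub1.domain.tld to the catch-all block once the answer's server block is present.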
