I don't see why this uses ssl_preread, since it does terminate the TLS and then just uses $ssl_server_name (as opposed to $ssl_preread_server_name) anyway.
Also, it seems to be reimplementing stunnel in nginx. I'm not sure why, as opposed to just using stunnel.