diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 935f8dcdd6..36d6f77df1 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -714,7 +714,7 @@ func (n *NGINXController) setupSSLProxy() {
 }
 
 glog.V(3).Infof("Handling connection from remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
- go n.Proxy.Handle(conn)
+ go n.Proxy.Handle(conn, n.runningConfig)
 }
 }()
 }
diff --git a/internal/ingress/controller/tcp.go b/internal/ingress/controller/tcp.go
index cfaca7b209..88c467df09 100644
--- a/internal/ingress/controller/tcp.go
+++ b/internal/ingress/controller/tcp.go
@@ -24,6 +24,7 @@ import (
 
 "github.com/golang/glog"
 "github.com/paultag/sniff/parser"
+ "k8s.io/ingress-nginx/internal/ingress"
 )
 
 // TCPServer describes a server that works in passthrough mode.
@@ -57,9 +58,10 @@ func (p *TCPProxy) Get(host string) *TCPServer {
 
 // Handle reads enough information from the connection to extract the hostname
 // and open a connection to the passthrough server.
-func (p *TCPProxy) Handle(conn net.Conn) {
+func (p *TCPProxy) Handle(conn net.Conn, config *ingress.Configuration) {
 defer conn.Close()
 data := make([]byte, 4096)
+ remoteAddr := conn.RemoteAddr().(*net.TCPAddr)
 
 length, err := conn.Read(data)
 if err != nil {
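Review bot: `n.runningConfig` is handed to `Handle` straight from the accept loop with no nil guard, and the new `Handle` body ranges over `config.Servers`; if the field is still nil before the first configuration sync (the writer is outside this diff, so this is inferred), the first passthrough connection panics the goroutine and with it the whole controller. A one-line guard either here, `cfg := n.runningConfig; if cfg == nil { conn.Close(); continue }`, or at the top of `Handle`, `if config == nil { return }`, turns that into a closed connection. If the sync loop replaces `n.runningConfig` while connections are being accepted, this read is also unsynchronized and would show up under `-race`; worth confirming how the field is published. setupSSLProxy begins outside the hunk.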
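Review bot: The doc comment on `Handle` still describes only hostname extraction and dialing, while the new `config` parameter is what makes it enforce per-server whitelists; extend it, e.g. `// Handle reads enough information from the connection to extract the hostname,` / `// checks the peer address against the whitelist of the matching SSL passthrough server in config,` / `// and opens a connection to the passthrough server.` The new `remoteAddr := conn.RemoteAddr().(*net.TCPAddr)` now runs for every connection rather than only inside the ProxyProtocol branch, so a non-TCP `net.Conn` would panic the goroutine; `remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr); if !ok { return }` keeps it a closed connection instead. Handle's body continues past the end of this hunk.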
@@ -79,6 +81,36 @@ func (p *TCPProxy) Handle(conn net.Conn) {
 return
 }
 
+ for _, server := range config.Servers {
+ if server.Hostname != hostname {
+ continue
+ }
+
+ if !server.SSLPassthrough {
+ continue
+ }
+
+ check := false
+ for _, location := range server.Locations {
+ for _, CIDR := range location.Whitelist.CIDR {
+ _, network, err := net.ParseCIDR(CIDR)
+ if err != nil {
+ glog.Fatalf("%v", err)
+ }
+
+ if network.Contains(net.ParseIP(remoteAddr.IP.String())) {
+ check = true
+ break
+ }
+ }
+ }
+ if !check {
+ glog.V(4).Infof("Whitelisting is not allowing this connection.")
+ return
+ }
+ break
+ }
+
 clientConn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", proxy.IP, proxy.Port))
 if err != nil {
 return
@@ -88,7 +120,7 @@ func (p *TCPProxy) Handle(conn net.Conn) {
 if proxy.ProxyProtocol {
 // write out the Proxy Protocol header
 localAddr := conn.LocalAddr().(*net.TCPAddr)
- remoteAddr := conn.RemoteAddr().(*net.TCPAddr)
+
 protocol := "UNKNOWN"
 if remoteAddr.IP.To4() != nil {
 protocol = "TCP4"
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 3688b6ed43..c60e1e6e75 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -251,10 +251,13 @@ http {
 # The following is a sneaky way to do "set $the_real_ip $remote_addr"
 # Needed because using set is not allowed outside server blocks.
- map '' $the_real_ip {
+ map $scheme $the_real_ip {
 {{ if $cfg.UseProxyProtocol }}
 # Get IP address from Proxy Protocol
 default $proxy_protocol_addr;
+ {{ else if $all.IsSSLPassthroughEnabled }}
+ https $proxy_protocol_addr;
+ default $remote_addr;
 {{ else }}
 default $remote_addr;
 {{ end }}
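Review bot: A matching passthrough server whose locations carry no whitelist CIDRs closes every connection, because `check` only becomes true inside the CIDR loop; if hosts without a whitelist annotation arrive here with an empty `location.Whitelist.CIDR` (likely, though the annotation parser is outside this diff) this breaks every unrestricted passthrough host, so an empty union should mean unrestricted, matching how an absent whitelist behaves on the HTTP side. `glog.Fatalf("%v", err)` on a CIDR parse error exits the whole controller from a per-connection goroutine, so a single malformed range in configuration becomes an outage for every Ingress the controller serves; log the entry and treat it as non-matching instead. `net.ParseIP(remoteAddr.IP.String())` round-trips a value that is already a `net.IP`, and parsing the CIDRs on every connection rather than once when the configuration is built is avoidable work on the accept path. Unioning the whitelists of all locations is also an approximation, since a passthrough connection carries no path to select a location by, and deserves a comment. Handle begins and ends outside this hunk.

```go
	for _, server := range config.Servers {
		if server.Hostname != hostname || !server.SSLPassthrough {
			continue
		}

		// A passthrough connection carries no path, so the whitelists of all
		// locations are unioned; an empty union means unrestricted.
		var cidrs []string
		for _, location := range server.Locations {
			cidrs = append(cidrs, location.Whitelist.CIDR...)
		}
		if len(cidrs) == 0 {
			break
		}

		allowed := false
		for _, cidr := range cidrs {
			_, network, err := net.ParseCIDR(cidr)
			if err != nil {
				// Never exit the controller from a connection handler; a bad
				// range simply does not match.
				glog.Warningf("ignoring invalid whitelist CIDR %q for %q: %v", cidr, hostname, err)
				continue
			}
			if network.Contains(remoteAddr.IP) {
				allowed = true
				break
			}
		}
		if !allowed {
			glog.V(4).Infof("Whitelisting is not allowing this connection.")
			return
		}
		break
	}
	// … unchanged: dial to the passthrough backend …
```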