mtproto-ssl.nginx.conf

user www-data;
worker_processes auto;

events {
    worker_connections 4096;
}

http {
    include /etc/nginx/mime.types.conf;
    default_type application/octet-stream;

    access_log off;
    error_log /var/log/nginx/error.log;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server {
        listen 80;
        root /opt/static/html;
    }
}

stream {
    upstream mtproto {
        server 127.0.0.1:1501;
    }

    upstream web {
        server 127.0.0.1:1502;
    }

    map $ssl_preread_protocol $upstream {
        ""        mtproto;
        "TLSv1.1" web;
        "TLSv1.2" web;
        "TLSv1.3" web;
        default   web;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
    }
}

this config doesn't work because the signature of mtproto is "TLSv1.3" and you are sending it to web traffic