diff --git a/proxy/src/auth/backend/link.rs b/proxy/src/auth/backend/link.rs
index e588f67693..da43cf11c4 100644
--- a/proxy/src/auth/backend/link.rs
+++ b/proxy/src/auth/backend/link.rs
@@ -86,8 +86,17 @@ pub(super) async fn authenticate(
         .host(&db_info.host)
         .port(db_info.port)
         .dbname(&db_info.dbname)
-        .user(&db_info.user)
-        .ssl_mode(SslMode::Require); // we need TLS connection with SNI to properly route it
+        .user(&db_info.user);
+
+    // Backwards compatibility. pg_sni_proxy uses "--" in domain names
+    // while direct connections do not. Once we migrate to pg_sni_proxy
+    // everywhere, we can remove this.
+    if db_info.host.contains("--") {
+        // we need TLS connection with SNI info to properly route it
+        config.ssl_mode(SslMode::Require);
+    } else {
+        config.ssl_mode(SslMode::Disable);
+    }
 
     if let Some(password) = db_info.password {
         config.password(password.as_ref());