
Edge Security Acceleration: Origin SNI

Last Updated: Jan 06, 2025

If multiple websites are hosted on a single server with the same IP address, you must specify the SNI (Server Name Indication) when points of presence (POPs) retrieve content from the origin server over HTTPS. The origin server returns the Secure Sockets Layer (SSL) certificate of the desired domain name based on the configured SNI to ensure the correct resources are returned.

Background information

SNI is an extension to SSL/TLS with which a client indicates the hostname it is attempting to connect to at the beginning of the handshake process. SNI allows a server to present multiple SSL certificates on the same IP address. After you configure an SNI, the origin server checks the SNI information carried in the TLS handshake request initiated by an Edge Security Acceleration (ESA) POP to determine the requested domain name. Then, the origin server returns the SSL certificate of the requested domain name to the ESA POP.

Important

The origin server must support the parsing of the SNI information carried in a TLS handshake request.

The following figure shows how origin SNI works:

[Figure: how origin SNI works]

SNI works based on the following process:

  1. When an ESA POP accesses the origin server over HTTPS, you must specify the desired domain name in the SNI. Sample domain name: example.com.

  2. The origin server returns the matching certificate based on the SNI.

  3. The ESA POP establishes a TLS connection with the origin server after receiving the certificate.

    Note

    The origin SNI is the same as the origin host by default. You can configure the origin SNI by performing the following steps.

Create an origin SNI rule

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose Rules > Origin Rules.

  5. Click Create Rule and enter the Rule Name.

  6. In the If requests match... section, select whether to apply the rule to all incoming requests or only to requests that match a custom filter expression. Then, click Configure in the Origin SNI section and enter an SNI based on your business requirements.

  7. Click OK.