If multiple domain names are bound to the same origin IP address, you must specify the domain name to be accessed (the origin SNI) when a point of presence (POP) accesses the origin server over HTTPS. The origin server then returns the SSL certificate for the corresponding domain name based on the SNI to ensure a successful origin fetch.
Background
Server Name Indication (SNI) is an extension to the SSL/TLS protocol that allows a server to present multiple SSL certificates on a single IP address. This allows an HTTPS server that hosts multiple domain names to identify which domain a client is requesting. After you enable SNI, when an Edge Security Acceleration (ESA) POP sends a TLS handshake request to the origin server, the origin server uses the SNI information in the request to identify the requested domain name and returns the correct SSL certificate to the POP.
The origin server must support parsing the SNI information contained in TLS handshake requests.
The following figure shows how origin SNI works.
The following steps describe how origin SNI works:
When a POP accesses the origin server over HTTPS, you must specify the domain name to access in the SNI. For example, example.com.
After the origin server receives the request, it returns the certificate for the domain name specified in the SNI. For example, the certificate of example.com.
The POP receives the certificate and establishes a secure connection with the server.
Default configurations: By default, the origin SNI is the same as the origin HOST. To set the origin SNI to a value different from the origin HOST, you can follow the steps below.
Create an origin SNI rule
In the ESA console, select Websites. In the Website column, click the target site.
In the navigation pane on the left, choose .
Click Create Rule and enter a Rule Name.
In the If requests match... section, set the conditions to match user requests. For more information about how to configure rules, see Composition of a rule expression.
In the Origin SNI section, click Configure and set the Origin SNI value.
Click OK.
References
Rule-related features vary in execution priority, rule behavior, and configuration scope. For more information, see How ESA rules take effect.