If the IP address of your origin server is associated with multiple domain names, and requests are redirected to the origin server over HTTPS (port 443), you must configure the Server Name Indication (SNI) feature for the origin server. SNI specifies the domain name for which requests are destined, and enables the server to return the correct certificate.

Background information

SNI is an extension of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) by which a client determines which hostname it is attempting to connect to at the beginning of the handshake process. SNI allows a server to present multiple SSL certificates on the same IP address. After SNI is enabled, the server retrieves resources from the specified domain name and returns the correct SSL certificate to the client based on the SNI settings when a client initiates a handshake request.

  • SNI is also required when requests are redirected to the origin server over HTTPS.
  • The origin server must be capable of parsing SNI information provided by the TLS handshake request from CDN nodes.
The following figure shows how SNI works. How SNI works
SNI works based on the following process:
  1. A CDN node redirects a request to the origin server over HTTPS. The domain name for which the request is destined is specified by SNI.
  2. After the origin server receives the request, it responds with the certificate of the requested domain name based on SNI.
  3. After the CDN node receives the certificate, it establishes a secure connection to the origin server.


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Back-to-origin.
  5. On the Configurations tab, find the Origin SNI section and click Modify.
  6. In the Origin SNI dialog box, turn on Origin SNI and enter the domain name from which clients can retrieve resources, for example, cdn.console.aliyun.com.
    • SNI supports only specific domain names. Wildcard domain names are not supported.
    • If the accelerated domain name is a wildcard domain name, and back-to-origin routing uses the HTTPS protocol, you can configure SNI to specify the domain names that want to retrieve resources from the origin server. You can submit a ticket to request Alibaba Cloud to configure relevant settings.
    Configure SNI
  7. Click OK.