If your origin IP address is bound to multiple domains, you must configure a back-to-origin Server Name Indication (SNI) to your domain to ensure that the CDN node is able to access your origin site over HTTPS.

Background information

SNI is an extension of Transport Layer Security (TLS) by which a client determines which hostname it is attempting to connect to at the beginning of the handshake process. This allows a server to present multiple certificates on the same IP address and TCP port number. This also allows multiple HTTPS websites (or any other service over TLS) that have different certificates to be served by the same IP address.

If your origin server uses a single IP address to provide HTTPS services for multiple domains and port 443 is specified for receiving back-to-origin traffic on your CDN, you must configure the back-to-origin SNI of a specific domain. In this way, when a CDN node requests to access your origin server over HTTPS, the server can return the correct certificates of the requested domains.
Note If your origin is Alibaba Cloud OSS, you do not need to configure the back-to-origin SNI.
The following figure shows the working principles of back-to-origin SNI.
Working principles
  1. The CDN node requests to access the origin server over HTTPS, where the requested domain is specified in the SNI.
  2. After receiving the request, the origin server sends the certificate of the requested domain to the CND node.
  3. After receiving the certificate, the CDN node establishes a secure connection to the origin server.


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the left-side navigation pane of the specified domain, click Back-to-origin.
  5. In the Origin SNI section, click Modify.

    Origin SNI
  6. Turn on Origin SNI, and enter the name of the domain served by your origin server.
  7. Click OK.