All Products
Search
Document Center

Dynamic Content Delivery Network:Configure SNI

Last Updated:Jan 04, 2024

If the IP address of your origin server is associated with multiple domain names and requests are redirected to the origin server over HTTPS, you need to configure the Server Name Indication (SNI) feature for the origin server. SNI specifies the domain name for which requests are destined and enables the server to return the correct certificate.

Background information

SNI is an extension of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols by which a client determines which hostname it is attempting to connect to at the beginning of the handshake process. SNI allows a server to present multiple SSL certificates on the same IP address. After you enable SNI, when a point of presence (POP) sends a TLS handshake request to the origin server, the origin server determines the requested domain name based on the SNI information that is provided by the TLS handshake request. Then, the origin server returns the correct SSL certificate.
Important
  • The origin server must be capable of parsing the SNI information that is provided by the TLS handshake request from POPs.
  • If multiple origin servers are configured for an accelerated domain name, you can configure the origin SNI feature in the Alibaba Cloud CDN console. This way, all back-to-origin requests point to the domain name that corresponds to the SNI value. If you want to specify different SNI values for different origin servers, submit a ticket.

The following figure shows how origin SNI works. How origin SNI works

Origin SNI works based on the following process:
  1. A POP redirects a request to the origin server over HTTPS. The domain name for which the request is destined is specified by SNI.
  2. After the origin server receives the request, it responds with the certificate of the requested domain name based on SNI.
  3. After the POP receives the certificate, the POP establishes a secure connection to the origin server.

Procedure

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name whose acceleration region you want to change and click Configure.
  4. In the left-side navigation tree of the domain name, click Origin Fetch.

  5. On the Origin Fetch tab, find Origin SNI.

  6. Turn on Origin SNI and enter the domain name from which clients can retrieve resources, for example, dcdn.console.aliyun.com.

    Note

    SNI supports only specific domain names. Wildcard domain names are not supported.

    Origin SNI

  7. Click OK.