If the IP address of your origin server is associated with multiple domain names, and requests are redirected to the origin server over HTTPS (port 443), you can configure the origin Server Name Indication (SNI) feature for the origin server. Origin SNI specifies the domain name for which requests are destined, so that the origin server can return the certificate of that domain name.

Background information

SNI is an extension to Transport Layer Security (TLS) and Secure Sockets Layer (SSL) by which a client indicates which hostname it is attempting to connect to at the beginning of the handshake process. SNI allows a server to present multiple SSL certificates on the same IP address. After origin SNI is enabled, when a client initiates a handshake request, the server retrieves resources from the specified domain name and returns the SSL certificate to the client based on the origin SNI settings.

Notice
  • The origin server must be able to parse SNI information provided by the TLS handshake request from Alibaba Cloud Dynamic Route for CDN (DCDN) nodes.
  • If multiple origin servers are configured for an accelerated domain name, you can configure the Origin SNI feature in the console. After you configure the Origin SNI feature in the console, all back-to-origin requests point to the domain name that is indicated by the SNI value. If you want to specify different SNI values for different origin servers, submit a ticket.
The following figure shows how origin SNI works.

[Figure: How origin SNI works]

Origin SNI works based on the following process:
  1. A DCDN node redirects a request to the origin server over HTTPS. The domain name for which the request is destined is specified by SNI.
  2. After the origin server receives the request, it returns the certificate of the requested domain to the DCDN node.
  3. After the DCDN node receives the certificate, it establishes a secure connection with the origin server.

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Origin Fetch.
  5. On the Origin Fetch tab, find Origin SNI.
  6. Turn on Origin SNI and enter the domain name from which clients can retrieve resources, for example, dcdn.console.aliyun.com.
    Note: SNI supports only specific domain names. Wildcard domain names are not supported.
  7. Click OK.
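
A pre-check for the value entered in step 6 and for the certificate the origin returns for it, as an added example that is not part of the Alibaba Cloud documentation. The function names, the sample certificate and the syntax rules in `is_valid_origin_sni` are assumptions; the page only states that wildcard domain names are not supported.

```python
import socket
import ssl

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}

def is_valid_origin_sni(value: str) -> bool:
    """Accept a specific domain name only; wildcards are rejected (see the Note).
    The remaining syntax rules are an assumption, not the console's documented checks."""
    if not value or len(value) > 253 or "*" in value:
        return False
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # rules out bare labels and IPv4 literals
        return False
    for label in labels:
        if not 1 <= len(label) <= 63 or label.startswith("-") or label.endswith("-"):
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True

def san_covers(san: str, host: str) -> bool:
    """Match one certificate DNS name; a leading '*.' covers exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def cert_covers(cert: dict, sni: str) -> bool:
    """True if any DNS subjectAltName in the certificate covers the SNI value."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_covers(name, sni) for name in names)

def probe_origin(origin_ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the origin IP, sending `sni` as the server name, and
    return the certificate it presents. The chain must validate against the
    system trust store; the name comparison is left to cert_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()
```

Run `cert_covers(probe_origin(ip, sni), sni)` against each origin server of the accelerated domain name; a `False` result means that origin answered the SNI value with a certificate issued for a different name.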