If multiple websites are hosted on a single server with the same IP address, you must specify the Server Name Indication (SNI) when points of presence (POPs) retrieve content from the origin server over HTTPS. The origin server returns the Secure Sockets Layer (SSL) certificate of the desired domain name based on the configured SNI to ensure the correct resources are returned.
How it works
SNI is an extension to SSL/TLS by which a client indicates, at the start of the handshake, which hostname it is connecting to. This allows a server that hosts several domain names on one IP address to present the SSL certificate that matches the requested hostname.
After you configure an SNI, the origin server checks the SNI information carried in the TLS handshake request initiated by an Edge Security Acceleration (ESA) POP to determine the requested domain name. Then, the origin server returns the SSL certificate of the requested domain name to the ESA POP.
The origin server must support the parsing of the SNI information carried in a TLS handshake request.
The following figure shows how origin SNI works:
SNI works based on the following process:
When an ESA POP accesses the origin server over HTTPS, it sends the domain name you specified (for example, example.com) as the SNI in its TLS handshake.
The origin server returns the matching certificate based on the SNI.
The ESA POP establishes a TLS connection with the origin server after receiving the certificate.
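The exchange above, as an added Go example that is not part of the original documentation: a loopback HTTPS origin that chooses its certificate from the SNI in the ClientHello (what the origin must do), and a client that connects the way a POP does, with and without SNI. The host names and the self-signed certificates are constructed for the example; on a real origin, only the client side would be used, pointed at the origin's IP address.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net/http"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for one DNS name (constructed test data).
func selfSigned(name string) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serveOrigin starts a loopback HTTPS origin that serves the certificate matching the SNI,
// or the certificate for names[0] when the SNI is absent or unknown. It returns host:port.
func serveOrigin(names ...string) (string, error) {
	certs := map[string]tls.Certificate{}
	for _, n := range names {
		certs[n] = selfSigned(n)
	}
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		c, ok := certs[h.ServerName] // h.ServerName is the SNI the client sent ("" if none)
		if !ok {
			c = certs[names[0]]
		}
		return &c, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go http.Serve(ln, nil) // completes the TLS handshake on each accepted connection
	return ln.Addr().String(), nil
}

// originCertName dials addr the way a POP would (empty sni = no SNI) and reports the DNS name on
// the certificate returned. Verification is off on purpose: the question is which certificate comes back.
func originCertName(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}
```

Running originCertName against an origin with and without the SNI is the quickest way to confirm that the origin actually parses SNI: if both connections return the same default certificate, the origin is ignoring it.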
Note: The origin SNI is the same as the origin host by default. You can also configure the origin SNI by following the steps below.
Create an origin SNI rule
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, choose .
Click Create Rule, and fill in the Rule Name.
In the If Requests Match... area, specify the conditions for matching incoming requests. For more information about how to configure a rule, see Rules.
Click Configure in the Origin SNI section. Then, enter an SNI based on your business requirements.
Click OK.