If the IP address of your origin server is associated with multiple domain names and requests are redirected to the origin server over HTTPS, you need to configure the Server Name Indication (SNI) feature for the origin server. SNI specifies the domain name for which requests are destined. The origin server returns the corresponding SSL certificate based on the SNI.
Background information
Server Name Indication (SNI) is an extension to the SSL/TLS protocol that allows a server to host multiple SSL certificates on a single IP address. This resolves an issue where an HTTPS server with multiple domain names cannot determine which domain a client is requesting. After you enable SNI, when a CDN point of presence (POP) initiates a TLS handshake with the origin server, the origin server uses the SNI information in the handshake request to identify the requested domain name. The server then returns the correct SSL certificate to the client.
The origin server must be capable of parsing the SNI information that is carried in the TLS handshake request.
If you configure multiple origin servers for an accelerated domain name in the console, all origin servers share the same origin SNI value. Consequently, all origin requests point to the domain name that corresponds to the SNI value. If you want to set different SNI values for different origin servers, you can submit a ticket. For more information about how to submit a ticket, see Contact us.
The following figure shows how SNI works.
SNI for origin fetch works based on the following process:
A POP redirects a request to the origin server over HTTPS. The domain name for which the request is destined, such as example.com, is specified by SNI.
After the origin server receives the request, it responds with the certificate of the requested domain name, such as example.com, based on SNI.
After the POP receives the certificate, the POP establishes a secure connection to the origin server.
Procedure
Log on to the ApsaraVideo VOD console.
In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.
Click Configure in the row of the target domain name.
In the navigation pane on the left for the domain name, click Back-to-Origin.
On the Configuration tab, in the Origin SNI section, click Modify.
In the Origin SNI dialog box, turn on the Origin SNI switch and enter the domain name that provides the resources, for example, vod.console.alibabacloud.com.
NoteSNI supports only specific domain names. Wildcard domain names are not supported.
Click OK.