What is SNI
The web hosting concept was introduced to HTTP servers to allow multiple domain names to share the same IP address as IPv4 addresses became scarce. A server can forward requests to different domain names (web hosts) based on the host specified in the request.
However, on an HTTPS server where an IP address is shared by multiple domain names (web hosts), the server doesn’t know the specific host that a client requests at the start of the handshaking process. Therefore, the server cannot forward the request to the specific web host. But to complete the handshaking process, the server must obtain the certificate information in the web host’s configuration.
Server name indication (SNI) is designed to resolve this issue. SNI requires the client to carry the host information of the domain name to be accessed before the handshake process with the server. The server can then choose the correct web host’s certificate to establish a handshake and TLS connection with the client.
SNI was first introduced in 2014 and is now supported by all mainstream browsers, servers, and testing tools.
Why must the client support SNI to use Anti-DDoS Pro and WAF
When acting as a reverse proxy for HTTPS services, Anti-DDoS Pro and WAF interact with the real server (RS) on behalf of the client, so the certificates and private keys must be uploaded in the HTTPS protection configuration. Because the number of Anti-DDoS Pro and WAF servers is limited, it is impossible to assign a dedicated physical server to each domain name. Therefore, the Anti-DDoS Pro and WAF clusters must contain servers that are shared by multiple domain names. As a result, the client must support SNI to interact normally with the Anti-DDoS Pro and WAF servers.
Configure your server to enable multiple HTTPS web hosts with one IP address.
- We recommend that you use the latest version of Google Chrome and Firefox browsers.
- Do not configure layer-7 website protection in Anti-DDoS Pro. Instead, configure website protection by using the layer-4 port 443 forwarding method.
  Note: The layer-4 protection does not protect your website against HTTP flood attacks.
- Chrome 5 and later versions
- Chrome 6 and later versions
- Firefox 2 and later versions
- Internet Explorer 7 and later versions (Only supports Windows Vista, Windows Server 2008, and later OS versions. In Windows XP, no IE browsers support SNI)
- Konqueror 4.7 and later versions
- Opera 8 and later versions
- Safari 3.0 and later versions (Only supports Windows Vista, Windows Server 2008, and later Windows versions, or Mac OS X 10.5.6 and later Mac versions)
- Android 3.0 Honeycomb and later versions
- iOS 4 and later versions
- Windows Phone 7 and later versions
- Apache 2.2.12 and later versions
- Apache Traffic Server 3.2.0 and later versions
- HAProxy 1.5 and later versions
- IIS 8.0 and later versions
- Lighttpd 1.4.24 and later versions
- LiteSpeed 4.1 and later versions
- Nginx 0.5.32 and later versions
- cURL 7.18.1 and later versions
- wget 1.14 and later versions
- GNU TLS
- JSSE (Oracle Java) 7 and later versions (only for use as a client)
- libcurl 7.18.1 and later versions
- NSS 3.1.1 and later versions
- OpenSSL 0.9.8j and later versions
- OpenSSL 0.9.8f and later versions (flag must be configured)
- QT 4.8 and later versions