Now, when creating a new CDN resource, the feature is automatically enabled to ensure the use of SNI when accessing the origin. In this article, weâll tell you what SNI is, what is its use and how to change the name of an SNI host.
What is SNI?
SNI (Server Name Indication) is an extension to the TLS protocol that allows clients to provide a hostname when they contact a server.
Why is SNI needed?
When a client establishes a connection to a server, it refers to a specific IP address. However, it often happens that several different, unrelated websites may be located on the same server. This can happen, for example, if the website is located on a virtual server.
As a result, several different websites have the same IP address. How to understand which one the client needs?
With HTTP, itâs easy. The domain name of the website is usually specified in the first HTTP request. The server easily determines which website the client needs, and connects them.
HTTPS, however, poses a problem. In this case, the client and the server establish a secure connection using TLS before transmitting data over HTTP. But the TLS handshake doesnât allow the client to indicate which domain it needs.
The problem is that different domains located on the same server may have different SSL certificates. When a secure connection is established, the server must pass the certificate data to the client. And if the server cannot determine which domain certificate is needed, it may transfer the wrong one. In this case, the userâs browser will return an error, and the connection will be terminated.
SNI allows you to tell the server which domain the client is accessing, during the handshake. In this case, the server will be able to transmit the correct SSL certificate, and the connection will be successfully established.
How does it work?
The client sends a request.
- The request is directed to the origin server via the CDN.
- A secure connection with the server is established using TLS.
- When the connection is established, the very first messageâclient helloâcontains the name of the SNI host.
- Using this name, the server determines which domain the client is accessing, and transmits the required SSL certificate.
- A secure connection is established and HTTP transmission begins.
The SNI hostname is a symbolic designation by which the client communicates and the server determines to which domain the request is addressed.
How do we use SNI in Gcore CDN?
Our global CDN serves a huge number of different websites and web applications. Every day, a lot of requests go through CDN servers to different domains. For everything to work smoothly and for the users of to be able receive content quickly and safely, SNI must be used.
Therefore, the SNI option is automatically enabled when a new resource is created.
A dynamic SNI hostname is set by default. It will always match the Host header. It means that, if you change the Host header, the SNI hostname will change automatically.
However, if for some reason you need the SNI host name not to match the Host header, you can change it to a custom one.
How do I change the SNI host name?
- In your personal account, select a resource in the âCDN resourcesâ section.
- In the âSettingsâ tab, click âShow advanced settingsâ.
- The option is located in the âSecurityâ section.
- Select a custom SNI hostname and enter the desired name in the field below.
- Click âSave changesâ.
Deliver content quickly, securely, and error-free with the Gcore CDN.