Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security which allows multiple secure web sites, with separate certificates, to be hosted at the same IP address.

Server Name Indication addresses a common issue where websites with an SSL certificate had to live on separate IPs. This exacerbated the IPv4 shortage and defeated the purpose of virtual hosting, where multiple non-secured sites could share the same IP (note that websites sharing a common certificate can always share an IP).

SNI is based on IETF RFC 4366, which, as part of Transport Layer Security (TLS), allowed the hostname to be sent in the initial stages of the TLS handshake. This allowed websites with different certificates to be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. It requires OpenSSL 0.9.8f or later.

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later

191 questions

1 vote, 0 answers

Envoy to envoy TLS for TLS proxy

Assume this architecture …
1 vote, 1 answer

Why is the "tcp-request content accept" frontend instruction required for proper HAProxy SNI-based routing?

I've recently tried to set up SNI-based routing on HAProxy for mongodb mongodb+srv protocol connection. I made it work, but it wasn't until I put tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } in my frontend…
1 vote, 1 answer

Can there be a "TLS Passthrough based on SNI" version of CloudFlare's "orange-cloud"?

My understanding is that the "orange-cloud" [1] is a TLS terminating reverse proxy. Multiple upstream servers share the same Cloudflare Anycast IP. A TLS connection is formed between the client and the orange-cloud, the orange-cloud then makes…

Asked by Starfish
1 vote, 1 answer

HAProxy is not working with SNI and ACLs

I am trying to get haproxy to use acls with SNI and it ain't cooperating. It presents the correct cert so SNI must be working. However, I cannot get it to select a backend based on the hostname in SNI. When I check the configuration, I get the…

Asked by scarville
1 vote, 0 answers

IIS serves wrong cert using SNI or CCS

I have 3 websites all using the same IP in IIS 10. I first set up the https bindings to use SNI with 'all assigned' IP addresses on port 443 using the correct certificate. All the certs are known good. Only one website gets served the correct SSL…

Asked by dcol
1 vote, 0 answers

AWS Elastic Beanstalk SNI SSL in S3

In our application we need to support customer ssl certificates and domains. Application stack: AWS Elastic Beanstalk, NodeJs and nginx server. I've found that we can use nginx variable "$ssl_server_name" for SNI and code like this in nginx…

Asked by Evgeny I
1 vote, 2 answers

Nginx: How to combine ssl_preread_protocol with ssl_preread_server_name (ssh-multiplexing and ssl-sni-passthrough)?

I have the nginx.conf file shown below. I want to run both ssh and a webserver on port 443/SSL. Also known as SSL-port-multiplexing. At the same time, I want to use ssl-passthrough with SNI. For ssh-multiplexing, I use $ssl_preread_protocol. For…

Asked by Quandary
1 vote, 1 answer

HAProxy: SSL Termination with exception for a specific domain Wildcard SSL-Certificate request

I am new to HAProxy and got most parts working as expected. The current setup is: If I add a new site to one of the balanced (behind the LB) servers, the certificate is issued and served by the Load Balancer. So SSL Termination is working fine with…

Asked by Philipp
1 vote, 1 answer

ldapsearch fails on CentOS 8 with Google LDAPS but works on Ubuntu 20.04 with workaround

My end goal is to use sssd and Google LDAPS but can tell if things will work with ldapsearch. Google LDAPS requires the Server Name Indication (SNI) extension. I have it working on Ubuntu 20.04 with a workaround. Noted by the openldap maintainer…

Asked by Guser314
1 vote, 0 answers

SNI fails on nginx - wrong cert being issued

I've been testing my various websites' security at Qualys. All my sites run off of one nginx host. The sites work fine and get an A+ on the Qualys tests. The only issue that I really want to fix is the SNI setup. I've done a fair bit of researching…

Asked by Callahan
1 vote, 0 answers

Logging source IP for connection through SNI proxy

I'm using a simple SNI proxy (slt) to forward HTTPS to the correct virtual machine without terminating SSL in the proxy. Something that is glaringly obvious in hindsight: there is no way for me to find out and log the source IP address of that…

Asked by Simon Richter
1 vote, 1 answer

HTTPS with SNI: two certs, two server names but same config. Can I use one server block?

I often encounter the following problem. I have an nginx server serving two hostnames via https on the same IP and the same port. Each host name has its own cert. What I am doing so far is to have two configurations: server { listen …

Asked by gelonida
0 votes, 1 answer

Redirect http and non-www using only mod_alias Redirect, dedup SSL configuration?

This is probably a duplicate but I can't find quite what I'm looking for. I'd like to redirect http and/or non-www to https+www. This is often cited as a canonical example of when to avoid mod_rewrite. My current setup works, using only mod_alias'…

Asked by Rob
0 votes, 2 answers

Generic SNI-based transparent TLS proxy without having to enumerate all backends?

I'm in a situation where I have to provide a transparent reverse proxy in front of a set of thousands of backend https webservers, with the list changing (relatively) frequently. I know I can tell haproxy to select a backend to connect to based on…

Asked by András Korn
0 votes, 1 answer

Apache SNI: Is it possible to mix non-secure hosts with secure hosts on the same interface?

On a shared server, we have some sites that only run on port 80. However, there are other sites that run on both port 80 and 443. For example: ServerName unsecure.com ServerName secure.com …

Asked by Nick