If your origin server uses a single IP address to host multiple domain names and the origin protocol is HTTPS, you must configure origin SNI. This allows the origin server to identify the requested domain, return the correct SSL certificate, and ensure successful origin fetches.
Background information
Server Name Indication (SNI) is an extension to the SSL/TLS protocol that allows a server to host multiple SSL certificates on a single IP address. SNI solves the problem of an HTTPS server being unable to determine which domain a client is requesting when multiple domain names are hosted on the same server. After you enable SNI, when a CDN point of presence (POP) initiates a TLS handshake with the origin server, the server reads the SNI field to identify the requested domain name and returns the corresponding SSL certificate.
-
Your origin server must be able to parse the SNI information contained in TLS handshake requests.
-
If you configure multiple origin servers for an accelerated domain name in the console, all origin servers share the same origin SNI value, and all origin requests resolve to the domain name that corresponds to that value. To set different SNI values for different origin servers, submit a ticket. For more information, see Contact us.
The following figure shows how origin SNI works.
The origin SNI workflow is as follows:
-
When a CDN point of presence (POP) accesses the origin server over HTTPS, it must specify the target domain, such as example.com, in the SNI field.
-
The origin server receives the request and returns the SSL certificate for the domain specified in the SNI. In this case, this is the certificate for example.com.
-
The CDN point of presence (POP) receives the certificate and establishes a secure connection with the server.
We recommend that you set the origin Host header and origin SNI to the same domain name (typically the origin server domain name or the accelerated domain name). If the origin Host header (the HTTP Host header) and origin SNI (the domain name specified during the TLS handshake) do not match (for example, the origin Host header is set to the origin server domain name but SNI is set to the accelerated domain name), the SSL handshake may fail or the origin server may return an error. Configure them separately in the console, and make sure they match the origin server certificate and virtual host configuration.
Procedure
-
Log on to the ApsaraVideo VOD console.
In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.
-
Click Configure in the row of the target domain name.
-
In the navigation pane on the left for the domain name, click Back-to-Origin.
-
On the Configuration tab, in the Origin SNI section, click Modify.
-
In the Origin SNI dialog box, turn on the Origin SNI switch and enter the domain name that provides the resources, for example, vod.console.aliyun.com.
NoteThe origin SNI value must be a specific domain name. Wildcard domain names are not supported.
-
Click OK.