2016年10月9日 · SAN stands for Subject Alternative Name, and it's an x509 certificate property, and SNI is a feature that the SSL/TLS client can support, thus a totally different entity. Using a certificate with SAN you can host multiple HTTPS-enabled sites on one IP address even if the client doesn't support the SNI.

2013年5月8日 · SANs in a certificate and SNI support on a server are different things, the use of SANs for HTTPS virtualhosting is something of hack that predates SNI. For SNI you don't need a certificate with SANs because the server is able to select an individual certificate that matches the clients naming expectations.

2015年1月27日 · frontend haproxy-sni bind *:443 ssl crt /etc/mycert.pem no-sslv3 mode tcp tcp-request inspect-delay 5s tcp-request content accept if { req.ssl_hello_type 1 } acl domain_www ssl_fc_sni_end -i www.example.com use-server server1 haproxy-private.lan if !domain_www use-server server2 haproxy-public.lan if domain_www

2019年12月13日 · global log stdout format raw local0 info defaults timeout client 30s timeout server 30s timeout connect 5s option tcplog frontend tcp-proxy bind :5000 ssl crt combined-cert-key.pem mode tcp log global tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } use_backend bk_sni_1 if { req.ssl_sni -i 1.sni.example.com ...

2014年3月1日 · Actually our workaround was the usage of a non-standard SSL port, 8443. So the SNI binding is actually bound to this port, thus it works along with the other bindings. Not nice, but an acceptable workaround for us until you can use …

2012年5月17日 · Since SNI occurs during the SSL/TLS handshake, it's not possible to detect browser support when the client connects to HTTP. So, you're right; a user-agent filter is the only way to do this. The big question is whether you want to act on a blacklist against browsers that you know won't listen for SNI, or a whitelist of browsers that are known ...

2016年11月18日 · SNI and wildcard SSL certificates on the same server with IIS. 2. Command line to set up SNI on IIS for ...

Run 2 SSL servers on 1 debian Pi, both FQDNs,1 Nginx 1 apache, wrong certificate, is this SNI issue? I'm forced to use Nginx on a.ddns.net and Apache for b.ddns.net (reverse proxy solution too tricky due to established setups).

2018年9月14日 · HAProxy v.1.5.18, 1.7.11, listening on a single IP address with a wildcard SSL certificate, I need to specify several backends with SNI lookup. There's a ton of config-files that all say req_ssl_sni -i hostname.example.com as ACL to use when redirecting to a certain backend.

2010年10月10日 · I would like to set up HAProxy to terminate SSL or pass through connection depends from hostname, exposing only one public IP address. For example Internet -> domain web1.example.com (10.10.10.1) HAproxy SSL termination -> Backend (10.10.10.10)