
How to Configure your Proxy to Host Multiple SSL Domains (Server Name Indication or SNI)

Description

  • Classic Proxies can have multiple SSL certificates associated with them
    • Note: These steps only work for Classic Proxies (proxies that have the Service 'WAF Proxy, HTTPS, HTTP, Generic TCP and/or Generic UDP')
    • Application Proxies cannot currently have multiple SSL certificates (future feature)
  • Once configured, Silverline serves a different SSL certificate depending on the FQDN that the client is requesting
    • Silverline inspects the client SNI, which tells it the DNS name of the Proxy the client requires
    • It then matches that domain with the SSL certificate assigned to that FQDN
  • For each separate FQDN that is hosted behind the same proxy, you can use one SSL profile if the cert is a SAN cert or wildcard cert

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Proxy/Proxies
  • Backend Server hosts multiple applications
    • SNI is required on the backend 

 

Procedure

Note: These steps only work for Classic Proxies (proxies that have the Service 'WAF Proxy')

For Application Proxies, please follow How To: Add multiple FQDNs per Application Proxy / WAO

Prerequisite

Setting up SNI SSL REQUIRES that you begin by creating a new SSL Parent Profile or using an existing one.

  • Child SSL Profiles ALWAYS inherit SSL Ciphers from their parent.  This is to ensure all profiles in a family of profiles can be used in an SNI SSL proxy deployment.
  • If the SSL Parent Profile cipher is edited, that change is immediately inherited by all of the related child profiles. 

Procedure 

  1. In Silverline Portal, navigate to Config > Proxy / App Configuration > Proxy / App Management
  2. Locate the proxy in the list.
  3. Click the Edit button (pencil icon) on the right.
  4. Select the Service and click the Certificates or HTTP / HTTPS tab.
  5. Turn on Enable SSL.
  6. Turn on SNI Pass-through.
  7. Click Add.
  8. Add the other SSL profiles and type in the associated Host domain for each.
    • Ensure that the DNS records for each of the specified FQDNs also point to the Proxy IP address.
    • Each additional SSL profile should be a child of the parent SSL profile or at least have the same ciphers.
      • Note: If the first SNI SSL profile you select is a child of a parent profile, then when you select further SNI profiles from the list you will only be able to see children of that initial parent profile.
    • Silverline determines which SSL profile to apply by matching the SNI value in the SSL CLIENTHELLO against the Host value in the Frontend SSL Profile (For Host) configuration section.

* To configure multiple SSL domains on Regional PoP WAOs, please refer to this article: How To: Add multiple FQDNs per WAO.
