Configuring SNI on Web Servers

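Modern web servers support SNI (Server Name Indication), which lets several virtual hosts on the same IP address and port each present their own SSL/TLS certificate. The server picks the certificate from the hostname the client sends in the TLS handshake, so proper configuration ensures that each requested hostname maps to the correct certificate.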

Nginx SNI configuration:

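# Default SSL server (fallback): its certificate is presented when the
# client sends no SNI name or a name that matches no server_name below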
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;
    return 444;  # Close connection for unknown hosts
}

# SNI-based virtual hosts
server {
    listen 443 ssl;
    server_name example1.com www.example1.com;
    ssl_certificate /etc/nginx/ssl/example1.crt;
    ssl_certificate_key /etc/nginx/ssl/example1.key;
}

server {
    listen 443 ssl;
    server_name example2.com www.example2.com;
    ssl_certificate /etc/nginx/ssl/example2.crt;
    ssl_certificate_key /etc/nginx/ssl/example2.key;
}
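
A quick way to review a configuration like the one above before deploying it. This is an added example, not code from the original page: it parses server blocks, flags a missing certificate directive, a duplicated server_name or a missing default_server, and reports which certificate file a given SNI name would receive. Assumptions: blocks are flat (no nested braces), all share one listen socket, certificates are set per block, and only exact server_name matches are modelled (no wildcards or regexes); parse_servers, audit and certificate_for are names chosen for the example.

```python
import re
# Constructed sample: the page's three Nginx server blocks, one per line.
SAMPLE_CONF = """
server { listen 443 ssl default_server; server_name _; ssl_certificate /etc/nginx/ssl/default.crt; ssl_certificate_key /etc/nginx/ssl/default.key; return 444; }
server { listen 443 ssl; server_name example1.com www.example1.com; ssl_certificate /etc/nginx/ssl/example1.crt; ssl_certificate_key /etc/nginx/ssl/example1.key; }
server { listen 443 ssl; server_name example2.com www.example2.com; ssl_certificate /etc/nginx/ssl/example2.crt; ssl_certificate_key /etc/nginx/ssl/example2.key; }
"""

def parse_servers(conf):
    """Parse flat server blocks (no nested braces) into directive dicts."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        block = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                block.setdefault(words[0], []).extend(words[1:])
        servers.append(block)
    return servers

def tls_blocks(servers):
    return [s for s in servers if "ssl" in s.get("listen", [])]

def audit(servers):
    """Return findings for the TLS server blocks (assumed to share one socket)."""
    findings, seen = [], {}
    tls = tls_blocks(servers)
    defaults = [s for s in tls if "default_server" in s["listen"]]
    if len(defaults) != 1:
        findings.append(f"expected 1 default_server, found {len(defaults)}")
    for i, s in enumerate(tls):
        for d in ("ssl_certificate", "ssl_certificate_key"):
            if d not in s:
                findings.append(f"block {i}: missing {d}")
        for name in s.get("server_name", []):
            if name in seen:
                findings.append(f"{name}: declared in blocks {seen[name]} and {i}")
            seen.setdefault(name, i)
    return findings

def certificate_for(servers, sni):
    """Certificate file served for an SNI name (None = client sent no SNI)."""
    tls = tls_blocks(servers)
    for s in tls:
        if sni and sni.lower() in (n.lower() for n in s.get("server_name", [])):
            return s["ssl_certificate"][0]
    # No exact match: nginx uses default_server, else the first block listed.
    fallback = next((s for s in tls if "default_server" in s["listen"]), tls[0])
    return fallback["ssl_certificate"][0]
```
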

Apache SNI configuration:

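# SNI itself needs no directive to enable it. SSLStrictSNIVHostCheck controls
# whether clients that send no SNI name may reach name-based virtual hosts:
# "off" (the default) admits them, and the first-defined virtual host answers.
SSLStrictSNIVHostCheck off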

<VirtualHost *:443>
    ServerName example1.com
    ServerAlias www.example1.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example1.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example1.key
</VirtualHost>

<VirtualHost *:443>
    ServerName example2.com
    ServerAlias www.example2.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example2.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example2.key
</VirtualHost>