SNI and Http Host header

Ravi Somepalli
3 min read · Mar 31, 2020


SNI is to SSL as Host header is to HTTP

Host HTTP Header

On the internet a server process is identified by an IP address + port combination. DNS maps domain names to IP addresses so we don't have to remember the numbers with dots, which is much worse with IPv6.

Hosting small static web sites would be more economical if one server process could serve multiple websites, but domain name -> IP is a one-to-one mapping, so how do we serve multiple websites from one server process? Enter the Host header: web browsers send a header as part of the HTTP protocol that identifies the requested domain name. Web servers like Apache can be configured to read the Host HTTP header and serve the corresponding web site. These are typically called virtual hosts.

So now we know which domain a request is meant for; shouldn't that work for HTTPS as well? Not really, read on.

SNI (Server Name Indication)

When an HTTPS request is fired there is a server/browser handshake which exchanges the certs and validates them; the HTTP Host header comes much later, after all the SSL dance is complete, so at handshake time the server does not know the domain name yet. Here comes the SNI (Server Name Indication) spec. In short, SNI serves for the transport layer protocol (SSL/TLS) the same purpose that the Host header serves for HTTP. As part of this extension the domain name is sent inside the SSL handshake, so that the server can send the cert that corresponds to that domain.

How did I end up here

I am working on building Lakumbra, a multi-tenant small business app framework that can be used to build multi-tenant small business applications, like Shopify is for shopping carts. I want my users to create their own business by entering their data and make this data/functionality available through a custom domain name.

Apache has a concept of dynamic virtual hosts, where the folder to look for HTML pages in can be scripted based on the incoming domain name, and it works fine; at runtime we can add a new folder for a new domain and requests will be served.

Now with the ACME protocol and services like Let's Encrypt it's possible to obtain browser-trusted certificates without any human intervention.

I have used acme4j to generate the SSL certs for a new domain a user wants to publish, with HAProxy as the SSL termination, which means the SSL handshake dance is handled by HAProxy and the request is forwarded to Apache for static content or to my Spring-based Java backend for dynamic content.

Just like Apache has dynamic virtual hosts, HAProxy can handle certs based on SNI. The only issue is that when you add new certs it needs a restart to take effect; none of the other implementations (Apache, NGINX etc.) handle this dynamic loading of certs as well at this time.

While I wait for HAProxy to fix this in future versions, I had to implement a hack to handle my specific use case, and in the process I had to learn about SNI etc.; I am by no means an expert.
