4. Name-based virtual hosting and Server Name Indication (SNI)

Name-based virtual hosting is a method for serving multiple domain names from a single server (that is, several different domain names point to the same IP address). When receiving an HTTP request, the server decides which site should handle the request based on the "Host" header of the HTTP request. Each domain has its own certificate for secure connections. The problem is that the TLS connection is established before the client sends the first HTTP request: the server must present the certificate of the appropriate domain before it receives the HTTP header that specifies the domain name. In earlier PNS versions, this situation was solved by either assigning a separate IP address to each domain name, or using IP aliasing. In Proxedo Network Security Suite 2 and later, Server Name Indication (SNI) can be used to overcome the problem.

If IP aliasing is not feasible for some reason, Application-level Gateway can be configured to overcome this problem by modifying the target address of the connection based on information arriving in the HTTP request. This solution requires a special Http proxy.

In the following example (Procedure 4.1, Configuring Server Name Indication (SNI)), Application-level Gateway determines the target address of the HTTPS connection based on the "Host" header. Note that any other information present in the HTTP traffic can be used for this purpose. For example, it is possible to direct different GET requests to different servers (requests to www.example.com are directed to Server1, but www.example.com/admin is redirected to Server2). It is also possible to use different servers to serve the static and the dynamic contents (for example, by redirecting all requests for jpg, gif, and similar files to a separate server).

Note

Although the connections can be redirected to different servers, only a single certificate can be shown to the clients, because Application-level Gateway must send the client-side certificate to the client before the client sends the first HTTP request. Consequently, Application-level Gateway cannot determine the target address at this stage.
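The two mechanisms described in this section, selecting the target by the SNI name in the TLS ClientHello (which arrives before any HTTP header) and selecting it by the "Host" header and request path once the HTTP request is visible, are shown below as an added, self-contained Python example. It is not code from the Proxedo Network Security Suite or its Application-level Gateway; the backend table, the 192.0.2.x addresses and the ClientHello bytes are constructed for the example, and a ClientHello without SNI falls back to a single default backend, which is the situation the Note above describes.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello record carrying an
# SNI extension for the given host name (built inline so the example runs offline).
def build_client_hello(hostname: str) -> bytes:
    host = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed, sample only)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: one suite
        + b"\x01\x00"            # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def parse_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None
    when the record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                                     # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                             # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]             # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                             # compression_methods
    if len(body) < pos + 2:
        return None                                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0:
            continue
        p = 2                                                        # skip server_name_list length
        while p + 3 <= len(ext):
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            p += 3
            name = ext[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


# Hypothetical backend table keyed by SNI name; addresses are constructed.
SNI_BACKENDS = {
    "www.example.com": ("192.0.2.10", 443),
    "admin.example.com": ("192.0.2.20", 443),
}
DEFAULT_BACKEND = ("192.0.2.10", 443)   # used when no SNI is present: only one certificate can be offered


def select_backend_by_sni(record: bytes):
    name = parse_sni(record)
    if name is None:
        return DEFAULT_BACKEND
    return SNI_BACKENDS.get(name.lower(), DEFAULT_BACKEND)


# Routing on the HTTP request itself: Host header plus path prefix (the
# www.example.com/admin -> Server2 case) and a separate server for static files.
HTTP_ROUTES = [
    ("www.example.com", "/admin", ("192.0.2.20", 80)),
    ("www.example.com", "/", ("192.0.2.10", 80)),
]
STATIC_SUFFIXES = (".jpg", ".gif", ".png")
STATIC_BACKEND = ("192.0.2.30", 80)


def select_backend_by_host(host: str, path: str):
    host = host.split(":")[0].lower()                # drop an explicit port from the Host header
    if path.lower().endswith(STATIC_SUFFIXES):
        return STATIC_BACKEND
    for route_host, prefix, backend in HTTP_ROUTES:
        # match on a whole path segment so "/adminx" does not hit the "/admin" route
        if host == route_host and (path == prefix or path.startswith(prefix.rstrip("/") + "/")):
            return backend
    return None                                     # unknown host: let the caller reject the request
```

The SNI parser bounds-checks every length field so that a truncated or malformed ClientHello yields None instead of an exception, and the Host-based router returns None for hosts it does not know so the caller can reject rather than forward to an unintended server.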