Server name identification (SNI) describes how a client that wants to reach a domain name hosted on a shared IP address names that domain at the start of the SSL/TLS handshake, so the server can select the correct SSL/TLS certificate for that resource. The server then responds with a certificate for that domain name, which the client checks before trusting the connection.
As an extension of the SSL/TLS protocol, SNI enables clients to form secure connections to resources that all reside on the same IP address. Each of these virtual hostnames uses a different certificate, which makes SNI a critical security measure.
What makes server name identification (SNI) useful?
In short, SNI enables clients to successfully initiate an SSL/TLS handshake and connect to the specific server hosting the target domain. Websites often reside on a dedicated server (a "single-family home," for example), making them easy to reach. It's the same principle as sending packages to an address—the process here is pretty straightforward.
However, many websites occupy a shared space—like offices in a high-rise or storefronts in a shopping mall. If we want our packages to arrive successfully, we need an address with more granularity (like a suite number or unit number). Server Name Identification lets the load balancer and server work this out so that requests and responses reach the correct destination.
Plain HTTP requests function normally without this, because the requested hostname travels in the request itself. HTTPS requests need SNI to resolve the handshake: the server must present a certificate before it sees any HTTP request, so on a shared IP address the client's SNI value is the only hint it has about which certificate to use. When this doesn't happen—say if the client-requested hostname and the presented certificate don't match—an error occurs and the connection is often terminated. This is frustrating for end users and organizations.
The vast majority of modern web browsers support SNI. Plus, a separate version called encrypted SNI (ESNI) prevents middlemen from uncovering which hostname, and therefore which certificate, the client is requesting; with plain SNI that hostname is sent in cleartext before encryption begins. This measure is relatively new and helps boost security.
Does HAProxy support SNI?
Yes! HAProxy supports SNI as part of our TLS feature suite. Configuring SNI is also pretty easy, both when terminating TLS on the load balancer and when setting up TLS between the load balancer and servers. Check out our SSL/TLS documentation to learn more.
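As an added example (not taken from the HAProxy documentation), the following configuration shows SNI at both ends of the load balancer: the frontend picks a certificate and a backend from the hostname the client sent, and the backend re-encrypts to the origin while sending and verifying the same hostname. The hostnames, IP addresses and certificate paths are placeholders chosen for this example.

```haproxy
# One public IP, several hostnames, one certificate per hostname.
# HAProxy loads every certificate in the directory and selects the one
# whose name matches the SNI value in the client's TLS handshake.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    # strict-sni above rejects clients that send no SNI (or an unknown
    # name) instead of silently serving the first certificate loaded.
    # Route on the hostname the client indicated in the handshake.
    use_backend shop_servers if { ssl_fc_sni -i shop.example.com }
    use_backend blog_servers if { ssl_fc_sni -i blog.example.com }
    default_backend blog_servers

backend shop_servers
    mode http
    # Re-encrypt to the origin. 'sni' tells the origin which certificate
    # to present; 'verify required' + 'verifyhost' refuse the connection
    # if the origin's certificate does not match that name.
    server shop1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(shop.example.com) verifyhost shop.example.com

backend blog_servers
    mode http
    server blog1 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(blog.example.com) verifyhost blog.example.com

# Passthrough variant: the load balancer does not terminate TLS at all,
# yet it can still route by hostname because SNI is sent in cleartext
# in the ClientHello (the exposure that ESNI is designed to remove).
frontend tls_passthrough
    bind :8443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend shop_tcp if { req.ssl_sni -i shop.example.com }
    default_backend blog_tcp

backend shop_tcp
    mode tcp
    server shop1 10.0.0.11:443

backend blog_tcp
    mode tcp
    server blog1 10.0.0.12:443
```

A client that connects by bare IP address, or with a hostname that matches no certificate, is refused by the first frontend because of strict-sni; in the passthrough frontend the same client falls through to the default backend, whose origin will then present a certificate the client does not expect.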