proxy_ssl_server_name
The `proxy_ssl_server_name` directive enables SNI for proxied requests, allowing NGINX to send the server name in the SSL handshake.
Description
The proxy_ssl_server_name directive controls whether the Server Name Indication (SNI) field is included in SSL/TLS requests that NGINX proxies to another server. When set to on, NGINX includes the hostname from the Host header in the SSL handshake, which is essential for servers that utilize multiple SSL certificates for different hostnames on the same IP address. This is particularly relevant in scenarios where multiple domains are hosted on a single server using shared IPs; the correct certificate can be selected based on the SNI information provided by the client.
The directive can be used in several contexts: http, server, and location blocks, and it expects a single argument which is a flag. Setting this directive to on enables SNI, while setting it to off disables it. By default, the directive is set to off, meaning SNI will not be used unless explicitly enabled. It is important to note that if the backend server does not support SNI, the correct certificate may not be served, potentially resulting in SSL connection errors.
This directive is particularly useful when the backend server holds multiple SSL certificates: the server name NGINX sends in the handshake lets the backend select the appropriate certificate for the requested hostname, thereby ensuring proper SSL termination and enhancing the overall security of the proxied connections.
Config Example
location /api {
    proxy_pass https://backend.example.com;
    proxy_ssl_server_name on;
}

Make sure the backend server supports SNI; otherwise, setting this directive to 'on' may lead to SSL errors.
Proxying to a legacy server that does not handle SNI correctly can cause issues if this directive is enabled.
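Because the directive defaults to off and can be set at the http, server, or location level, it is easy to lose track of which HTTPS upstreams are proxied without SNI. The following Python audit is an added example, not part of the original page or of NGINX: it lists every HTTPS `proxy_pass` whose effective `proxy_ssl_server_name` is off, so each can be reviewed as either an omission or a deliberate legacy exception. The sample configuration and its hostnames are constructed, and the parser is a simplified assumption (no quoted strings or `include` files).

```python
import re

# Constructed sample configuration, not taken from the original page.
SAMPLE_CONF = """
http {
    server {
        proxy_ssl_server_name on;
        location /api { proxy_pass https://backend.example.com; }
        location /legacy {
            proxy_pass https://legacy.example.com;
            proxy_ssl_server_name off;  # explicit override
        }
    }
    server {
        location /files { proxy_pass https://files.example.com; }  # default off
        location /plain { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

def parse(text):
    """Build a tree of blocks; simplified: no quoted strings, no include."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    root = {"head": "main", "directives": [], "children": []}
    stack, buf = [root], ""
    for ch in text:
        if ch == ";":
            stack[-1]["directives"].append(buf.split())
        elif ch == "{":
            node = {"head": " ".join(buf.split()), "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif ch == "}":
            stack.pop()
        else:
            buf += ch
            continue
        buf = ""
    return root

def https_proxies_without_sni(node, inherited="off", path=""):
    """List (block path, URL) for HTTPS proxy_pass targets where SNI is effectively off."""
    here = f"{path} > {node['head']}" if path else node["head"]
    flags = [d[1] for d in node["directives"] if d[:1] == ["proxy_ssl_server_name"] and len(d) == 2]
    sni = flags[-1] if flags else inherited  # unset blocks inherit from the parent
    found = [(here, d[1]) for d in node["directives"]
             if d[:1] == ["proxy_pass"] and len(d) == 2 and d[1].startswith("https://") and sni != "on"]
    for child in node["children"]:
        found += https_proxies_without_sni(child, sni, here)
    return found
```

Call `https_proxies_without_sni(parse(text))` on the configuration text; an empty list means every HTTPS upstream in that text is proxied with SNI enabled.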