$ssl_ech_outer_server_name
$ssl_ech_outer_server_name returns the outer server name used in the Encrypted ClientHello for the current SSL connection. — NGINX Core (HTTP)
Description
The `$ssl_ech_outer_server_name` variable, provided by NGINX's SSL module, holds the outer server name the client sent during the TLS handshake when the Encrypted ClientHello (ECH) extension is used. ECH lets a client keep the name of the server it actually wants to reach private, while still giving the server a name it can use to decide how to handle the connection.

The variable is set during the SSL handshake when the client negotiates ECH. If the client includes an outer server name in its Encrypted ClientHello, the variable contains that name; typical values are host names such as 'www.example.com' or 'api.example.com', depending on the ECH implementation on the client's side. If no outer server name is provided, or ECH negotiation fails, the variable is empty.

This variable is useful for applications that want to respond differently according to the client's original intended destination while preserving some privacy in the exchange. It requires a client that supports and is configured for ECH, so not every request will carry a value for this variable.
Config Example
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/cert.key;

    location / {
        if ($ssl_ech_outer_server_name) {
            add_header X-Outer-Server-Name $ssl_ech_outer_server_name;
        }
    }
}
Subsystem
http
Cacheable
Yes
Contexts
http, server, location, if

Ensure that your NGINX version supports Encrypted ClientHello and that SSL/TLS is correctly configured; otherwise this variable will not be populated.
If the client does not support ECH or does not send an outer server name, the variable will not be set, which might lead to unexpected configuration behavior.
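The following configuration is an added example, not taken from the page or from NGINX's own documentation, that handles the empty-value case just described. Instead of branching on the variable with `if`, it derives a stable label with `map` (an empty value becomes "none"), flags outer names that differ from the deployment's expected public name, and writes both to a dedicated access log so that ECH usage and anomalies can be monitored. The names `public.example.com`, `$ech_outer_label`, `$ech_outer_unexpected` and the log path are assumptions chosen for illustration.

```nginx
# Added example (not from the original page). Assumes an NGINX build that
# exposes $ssl_ech_outer_server_name; all other names below are hypothetical.
http {
    # Normalise the outer name: an empty value (client did not use ECH, or
    # ECH negotiation failed) becomes the literal "none" so log fields and
    # headers never end up empty.
    map $ssl_ech_outer_server_name $ech_outer_label {
        default $ssl_ech_outer_server_name;
        ""      "none";
    }

    # The outer name is client-supplied and unauthenticated. Compare it with
    # the public name this deployment advertises in its ECH configuration
    # ("public.example.com" is a placeholder) and flag anything else.
    map $ssl_ech_outer_server_name $ech_outer_unexpected {
        default              1;
        ""                   0;
        "public.example.com" 0;
    }

    # Log format that records the outer name next to the usual request fields.
    log_format ech '$remote_addr [$time_local] host=$host '
                   'ech_outer=$ech_outer_label unexpected=$ech_outer_unexpected '
                   '"$request" $status';

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /path/to/cert.pem;
        ssl_certificate_key /path/to/cert.key;

        # Hypothetical log destination.
        access_log /var/log/nginx/ech.log ech;

        location / {
            # Informational header; "always" keeps it on error responses too,
            # and the mapped label means it is present even without ECH.
            add_header X-ECH-Outer-Server-Name $ech_outer_label always;
            return 204;
        }
    }
}
```

Because the outer server name is chosen by the client and is not verified before the handshake completes, it is treated here as an observation to record rather than as input to routing or access decisions; the `unexpected=1` marker in the log is what a detection rule would key on.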