TLS SNI（TLS Server Name Indication）配置：F5、Nginx和IIS

TLS Server Name Indication (TLS SNI)

TLS Server Name Indication (TLS SNI)，used when a single virtual IP server needs to host multiple domains.

TLS SNI Support 即一个 IP 地址上支持多个域名的 SSL 站点，或者说一个 IP 上支持绑定多个 SSL 证书。

支持 TLS SNI 的浏览器

Browsers/clients with support for TLS server name indication:

• Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
• Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
• Firefox 2.0 or later
• Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
• Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
• Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.

F5 BIG-IP TLS SNI Support

• 版本支持

主流支持版本（v11.6及以上）都可以支持，参看官方文档：v11.6，v12.1，v13.1

• 配置要点

参看：K13452

分别创建多个域名的（Client or Server）SSL Profile

Server Name，分别填写域名（可选），如 www.a.com，支持通配符 *.a.com 也支持 * 代表任意域名，另外一个如 www.b.com

Default SSL Profile for SNI，其中一个域名需要勾选作为默认

Virtual Servers 的 SSL Profile（Client or Server）同时选择上述创建的多个 SSL Profile

注意：在 BIG-IP 13.x 及以前版本，多个 SSL Profile 的 Ciphers 和 Client Authentication 属性需要配置一致（14.x 及以后版本无此要求）

• iRules

另外请注意，没有自动机制允许 BIG-IP 根据在客户端 SSL Hello 消息中接收到的 “Server Name” 值来选择 SSL Profile。

不过，在 iRule 的额外帮助下，您可以根据从客户机收到的初始 HTTP 请求中接收的“主机名”报头值强制选择正确的 serverssl profile。

when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] ":" 1]
}

when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
    "siteA.com" {
        SSL::profile serverssl-siteA
    }
    "siteB.com" {
        SSL::profile serverssl-siteB
    }
    default {
    #default serversssl profile to be selected if Host header value cannot be matched with predefined values
        SSL::profile serverssl
    }
    }
}

Nginx TLS SNI Support

• 版本支持

参看官方文档

OpenSSL supports SNI since 0.9.8f version if it was built with config option “–enable-tlsext”. Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, then nginx will show this when run with the “-V” switch:

$ nginx -V
...
TLS SNI support enabled
...

Nginx 0.x 版本已经支持 TLS SNI

• The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
• The ssl parameter of the listen directive has been supported since 0.7.14. Prior to 0.8.21 it could only be specified along with the default parameter.
• SNI has been supported since 0.5.23.
• The shared SSL session cache has been supported since 0.5.6.
• Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
• Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
• Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
• Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
• Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
• Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
• Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are
  “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.

• 一般配置方法

http {

    ......

    server {
        listen       443 ssl http2;
        server_name  a.sysin.org;
        ssl_certificate     a.sysin.org.crt;
        ssl_certificate_key a.sysin.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        charset utf-8;
        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }
    }

    server {
        listen       443 ssl http2;
        server_name  b.sysin.org;
        ssl_certificate     b.sysin.org.crt;
        ssl_certificate_key b.sysin.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        charset utf-8;
        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }
    }
}

IIS TSL SNI Support

参看官方文档

• 版本支持

要求 IIS 8.0 （Windows 2012）及以上版本

• 配置要点

创建多个 HTTPs 站点时，需要填写以下内容

Hostname: （注意与 SSL 证书名称保持一致）

Require Server Name Indication: 需要勾选