Can I use SNI to connect to the origin over HTTPS?

You can enable section.io to connect to the origin servers using SNI when using HTTPS.

Details on SNI and how to enable:

By default Last Proxy will not send any server name information in the TLS handshake with the origin for HTTPS requests. The origin will only receive such information after the handshake is complete and the Last Proxy then sends the HTTP request containing the Host request header.

Often this is unimportant. However, there are at least two scenarios where it is necessary to send the server name during the TLS handshake:

The origin needs the server name to select the correct X.509 certificate to present in the handshake, which we will then verify if Origin Certificate Verification has been enabled.
The origin depends on the server name in the TLS handshake to select the correct virtual host to handle the request. This is typically seen on Apache web servers.

In any scenario, sending the server name during the TLS handshake is enabled by configuring "origin": { "enable_sni": true } in the file section.config.json for the environment.

The actual server name that will be used for SNI is determined by the following, in order of precedence:

The tls_name property value of the origin, or alternate origin.
The host_header property value of the origin, or alternate origin.
The value of the Host HTTP request header.

This name is the same as the one used by Origin Certificate Verification; that the two cannot differ is a limitation of nginx.

Keep in mind that when using “alternate_origins”, SNI can only be enabled at the “origin” key, and the setting is then applied to every alternate origin. For example:

This will not enable SNI for the origin named “alt_name”:

"Production": {
            "origin": {
                "address": "some.origin.com"
            },
            "alternate_origins": {
                "alt_name": {
                    "address": "some-alt.origin.com",
                    "enable_sni": true
                }
            }
}

This example will enable SNI for the “origin” and every “alternate_origin”:

"Production": {
            "origin": {
                "address": "some.origin.com",
                "enable_sni": true
            },
            "alternate_origins": {
                "alt_name": {
                    "address": "some-alt.origin.com"
                }
            }
}
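
The following check is an added example, not section.io's own code. It takes one environment object shaped like the fragments above, reports alternate origins where enable_sni is set but has no effect, and resolves the SNI name using the precedence listed earlier. The function names and the sample tls_name and host_header values are constructed, and the code assumes tls_name and host_header are read from whichever origin (primary or alternate) serves the request.

```python
import json

# Constructed sample environment; hostnames and header values are illustrative.
SAMPLE = json.loads("""
{
  "origin": {"address": "some.origin.com", "enable_sni": true,
             "host_header": "www.example.com"},
  "alternate_origins": {
    "alt_name": {"address": "some-alt.origin.com", "tls_name": "alt.example.com"},
    "plain": {"address": "plain.origin.com"}
  }
}
""")


def misplaced_sni_flags(env):
    """Alternate origins that set enable_sni, where the setting has no effect."""
    alts = env.get("alternate_origins", {})
    return sorted(name for name, cfg in alts.items() if "enable_sni" in cfg)


def sni_name(env, request_host, alternate=None):
    """Server name sent in the TLS handshake, or None when SNI is disabled."""
    # Only the flag under "origin" counts; it then covers every alternate origin.
    if env.get("origin", {}).get("enable_sni") is not True:
        return None
    # Assumption: properties come from the origin that serves this request.
    cfg = env["alternate_origins"][alternate] if alternate else env["origin"]
    # Precedence from the article: tls_name, then host_header, then Host header.
    return cfg.get("tls_name") or cfg.get("host_header") or request_host


if __name__ == "__main__":
    for alt in (None, "alt_name", "plain"):
        print(alt or "origin", "->", sni_name(SAMPLE, "shop.example.com", alt))
    print("ignored enable_sni on:", misplaced_sni_flags(SAMPLE))
```

Run against a config before deploying it, a non-empty result from misplaced_sni_flags points at origins that will be contacted without a server name unless the flag is moved to the "origin" key.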