SNI (Server Name Indication)

Security

A TLS extension that lets the client specify which hostname it's connecting to during the handshake. Enables multiple HTTPS sites on one IP address—essential for CDNs serving millions of domains.

Updated Mar 9, 2026

Full Explanation

Before SNI, each HTTPS site needed its own IP address because the server had to present the right certificate before knowing which site the client wanted. SNI fixes this by including the hostname in the TLS ClientHello message, so the server can pick the correct certificate.

This is critical for CDNs. Cloudflare serves millions of domains from shared IP pools. Without SNI, they'd need millions of IPs. With SNI, one IP can serve any number of domains because the edge knows which certificate to present based on the SNI value.

One privacy note: SNI is sent in plaintext in standard TLS, which means network observers can see which site you're visiting even if the content is encrypted. Encrypted Client Hello (ECH, formerly ESNI) fixes this by encrypting the SNI field. Cloudflare and Firefox already support it.
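To make the two points above concrete (the hostname travels inside the ClientHello, and it travels in the clear), here is an added example, not code from the original page: a small Python builder that constructs a minimal ClientHello record carrying a `server_name` extension, and a parser that walks the record the way a passive network monitor would and pulls the hostname back out. The byte layout follows the TLS record and ClientHello structure (record header, handshake header, version, random, session ID, cipher suites, compression methods, extensions). The `build_client_hello` and `extract_sni` function names, the zeroed random, and the single cipher suite are assumptions made for the example; the parser is deliberately minimal and does not handle handshakes split across several records.

```python
import struct
from typing import Optional

SNI_EXT_TYPE = 0x0000          # server_name extension id
HOST_NAME_TYPE = 0             # the only NameType defined for server_name


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed sample data,
    not a real capture). with_sni=False omits the server_name extension, which
    is what a client that does not support SNI sends."""
    name = hostname.encode("ascii")
    # server_name body: list length, then one entry: NameType(1) + len(2) + host
    sni_entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    # an unrelated empty extension first, so the parser has to walk the list
    ext_other = struct.pack("!HH", 0x0017, 0)   # extended_master_secret
    extensions = ext_other + (ext_sni if with_sni else b"")
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2 wire value)
        + b"\x00" * 32                                # random (zeroed for the example)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello TLS record, or None if the client
    sent no server_name extension. Raises ValueError on malformed input. Nothing
    here decrypts anything: every field read is plaintext on the wire."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # legacy client, no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type != SNI_EXT_TYPE:
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("server_name extension present:", extract_sni(hello))
    print("hostname visible as raw bytes:", b"www.example.com" in hello)
    print("client without SNI:", extract_sni(build_client_hello("cdn.example.com", with_sni=False)))
```

Running it shows the hostname both as the parsed `server_name` value and as a literal byte string inside the first packet of the connection, which is exactly what a network observer or a passive sensor sees before any encryption starts. That visibility is what a server uses to choose a certificate, what an egress monitor can use to log destinations, and what ECH removes by encrypting the ClientHello payload.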

Examples

# See SNI in action with openssl: -servername sets the SNI value, -connect the address
$ openssl s_client -servername www.example.com -connect cdn.example.com:443 2>&1 | grep 'subject'
subject=CN = www.example.com

# Without SNI, you might get the wrong cert
# (OpenSSL 1.1.1+ sends the -connect hostname as SNI by default; -noservername suppresses it)
$ openssl s_client -noservername -connect cdn.example.com:443 2>&1 | grep 'subject'
subject=CN = default.cdn.example.com  # Default/fallback cert

# Check if Encrypted Client Hello (ECH) is supported
$ dig TYPE65 example.com  # HTTPS record (type 65); an ech= parameter carries the ECH config

# Nginx: SNI-based virtual hosts on one listening address
server {
    listen 443 ssl;
    server_name site1.example.com;
    ssl_certificate     /etc/ssl/site1.pem;
    ssl_certificate_key /etc/ssl/site1.key;
}
server {
    listen 443 ssl;
    server_name site2.example.com;
    ssl_certificate     /etc/ssl/site2.pem;
    ssl_certificate_key /etc/ssl/site2.key;
}


Related CDN concepts include:

  • CNAME — A DNS record type that maps one domain name to another (an alias). CDNs use …
  • TLS (Transport Layer Security) — The encryption protocol that secures HTTPS connections. TLS encrypts data in transit between client and …