Server Name Indication (SNI) for Southbound connection on Edge

Dear Apigee Community,

I am looking for some documentation on Server Name Indication (SNI) when Apigee acts as a client (southbound connection), beyond this one:

https://docs.apigee.com/api-platform/system-administration/using-sni-edge#supportingsniforrequestsfr...

Specifically, I would like to know which flow variable I should use to indicate the server name I would like to request as a backend. Is there any variable, like target.server.name, with read/write rights in the target request scope that I could use to specify a specific server for the same URL/target server?

Thanks!


Hi Raphael!

Apigee SaaS supports SNI as a client (southbound). As the docs say:

Server Name Indication (SNI) allows multiple HTTPS targets to be served off the same IP address and port without requiring those targets to use the same TLS certificate.

Does your backend support SNI?

Imagine we have api.example1.com and api.example2.com. With SNI, they can both be hosted on the same IP and port (35.x.x.x:443) and a different certificate can be served for each, so you can use TLS for https access.

Because of this, you only need to set target.url to api.example1.com or api.example2.com and the backend will return the correct certificate and allow the connection, even on the same IP address and port.

There is a nice article here: https://www.ssls.com/knowledgebase/what-is-sni-technology/

If you want to route to a different backend without changing the URL, you can configure your middleware systems to route depending on the Host header. Here is an nginx example: http://nginx.org/en/docs/http/request_processing.html

Hope this helps!

Sean

Hi Sean!

Thank you so much for your reply. Your answer is actually only half of what I want to achieve 🙂

Considering your example, imagine only api.example1.com is declared in a DNS entry. I can still reach api.example2.com if the client I use supports SNI. In this case, api.example1.com is used to resolve a destination IP while api.example2.com is used for server name indication.

Most popular clients can achieve this. With openssl, for instance, I could run the following command:

> openssl s_client -connect api.example1.com:443 -servername api.example2.com

While with curl, I could use:

> curl --resolve api.example2.com:443:api.example1.com https://api.example2.com

May I do the same with Apigee as a client? If so, I guess I would need at least two variables:

target.url for the DNS resolution part and another variable (?) for the specific server name indication.


Thanks!
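As an added illustration that is not part of this thread, the Python below shows what the -servername and --resolve options above actually put on the wire: the SNI host name travels in the cleartext ClientHello and is independent of which IP address the TCP connection was made to. build_client_hello and extract_sni are constructed helpers written for this example, not Apigee, OpenSSL or curl code, and the ClientHello they build is deliberately minimal.

```python
import struct
from typing import Optional

def build_client_hello(sni_host: str) -> bytes:
    """Minimal TLS ClientHello record with a server_name extension (constructed:
    fixed random, one cipher suite, no other extensions; the SNI layout is real)."""
    host = sni_host.encode("ascii")
    # RFC 6066 ServerNameList: one entry of name_type host_name (0)
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (all zero, constructed)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext   # extensions block
    )
    # Handshake header: msg_type client_hello (1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (22), legacy version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Host name from a ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                  # not a handshake record / not a ClientHello
        hs = record[5:]
        p = 4 + 2 + 32                   # skip handshake header, version, random
        p += 1 + hs[p]                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                   # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0:            # server_name: list_len(2) name_type(1) host_len(2) host
                host_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + host_len].decode("ascii")
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

Because the name is visible before any encryption starts, an edge or proxy that terminates TLS can log the SNI it received alongside the address it resolved, which is how a mismatch between the two (the case this reply describes) can be detected.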

A feature enhancement has been filed for this. Reference buganizer:

160990074 - Support SNI variable for southbound connections