Origin Rule to override SNI
Hi,
I've got a proxied DNS record and am trying to override the SNI for it, as the origin certificate is unaware of the proxied DNS record name, and it doesn't seem to be working. The rule is very simple:
(http.host eq "foo.com") => SNI rewrite to: "origin-host.com"
... but it doesn't seem to work. Any ideas?
2 Replies
Support AI
According to the documentation, when you configure a DNS record override, you also need to configure a Host header override. The DNS record override handles the rerouting of the request, while the Host header override updates the Host HTTP header value in the request. Additionally, defining a Host header override will also update the Server Name Indication (SNI) value of the original request to the same value.
However, if you want to set an SNI value different from the Host header value, you need to add an SNI override in the same origin rule or create a separate origin rule for this purpose.
In your case, you may need to add a Host header override to your rule, like this:
(http.host eq "foo.com") => set http.host = "origin-host.com" => SNI rewrite to: "origin-host.com"
Please refer to the documentation for more information on DNS record overrides and SNI overrides: https://developers.cloudflare.com/rules/origin-rules/features/
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
Never mind, but just in case anyone else has this issue... turns out that the proxied DNS record didn't get a certificate created because it was of the format foo.bar.domain.com, which is not covered by *.domain.com.
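The root cause above (a wildcard certificate covering only one label) is easy to check before pointing a proxied record at an origin. The following is an added example, not code from this thread or from Cloudflare: it applies the single-label wildcard rule of RFC 6125 / RFC 9525 to a constructed SAN list and reports which record names a certificate does not cover.

```python
# Added example (not from the thread): checks whether hostnames are covered by a
# certificate's DNS Subject Alternative Names. A wildcard "*" stands for exactly
# one leftmost label, so "*.domain.com" covers "foo.domain.com" but neither
# "domain.com" nor "foo.bar.domain.com". SAN lists below are constructed samples.

def san_matches(san, hostname):
    """Return True if one DNS SAN entry covers hostname (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname                  # non-wildcard: exact match only
    suffix = san[1:]                            # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]         # the part the "*" must stand for
    # Exactly one non-empty label: a dot here means a second level was used.
    return leftmost != "" and "." not in leftmost

def covered_by(sans, hostname):
    """Return the SAN entry that covers hostname, or None if nothing does."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None

def uncovered_hostnames(sans, hostnames):
    """List the proxied record names the certificate would not cover."""
    return [h for h in hostnames if covered_by(sans, h) is None]

# Constructed sample: the SANs of a typical wildcard certificate.
WILDCARD_SANS = ["domain.com", "*.domain.com"]

if __name__ == "__main__":
    for h in ["domain.com", "foo.domain.com", "foo.bar.domain.com"]:
        print(f"{h:22} -> covered by {covered_by(WILDCARD_SANS, h)}")
```

Run this against the SANs of the certificate actually issued for the zone; a record name that shows up as uncovered needs its own certificate (or a SAN for the extra level) before an SNI override will help.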