Upstream SNI

Published 6 months ago

# SafeLine WAF

s8Julian

Updated 6 months ago

0

Hi, I’m facing the following situation, which I believe is fairly common:

On the upstream server there are multiple vhosts running on the same port (e.g., port 80). The web server distinguishes between them using SNI.
Is it possible to configure this in the WAF so that I can create multiple applications for the same upstream IP, each representing a different vhost?

I did not find the option to configure it in the UI. I am currently using the Pro license.

BR Julian

Carrie

Updated 6 months ago

0

Yes, it’s supported, as long as the domain name and certificate are configured correctly in the Application settings. Each domain corresponds to a separate application, and traffic is forwarded based on domain matching.

s8Julian

Updated 6 months ago

0

Thanks for your response.
If I understand you correctly, you are referring to the WAF’s ability to distinguish different services on the same port using SNI.
However, I’m still unclear about how this affects the upstream servers. Let me give an example to clarify what I mean:

I have a WAF with an application at https://domain1.tld:443
that forwards to an upstream server at http://192.168.1.2:80

The upstream server (192.168.1.2:80) is an Apache2 instance hosting multiple virtual hosts, all listening on the same port and differentiated by their ServerName directives. Assigning different ports for each site is not an option in my case.
Additionally, the external domain (domain1.tld) does not necessarily match the ServerName of the corresponding virtual host on the upstream server.

Is there any way to configure this in the WAF?

Carrie

Updated 6 months ago

See if it’s possible to achieve this using the Host Header Modification feature on SafeLine, so that it matches the ServerName of the backend service.
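
What the Host header rewrite changes at the upstream, as an added example that is not part of the original thread and not SafeLine's own code: a plain-HTTP upstream on port 80 picks the vhost from the Host header, so a request forwarded with the external name falls through to the default vhost, while one forwarded with the rewritten name reaches the intended site. The vhost names `site-a.internal` and `site-b.internal`, the local stand-in server and the `forward` helper are assumptions constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the upstream's name-based vhosts (ServerName -> site).
VHOSTS = {"site-a.internal": "site A", "site-b.internal": "site B"}
DEFAULT_SITE = "default vhost"  # served when no ServerName matches the Host header

class Upstream(BaseHTTPRequestHandler):
    def do_GET(self):
        # Name-based virtual hosting: pick the site from the Host header (port stripped).
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_upstream():
    server = ThreadingHTTPServer(("127.0.0.1", 0), Upstream)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def forward(upstream_port, client_host, host_rewrite=None):
    """Forward a GET / as a proxy would, optionally replacing the Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", upstream_port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # we set Host ourselves
        conn.putheader("Host", host_rewrite or client_host)
        conn.endheaders()
        return conn.getresponse().read().decode()
    finally:
        conn.close()

def demo():
    server = start_upstream()
    port = server.server_address[1]
    try:
        return {
            "passthrough": forward(port, "domain1.tld"),
            "rewritten": forward(port, "domain1.tld", "site-a.internal"),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```
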

s8Julian

Updated 6 months ago

0

Thanks, that worked with Apache2 and nginx as web servers.
Unfortunately I still have the issue with the IIS web server, but that could be a misconfiguration on IIS.

Carrie

Updated 6 months ago

You may analyze both the SafeLine logs and the IIS logs.

s8Julian

Updated 6 months ago

0

The issue was indeed a misconfiguration on the IIS.
Everything is now working as expected. 👍