How to monitor CDN web server instances with SNI
TL;DR: The Wormly HTTP sensor parameter Force IP Address allows you to target a specific server within a CDN.
A significant majority of websites are hosted on large cloud platforms which serve many unrelated sites and applications. These include Content Distribution Networks such as Cloudflare, Microsoft Azure and Amazon CloudFront. The widespread adoption of TLS/SSL - ensuring that all users access services via secure HTTPS - poses a challenge to this model: How can the server know which TLS/SSL certificate to present to the client?
Previously, when multiple websites were hosted on a single web server (known as “name-based virtual hosting”), the server inspected the HTTP Host request header and used the domain name it contained to determine which website should be served in response. TLS/SSL makes this largely impossible, because before the HTTP request headers can be sent, the client and server must negotiate an encrypted connection. To achieve this the web server must present the correct TLS/SSL certificate; hence it must first know which domain the client is requesting.
The Server Name Indication (SNI) extension to the TLS/SSL protocol was created to solve this problem. It allows the client to indicate the Fully Qualified Domain Name (FQDN) of the web server instance it wishes to connect to. This in turn permits the server to respond by presenting the correct TLS/SSL certificate. Once the certificate has been presented, the TLS handshake can be completed and the HTTP request can continue over the encrypted connection.
Content Distribution Networks (CDNs) operate a large number of web server instances in many different geographical locations, each serving tens or hundreds of thousands of distinct websites and web applications. SNI is therefore critical to the correct operation of these networks: it allows them to deliver the correct certificate for the requested site during the TLS handshake.
If you wish to monitor a specific server in a CDN - or a single server within your load balancing cluster - you can use the Force IP Address parameter to ensure that the Wormly HTTP sensor performs the request only against the specified server, and not one of the other servers in the CDN / load balancing group.