tls – SNI leakage prevention with proxy

In a TLS 1.2 / HTTP(S) context, the plaintext target hostname could potentially leak in 3 different ways:

  • In DNS query prior to TCP/TLS/HTTPS connection.
  • In TLS handshake, ClientHello message, in SNI extension.
  • In HTTP Host header.

DNS leakage can be prevented by using e.g. DoH/DoT.
HTTP Host header leakage is prevented through TLS encryption.
This leaves us with SNI leakage to address.

Which proxy types prevent leaking plaintext SNI and how?

Please note I’m asking explicitly about proxies, not ESNI, domain fronting or other similar means.

certificates – Is SNI always used in TLS connections?

I know that both DoT and DoH leak the target of the connection due to the use of SNI in the client hello (and that ESNI/ECH are proposed solutions), but what I can't figure out is: does SNI get used 100% of the time (assuming a TLS connection)?

If it's not 100% of the time, then when does it or doesn't it get used?

  • by "used" I mean: is it always present in the client hello, making TLS connections ALWAYS leak their target?

ssl – How to enable SNI support on client

centos – SNI in pure-ftpd

I’m looking for SNI support in pure-ftpd. I found some documentation here: https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

Please read section CUSTOM CERTIFICATE HANDLERS in the above link. It specifies the use of service pure-certd. But I cannot find a way to install this service.

Please help me find a way to install it. OS used is CentOS 7. Pure-ftpd version: pure-ftpd v1.0.47 [privsep]

Setting up a TCP-SNI proxy that dynamically forwards SSL traffic to any hostname that the SNI might contain

I'm first going to summarize my goal:

I'll set up a DNS server and configure my smart TV to use it. I'll set the DNS server up so that requests to specific DNS zones will not actually be resolved; rather, the DNS server will return the IP of my proxy server. The proxy server needs to accept any HTTPS request, inspect the SNI, and forward the request to the corresponding host. I cannot statically configure the hosts to which the proxy shall pass the incoming requests, as those hostnames are being "randomly" (= outside of my control) generated in a specific DNS zone.

So far I've looked into nginx's ngx_stream_ssl_preread_module, as well as into HAProxy. So far, I have not found a way to make them proxy-pass the traffic to $requesthostname; it seems like you always need to specify backends to which you pass the traffic.

While inspecting HTTPS traffic on my local machine using mitmproxy, I realized that it behaves as I desire, in that it forwards all HTTPS requests to the corresponding hostnames. However, as I cannot install mitmproxy's CA certificate on my smart TV, I cannot use it for this purpose.

Does anybody know a proxy software that serves my purpose, or a way to configure one of the proxy servers I mentioned so that it behaves in such a manner?

Help is greatly appreciated, thanks in advance

nginx: https with two SNI certs and server names but the same configuration. Can I use a single server block?

I often run into the following problem.

I have an nginx server that serves two host names through https on the same IP and the same port. Each hostname has its own certificate.

What I'm doing so far is having two settings:

server {
    listen              443 ssl;
    server_name         www.example1.com;
    ssl_certificate     www.example1.com.crt;
    ssl_certificate_key www.example1.com.key;
    ssl_protocols       ...;
    ssl_ciphers         ...;
    ...
}

and

server {
    listen              443 ssl;
    server_name         www.example2.com;
    ssl_certificate     www.example2.com.crt;
    ssl_certificate_key www.example2.com.key;
    ssl_protocols       ...;
    ssl_ciphers         ...;
    ...
}

Is there a trick to do this on a single server block?

The reason I am asking is that both servers share, apart from the name and the certificate, exactly the same configuration.

What I do so far is:

server {
    listen              443 ssl;
    server_name         www.example1.com;
    ssl_certificate     www.example1.com.crt;
    ssl_certificate_key www.example1.com.key;
    include /etc/nginx/common_config/example1_and_2/*;
}

server {
    listen              443 ssl;
    server_name         www.example2.com;
    ssl_certificate     www.example2.com.crt;
    ssl_certificate_key www.example2.com.key;
    include /etc/nginx/common_config/example1_and_2/*;
}

Can it be improved? Are there any standard recommendations?
If this is good, is there at least a recommendation for the path to such common configuration files?

ssl: Nginx selective TLS passthrough reverse proxy based on SNI

I have a system of IoT devices behind a NAT, so they are not accessible from the public Internet (although that would be desirable).
To overcome this, I tied them to a VPN, with a member exposed to the public Internet to act as a gateway.
The VPN has an internal domain configured, and each member of the network has a subdomain based on a unique ID (we go with the MAC address), like this: 12a4f81ead4e.vpn.example.com

I want to create a reverse proxy on the gateway, running nginx, to proxy requests.

The plan is to create a DNS record for the gateway, *.gateway.com, and then route (ahem, proxy) traffic that goes to/from 12a4f81ead4e.gateway.com to 12a4f81ead4e.vpn.example.com. Then the end user would only need to type 12a4f81ead4e.gateway.com in their browser to access their device.
I would like to use nginx, since the gateway is already running nginx for other purposes.

I expect HTTP requests to be easy and doable with a carefully designed nginx proxy_pass directive.

But what about HTTPS requests? As I understand it, nginx now implements SNI-based TLS passthrough, but all the examples I've seen so far create a static map to … well, map the incoming SNI to an upstream target:

stream {
  map $ssl_preread_server_name $selected_upstream {
    example.org upstream_1;
    example.net upstream_2;
    example.com upstream_3;
    default upstream_4;
  }
  upstream upstream_1 { server 10.0.0.1:443; }
  upstream upstream_2 { server 10.0.0.2:443; }
  upstream upstream_3 { server 10.0.0.3:443; }
  upstream upstream_4 { server 10.0.0.4:443; }
  server {
    listen 10.0.0.5:443;
    proxy_pass $selected_upstream;
    ssl_preread on;
  }
}

The problem is that the devices are dynamically added/removed from the VPN, and I don't want to rewrite the nginx configuration files all the time. If it is possible to read the map from a file, that is a step in the right direction, although I think that nginx would need to be reloaded every time it changes, which raises permission issues; those could be avoided with sudo rules, of course, but that is not the best solution.

Also, I only want to proxy requests that reach *.gateway.com, and serve other HTTPS requests normally from the existing vhosts. If possible, I would like to avoid terminating the SSL connection. It is not really a hard requirement, but I would like to implement it that way if it were technically feasible. Also, just for kicks.

I'm fine with listening internally on an alternate port for the other vhosts; I did something similar for HTTP when I wanted to establish a "global" location: I moved all HTTP vhosts to port 81 and implemented a global vhost on port 80 that served the "global" location and proxied everything else to port 81. 🙂

So … what I would need is something like this (obviously it doesn't work):

stream {
  map $ssl_preread_server_name $selected_upstream {
    (.*).gateway.com $1.vpn.example.com;
    default normal_serve;
  }

  upstream normal_serve { server 127.0.0.1:8443; }

  server {
    listen 0.0.0.0:443;
    proxy_pass $selected_upstream;
    ssl_preread on;
  }

  server {
    listen 127.0.0.1:8443;
    server_name other.website.com;

    (...)
  }
}
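The dynamic forwarding asked about in the smart-TV post above and the regex rewrite asked about in this gateway post are the same mechanism, and it is also the reason the first two posts on this page call SNI a leak: the server_name extension sits in the plaintext ClientHello, so anything on the path (an ssl_preread proxy, an ISP filter) can read it before any key is negotiated. What follows is an added example in Python, not code from any of the posts or from nginx: a small SNI-routing TCP proxy that parses the ClientHello just far enough to pull out server_name, chooses a backend, and splices bytes without terminating TLS. The names 12a4f81ead4e.gateway.com and .vpn.example.com come from the post; the 12-hex-character allowlist regex, the 127.0.0.1:8443 fallback, the `open_forward` switch and all function names are assumptions, and `build_client_hello` only constructs test input so the parser can be exercised offline.

```python
import asyncio
import re
import struct
from typing import Optional, Tuple


def extract_sni(data: bytes) -> Optional[str]:
    """host_name from a ClientHello's server_name extension, else None.
    Anything that is not a Handshake/ClientHello, is truncated, or simply carries
    no SNI (the extension is optional) yields None rather than an exception."""
    try:
        if data[0] != 0x16:                                   # record type: Handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                     # handshake type: ClientHello
            return None
        pos = 4 + 2 + 32                                      # hs header, client_version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos + 2 > len(hs):
            return None                                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and body[2] == 0:                # server_name, name_type host_name
                name_len = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed test input only: a minimal ClientHello, optionally carrying SNI."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # host_name entry
        lst = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", 0, len(lst)) + lst            # extension type 0
    body = (b"\x03\x03" + bytes(32)                              # version, random (zeros: test data)
            + b"\x00"                                            # empty session_id
            + b"\x00\x02\x13\x01"                                # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                        # compression: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


GATEWAY_RE = re.compile(r"^([0-9a-f]{12})\.gateway\.com$")   # assumed allowlist: MAC-like id only
LOCAL_VHOSTS = ("127.0.0.1", 8443)                              # the post's 'normal_serve' fallback


def route(sni: Optional[str], open_forward: bool = False) -> Optional[Tuple[str, int]]:
    """Backend (host, port) for a connection, or None to drop it.
    open_forward=True : forward to whatever the SNI names (the smart-TV setup).
    open_forward=False: rewrite allowlisted <id>.gateway.com to <id>.vpn.example.com,
                        everything else (including no SNI) goes to the local vhosts."""
    if open_forward:
        return (sni, 443) if sni else None
    m = GATEWAY_RE.match(sni.lower()) if sni else None
    return (f"{m.group(1)}.vpn.example.com", 443) if m else LOCAL_VHOSTS


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_r, client_w, open_forward: bool = False) -> None:
    first = await client_r.read(16384)   # ClientHello normally arrives in one read; a split one yields no SNI
    target = route(extract_sni(first), open_forward)
    if target is None:
        client_w.close()
        return
    try:
        up_r, up_w = await asyncio.open_connection(*target)
    except OSError:
        client_w.close()
        return
    up_w.write(first)                    # replay the bytes already consumed from the client
    await up_w.drain()
    await asyncio.gather(_pipe(client_r, up_w), _pipe(up_r, client_w))


async def serve(host: str = "0.0.0.0", port: int = 443, open_forward: bool = False) -> None:
    server = await asyncio.start_server(lambda r, w: handle(r, w, open_forward), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it on the gateway with the other vhosts moved to 127.0.0.1:8443, as the post proposes (binding 443 needs root or CAP_NET_BIND_SERVICE). Two things a practitioner would check before deploying: with `open_forward=True` the proxy relays to any host named in the SNI, so it must be reachable only from the TV's network or it is an open TLS relay for anyone who can hit it; and a client that sends no SNI at all cannot be routed by name, which is why `route()` has an explicit behaviour for `None`, the same role the `default` line plays in the nginx `map` above. The `[0-9a-f]{12}` allowlist is what keeps an attacker-chosen SNI from steering the gateway at arbitrary hosts inside the VPN.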

Certificate: ISP that blocks the SNI extension (Server Name Indication) in Windows 10 but not on Server 2016

Out of curiosity, I noticed that my ISP (TalkTalk, UK) was able to block certain websites using the SNI extension, however only from Windows 10. When trying to access the same website from Server 2016, it succeeds.

I captured the traffic using Wireshark from a Windows 10 VM and a Server 2016 VM and noticed the following differences in the TLS Client Hello packet. It was captured using Firefox, although any browser gives the same result.

Can anyone advise? There seems to be a difference in the initial version of TLS.

Windows 10 (blocked by ISP):

Transport Layer Security
TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 512
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 508
        Version: TLS 1.2 (0x0303)
        Random: 182ee4b40150007b6ee7d849f95f5bac687ec50b700f64e5…
            GMT Unix Time: Nov  9, 1982 21:46:28.000000000 GMT Standard Time
            Random Bytes: 0150007b6ee7d849f95f5bac687ec50b700f64e50dd805cc…
        Session ID Length: 32
        Session ID: 72a08438398989047259317a73d22dd941bf848fff0e7257…
        Cipher Suites Length: 36
        Cipher Suites (18 suites)
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 399
        Extension: server_name (len=13)
            Type: server_name (0)
            Length: 13
            Server Name Indication extension
                Server Name list length: 11
                Server Name Type: host_name (0)
                Server Name length: 8
                Server Name: rarbg.to
        Extension: extended_master_secret (len=0)
            Type: extended_master_secret (23)
            Length: 0
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: supported_groups (len=14)
            Type: supported_groups (10)
            Length: 14
            Supported Groups List Length: 12
            Supported Groups (6 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: secp384r1 (0x0018)
                Supported Group: secp521r1 (0x0019)
                Supported Group: ffdhe2048 (0x0100)
                Supported Group: ffdhe3072 (0x0101)
        Extension: ec_point_formats (len=2)
            Type: ec_point_formats (11)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: session_ticket (len=0)
            Type: session_ticket (35)
            Length: 0
            Data (0 bytes)
        Extension: application_layer_protocol_negotiation (len=14)
            Type: application_layer_protocol_negotiation (16)
            Length: 14
            ALPN Extension Length: 12
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: status_request (len=5)
            Type: status_request (5)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: key_share (len=107)
            Type: key_share (51)
            Length: 107
            Key Share extension
                Client Key Share Length: 105
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: 078fdff07806eb707ef0cf0826908e7b85da6dd2041f855d…
                Key Share Entry: Group: secp256r1, Key Exchange length: 65
                    Group: secp256r1 (23)
                    Key Exchange Length: 65
                    Key Exchange: 0415220711d4bb416d47074ca2de7ec7ba4bd610bec96747…
        Extension: supported_versions (len=9)
            Type: supported_versions (43)
            Length: 9
            Supported Versions length: 8
            Supported Version: TLS 1.3 (0x0304)
            Supported Version: TLS 1.2 (0x0303)
            Supported Version: TLS 1.1 (0x0302)
            Supported Version: TLS 1.0 (0x0301)
        Extension: signature_algorithms (len=24)
            Type: signature_algorithms (13)
            Length: 24
            Signature Hash Algorithms Length: 22
            Signature Hash Algorithms (11 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: ecdsa_sha1 (0x0203)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
        Extension: psk_key_exchange_modes (len=2)
            Type: psk_key_exchange_modes (45)
            Length: 2
            PSK Key Exchange Modes Length: 1
            PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
        Extension: record_size_limit (len=2)
            Type: record_size_limit (28)
            Length: 2
            Record Size Limit: 16385
        Extension: padding (len=150)
            Type: padding (21)
            Length: 150
            Padding Data: 000000000000000000000000000000000000000000000000…

Server 2016 (allowed):

Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 512
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 508
        Version: TLS 1.2 (0x0303)
        Random: 1867472afaf40a1111cf68f2fd10f5f808e0b411dcf0f5b4…
            GMT Unix Time: Dec 22, 1982 16:13:30.000000000 GMT Standard Time
            Random Bytes: faf40a1111cf68f2fd10f5f808e0b411dcf0f5b45e5f0357…
        Session ID Length: 32
        Session ID: 72d9204a4438425364339b8d8a9a8f878f6f23341000f5a9…
        Cipher Suites Length: 36
        Cipher Suites (18 suites)
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 399
        Extension: server_name (len=13)
            Type: server_name (0)
            Length: 13
            Server Name Indication extension
                Server Name list length: 11
                Server Name Type: host_name (0)
                Server Name length: 8
                Server Name: rarbg.to
        Extension: extended_master_secret (len=0)
            Type: extended_master_secret (23)
            Length: 0
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: supported_groups (len=14)
            Type: supported_groups (10)
            Length: 14
            Supported Groups List Length: 12
            Supported Groups (6 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: secp384r1 (0x0018)
                Supported Group: secp521r1 (0x0019)
                Supported Group: ffdhe2048 (0x0100)
                Supported Group: ffdhe3072 (0x0101)
        Extension: ec_point_formats (len=2)
            Type: ec_point_formats (11)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: session_ticket (len=0)
            Type: session_ticket (35)
            Length: 0
            Data (0 bytes)
        Extension: application_layer_protocol_negotiation (len=14)
            Type: application_layer_protocol_negotiation (16)
            Length: 14
            ALPN Extension Length: 12
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: status_request (len=5)
            Type: status_request (5)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: key_share (len=107)
            Type: key_share (51)
            Length: 107
            Key Share extension
                Client Key Share Length: 105
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: d7fa97d7b3f594dcafea8cd2df0d260b3b13aa95175aec6d…
                Key Share Entry: Group: secp256r1, Key Exchange length: 65
                    Group: secp256r1 (23)
                    Key Exchange Length: 65
                    Key Exchange: 048a12885f2de13477cc7dcdb43f450576cdb92551f48144…
        Extension: supported_versions (len=9)
            Type: supported_versions (43)
            Length: 9
            Supported Versions length: 8
            Supported Version: TLS 1.3 (0x0304)
            Supported Version: TLS 1.2 (0x0303)
            Supported Version: TLS 1.1 (0x0302)
            Supported Version: TLS 1.0 (0x0301)
        Extension: signature_algorithms (len=24)
            Type: signature_algorithms (13)
            Length: 24
            Signature Hash Algorithms Length: 22
            Signature Hash Algorithms (11 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: ecdsa_sha1 (0x0203)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
        Extension: psk_key_exchange_modes (len=2)
            Type: psk_key_exchange_modes (45)
            Length: 2
            PSK Key Exchange Modes Length: 1
            PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
        Extension: record_size_limit (len=2)
            Type: record_size_limit (28)
            Length: 2
            Record Size Limit: 16385
        Extension: padding (len=150)
            Type: padding (21)
            Length: 150
            Padding Data: 000000000000000000000000000000000000000000000000…

ssl: hostname provided through SNI, but no hostname is provided in the HTTP request

I got this error in the Apache log:

[Mon Oct 28 16:11:33.074606 2019] [ssl:error] [pid 30553] AH02031: Hostname mywebsite.com provided via SNI, but no hostname provided in HTTP request

I couldn't find any information about it.
What does it mean?

The website did not respond and was at 100% CPU for one hour; I had to stop it from the console. When I looked at the error log, I only saw the above error, which was at the exact moment the CPU went to 100%.

I suspect that it could be some kind of hacker attack, since it is a message similar to "Conflict between domains provided by SNI and HTTP".

virtualhost – CentOS 6.9: multiple SSL SNI on one IP address

I am using a CentOS 6.9 VPS, where the Parallels Panel can configure multiple domains on a single IP address. According to the documentation, SNI seems to work, as Websites & Domains >> SSL/TLS Certificates is not hidden and can be used to assign certificates.

The .conf vhost files (15704622940.10347800_httpd.conf and 15704622940.10347800_nginx.conf) are generated in /var/www/vhosts/system//conf/ and they contain the correct paths to the CA and the certificates, so I know that Parallels is saving separate paths for each domain.

But nevertheless:

Domain 2, when requested online, tries to serve Domain 1's certificate and, when that is skipped in Chrome, complains about multiple redirects; but with SSL disabled it works perfectly (apart from the obvious SSL certificate error). Domain 1, when requested, tries to serve Domain 1's certificate.

The vhost files indicate the same IP but with the different front-end ports you would expect, and contain a well-formed section depending on the options specified in Parallels.

Examples:

<VirtualHost :7080>
  ServerName ":80"
  ServerAlias  ""
  ServerAlias  "ipv4..com"
  UseCanonicalName Off
</VirtualHost>

<VirtualHost :7081>
  ServerName ":80"
  ServerAlias  ""
  ServerAlias  "ipv4..com"
  UseCanonicalName Off
</VirtualHost>

I am a bit stuck on how to solve this, so any suggestions would be appreciated.
