Enable non-SNI clients

You are currently viewing version 1.15 of the Apigee hybrid documentation. For more information, seeSupported versions.

This topic explains how to enable non-SNI clients for use with Apigee hybrid.

How to configure a non-SNI client

This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid.

SNI defines how a TLS peer (client) will specify the hostnameit intends to connect to during the initial TLS handshake. SNI has been part of TLS since2003. Prior to SNI, when a TLS peer sent a HELLO to begin the handshake, the receiving peeralways responded with the same credentials. SNI was introduced to allow a singleload-balancer to support multiple distinct hostnames and credential sets for TLS connectionmanagement. SNI is now used by the vast majority of TLS clients.

There are exceptions. As one example, the Google Cloud Load Balancerwill use a non-SNI handshake to connect to backends.

If you want to configure your Apigee hybrid to be able to handle TLS handshakes that donot use SNI, either because your Apigee hybrid is a backend to a GoogleCloud Load Balancer, or because your Apigeehybrid must support some other non-SNI client, then you should follow the steps described below.Non-SNI negotiation will act as a fallback; Apigee hybrid will use it for any client that does notuse SNI.

  1. Create anApigeeRoute resource. Be sure thatenableNonSniClient is set totrue:
    apiVersion:apigee.cloud.google.com/v1alpha1kind:ApigeeRoutemetadata:name:ROUTE_NAMEnamespace:APIGEE_NAMESPACEspec:hostnames:-"*"ports:-number:443protocol:HTTPStls:credentialName:CREDENTIAL_NAMEmode:SIMPLE#optionalminProtocolVersion:TLS_AUTOselector:app:apigee-ingressgatewayenableNonSniClient:true

    Where:

    • ROUTE_NAME is the name you give to the custom resource (CR).
    • CREDENTIAL_NAME is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the followingkubectl Command:
      kubectl -nAPIGEE_NAMESPACE get ApigeeRoutes -o=yaml | grep credentialName
    • hostnames must be set to the wildcard "*".Note:Do not create two ApigeeRoute objects with a wildcard "*" hostname.
  2. Open your overrides file and make the change described in the next step.
  3. For each environment group, add the ApigeeRoute name to theadditionalGateways property. For example:
    virtualhosts:- name: default    sslCertPath: ./certs/fullchain.pem    sslKeyPath: ./certs/privkey.pem    additionalGateways: ["ROUTE_NAME"]
  4. Save the CRD file. For example:ApigeeRoute.yaml
  5. Apply the CRD to the cluster:
    kubectl apply -f ApigeeRoute.yaml -nAPIGEE_NAMESPACE
  6. Apply the change tovirtualhosts. If you have set the$ENV_GROUP environment variable in your shell, you can use that in the following commands:
    helm upgrade$ENV_GROUP apigee-virtualhost/ \  --namespaceAPIGEE_NAMESPACE \  --atomic \  --set envgroup=$ENV_GROUP \  -fOVERRIDES_FILE.yaml
    Note: If you see an error sayingError: UPGRADE FAILED: "ENV_GROUP" has no deployed releases, replaceupgrade withinstall and try the command again.

Usage notes

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.