SafeLine
[Suggestion] Support for Dynamic SNI-based Certificate Loading for Large Multi-Domain Deployments
What would you like to be added or improved?
Hello Safeline team,
We’re evaluating Safeline for a large-scale multi-tenant e-commerce platform (similar to Shopify) with ~20,000 custom domains for shops. Each domain uses its own TLS certificate.
From the documentation, it appears that certificates must currently be uploaded and bound to specific domains via the dashboard or file directory, with automatic reloads supported since v7.2.0.
For our use case, managing 20k certificates manually or preloading them in the config is not practical. What we need is:
Dynamic SNI-based certificate selection – During the TLS handshake, Safeline would read the ssl_server_name (SNI) and load the matching certificate from a store (filesystem, Redis, database, etc.) without having to predefine each domain in the configuration.
On-demand loading – Certificates would be fetched/loaded on first request and cached in memory for performance.
Rule selection based on SNI – Similar dynamic matching for applying WAF rules per domain without 20,000 individual server blocks.
Questions:
Does Safeline currently support true dynamic SNI-based certificate loading in OpenResty/Lua without predefining all domains?
If not, is this feature on the roadmap or something you would consider supporting?
Are there performance considerations or known limitations for handling very large numbers of SNI hostnames?
Why is it needed?
Our platform hosts ~20,000 custom shop domains for different tenants (similar to Shopify). Each tenant brings their own domain and TLS certificate. Currently, Safeline requires that each domain and its certificate be explicitly registered in the configuration or through the dashboard.
At our scale, this is operationally challenging because:
Manual overhead – Managing thousands of certificate uploads and domain mappings through the dashboard is not feasible.
Onboarding latency – Every new tenant domain requires a configuration update before it can be served securely, slowing down domain activation.
Reload impact – Large configuration files with thousands of server blocks cause longer reload times and higher memory usage.
Cloud-native scaling – In dynamic or containerized deployments, domains can be added or removed at any time, so configuration must update instantly without a full restart.
Dynamic SNI-based certificate loading would allow Safeline to select the correct certificate and rules for any domain at TLS handshake time without preloading every domain in the config. This is critical for large multi-tenant SaaS platforms where domain counts are high and constantly changing.
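As an added illustration of the on-demand, SNI-keyed selection requested above (this is example code, not SafeLine's own, and it does not answer whether SafeLine exposes this hook): an OpenResty `ssl_certificate_by_lua_block` body that reads the SNI name, loads the matching PEM pair from a store on first use and caches it in a shared dictionary. It assumes a `lua_shared_dict sni_cert_cache 64m;` directive in nginx.conf, a server block with a static fallback `ssl_certificate`, and a placeholder filesystem store at `/etc/certs/<host>.crt` and `.key`.

```lua
-- Added example (not SafeLine code). Runs inside ssl_certificate_by_lua_block.
-- Assumed: lua_shared_dict "sni_cert_cache" in nginx.conf and a store with one
-- <host>.crt / <host>.key pair per domain under STORE_DIR (placeholder path).
local ssl = require "ngx.ssl"
local cache = ngx.shared.sni_cert_cache
local STORE_DIR = "/etc/certs"   -- placeholder; Redis/DB stores would use cosockets
local CACHE_TTL = 300            -- seconds: bounds memory and picks up cert rotation

-- Only accept syntactically sane hostnames: the SNI value is attacker-controlled
-- and is used to build a store key, so it must never reach the filesystem raw.
local function valid_host(name)
  return name ~= nil and #name <= 253 and name:match("^[%w%-%.]+$") ~= nil
         and not name:find("%.%.")
end

-- Blocking read, kept only so the example is self-contained; in a real deployment
-- fetch from Redis/DB with a non-blocking cosocket client instead.
local function read_file(path)
  local f = io.open(path, "rb")
  if not f then return nil end
  local data = f:read("*a"); f:close()
  return data
end

-- Return the PEM pair for host: shared-dict cache first, then the store.
local function load_pem(host)
  local cert_pem, key_pem = cache:get("c:" .. host), cache:get("k:" .. host)
  if cert_pem and key_pem then return cert_pem, key_pem end
  cert_pem = read_file(STORE_DIR .. "/" .. host .. ".crt")
  key_pem  = read_file(STORE_DIR .. "/" .. host .. ".key")
  if not (cert_pem and key_pem) then
    cache:set("miss:" .. host, true, 30)  -- negative cache: no store hit per handshake
    return nil
  end
  cache:set("c:" .. host, cert_pem, CACHE_TTL)
  cache:set("k:" .. host, key_pem, CACHE_TTL)
  return cert_pem, key_pem
end

local host = ssl.server_name()
if not valid_host(host) or cache:get("miss:" .. host) then
  return  -- fall through to the static ssl_certificate of the server block
end
local cert_pem, key_pem = load_pem(host)
if not cert_pem then return end

ssl.clear_certs()  -- drop the static cert before installing the per-host one
local cert, err = ssl.parse_pem_cert(cert_pem)
if not cert then ngx.log(ngx.ERR, "bad cert for ", host, ": ", err) return end
local key; key, err = ssl.parse_pem_priv_key(key_pem)
if not key then ngx.log(ngx.ERR, "bad key for ", host, ": ", err) return end
ssl.set_cert(cert); ssl.set_priv_key(key)
```

The same SNI lookup can return a tenant identifier alongside the certificate, which is the hook the per-domain rule selection in the request would need; caching parsed cert objects per worker (for example with lua-resty-lrucache) avoids re-parsing PEM on every handshake at 20k-domain scale.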