v.20.9Improvement

Enable SNI support for secure ClickHouse server connections behind TLS proxy

Published: November 25, 2025

Make it possible to connect to clickhouse-server secure endpoint which requires SNI. This is possible when clickhouse-server is hosted behind TLS proxy. #16938 (filimonov).

Added support for connecting to clickhouse-server secure endpoints that require Server Name Indication (SNI), enabling compatibility when clickhouse-server is hosted behind a TLS proxy.

Why it matters

This feature addresses the need to establish secure connections to clickhouse-server instances that are protected by TLS proxies requiring SNI. It solves connectivity issues in environments where TLS termination and routing depend on the SNI extension, enhancing security and deployment flexibility.

How to use it

When connecting to a clickhouse-server secured behind a TLS proxy that requires SNI, ensure that the client connection includes the appropriate SNI hostname. The ClickHouse client and drivers now automatically support this feature when configured to connect to secure endpoints requiring SNI.

Related resources

Pull Request #16938