diff --git a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
index 894244c0..bb021926 100644
--- a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
+++ b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
@@ -209,7 +209,11 @@ impl SslDigest {
 None => (Vec::new(), None, None),
 };

- SslDigest::new(cipher, ssl.version_str(), org, sn, cert_digest)
+ let sni = ssl
+ .servername(ssl::NameType::HOST_NAME)
+ .map(ToOwned::to_owned);
+
+ SslDigest::new(cipher, ssl.version_str(), org, sn, cert_digest, sni)
 }
 }

diff --git a/pingora-core/src/protocols/tls/digest.rs b/pingora-core/src/protocols/tls/digest.rs
index 58ecf3b6..765580c9 100644
--- a/pingora-core/src/protocols/tls/digest.rs
+++ b/pingora-core/src/protocols/tls/digest.rs
@@ -31,6 +31,8 @@ pub struct SslDigest {
 pub serial_number: Option,
 /// The digest of the peer's certificate
 pub cert_digest: Vec,
+ /// The SNI (Server Name Indication) from the TLS handshake
+ pub sni: Option,
 /// The user-defined TLS data
 pub extension: SslDigestExtension,
 }
@@ -43,6 +45,7 @@ impl SslDigest {
 organization: Option,
 serial_number: Option,
 cert_digest: Vec,
+ sni: Option,
 ) -> Self
 where
 S: Into>,
@@ -53,6 +56,7 @@ impl SslDigest {
 organization,
 serial_number,
 cert_digest,
+ sni,
 extension: SslDigestExtension::default(),
 }
 }
diff --git a/pingora-core/src/protocols/tls/rustls/stream.rs b/pingora-core/src/protocols/tls/rustls/stream.rs
index f2a0ddae..10c65335 100644
--- a/pingora-core/src/protocols/tls/rustls/stream.rs
+++ b/pingora-core/src/protocols/tls/rustls/stream.rs
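Review bot: The three TLS backends do not agree on which side of a connection fills `sni`: here `ssl.servername(ssl::NameType::HOST_NAME)` is read for any `ssl`, and the s2n hunk calls `conn.server_name()` unconditionally, while the rustls hunk returns `None` for everything except `RusTlsStream::Server`. If these constructors also run for outbound connections (not visible in the hunks), the OpenSSL/BoringSSL and s2n builds would presumably report the name this process sent upstream, so one field would carry peer-supplied input in one build and local configuration in another. Gating on the server role here too, or stating the rule beside the call with a comment such as `// sni: host name requested by the peer on accepted connections`, would make the behaviour uniform. The enclosing function starts above the hunk.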
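Review bot: The doc comment on `sni` in the `-31,6 +31,8` hunk of digest.rs should say that the value is chosen by the client in its ClientHello, since nothing in this change ties it to the certificate that was served or to the HTTP authority of later requests on the connection. Code that reads `SslDigest::sni` for routing, tenant selection, access decisions or log lines has to treat it as untrusted input, and host name comparisons should be case-insensitive because the backends may not normalise the name identically. Suggested wording: `/// The SNI host name requested by the client in the TLS handshake. Unauthenticated: validate before using it for routing or access decisions.`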
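Review bot: Adding `sni` as a sixth positional parameter in the `-43,6 +45,7` hunk changes the signature of `SslDigest::new`, and the new `pub sni` field in the preceding hunk also breaks struct-literal construction; if either is reachable from outside the crate this is a source-breaking change for downstream users. The start of `new` lies outside the hunk, so its visibility cannot be confirmed from here. A compatible alternative is to keep `new` unchanged and add a chained setter, for example `pub fn with_sni(mut self, sni: Option<String>) -> Self { self.sni = sni; self }`. The type parameter is stripped in this rendering, so `Option<String>` is inferred from the `.map(ToOwned::to_owned)` calls. Otherwise the break should be called out in the release notes.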
@@ -390,7 +390,19 @@ impl SslDigest {
 .map(|(organization, serial)| (organization, Some(serial)))
 .unwrap_or_default();

- SslDigest::new(cipher, version, organization, serial_number, cert_digest)
+ let sni = match stream {
+ RusTlsStream::Server(s) => s.get_ref().1.server_name().map(ToOwned::to_owned),
+ _ => None,
+ };
+
+ SslDigest::new(
+ cipher,
+ version,
+ organization,
+ serial_number,
+ cert_digest,
+ sni,
+ )
 }
 }

diff --git a/pingora-core/src/protocols/tls/s2n/stream.rs b/pingora-core/src/protocols/tls/s2n/stream.rs
index 3f12ea44..b455b2e4 100644
--- a/pingora-core/src/protocols/tls/s2n/stream.rs
+++ b/pingora-core/src/protocols/tls/s2n/stream.rs
@@ -307,12 +307,15 @@ impl SslDigest {
 }
 }

+ let sni = conn.server_name().map(ToOwned::to_owned);
+
 SslDigest::new(
 cipher,
 version,
 organization,
 serial_number,
 cert_digest.unwrap_or_default(),
+ sni,
 )
 }
 }