WildFly multiple domains and SSL certificates

时光毁灭记忆、已成空白 submitted on 2019-12-09 12:16:06

Question


I have two different domains:

  • example1.com
  • example2.com

Each domain has its own SSL certificate.

What I am trying to do now is use both domains for the same WildFly instance, with SSL support.

The WildFly documentation states that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm> with one keystore containing both certificates.

Thus, I defined two different <security-realm> elements, one for each domain.

  <security-realm name="RealmExample1">
      <server-identities>
          <ssl>
              <keystore path="example1.jks" keystore-password="secret" />
          </ssl>
      </server-identities>
      ...
  </security-realm>

  <security-realm name="RealmExample2">
      <server-identities>
          <ssl>
              <keystore path="example2.jks" keystore-password="secret2" />
          </ssl>
      </server-identities>
      ...
  </security-realm>

However, I cannot add two security domains to a single host.

  <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
      <https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
      <host name="default-host" alias="localhost">
          <filter-ref name="central-basic-auth"/>
      </host>
  </server>

Now, if I define a server for each domain, I cannot reference the same http/https listener binding, since the ports are blocked.

The only solution I have found so far is having two public IP addresses and defining two interfaces and an http/https socket binding for each interface. Then I am able to define two servers with different aliases and different socket bindings.

As of now, WildFly unfortunately does not support SNI.

Is there any other possible solution?


Answer 1:


While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your WildFly server? It would not be difficult to do, and it does support SNI. You would have to change your certificates for Apache, but then, with Apache virtual hosting, you could have something like:

<VirtualHost _default_:443>
    ServerName www.firstdomain.com
    # TLS is terminated here; this vhost's own SSLCertificateFile and
    # SSLCertificateKeyFile directives go next to SSLEngine (one cert per vhost is what SNI selects on)
    SSLEngine on
    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyTimeout 360
</VirtualHost>

in the first virtual host file and:

<VirtualHost _default_:443>
    ServerName www.seconddomain.com
    # this domain's own SSLCertificateFile and SSLCertificateKeyFile go here
    SSLEngine on
    ProxyPreserveHost on
    # if it is a different instance:
    ProxyPass / http://localhost:9080/
    ProxyPassReverse / http://localhost:9080/
    # or, if it is the same instance, a different webapp:
    # ProxyPass / http://localhost:8080/app2
    # ProxyPassReverse / http://localhost:8080/app2
    ProxyTimeout 360
</VirtualHost>

Again, the issues are that you have another process to maintain and you'll need to set up SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:

Header set Content-Security-Policy ...
Header set X-XSS-Protection "1; mode=block"

This setup has worked well for me with either Tomcat or WildFly behind Apache.




Answer 2:


Sorry for necroposting, but there is a simpler option: just add several domains to one certificate.

The obvious way is with a wildcard certificate.

But Let's Encrypt also allows you to specify several domains for one certificate. And it works fine, no need to wait for free wildcard certificates:

sh /root/.acme.sh/acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d more.yourdomain.com -w /opt/wildfly-10.1.0.Final/welcome-content
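As an added example that is not part of the original question or either answer, the script below does three things a practitioner would want around both answers: it builds one self-signed certificate whose subjectAltName lists every hostname (the multi-domain approach of Answer 2, standing in for the chain acme.sh would issue), packs it into a PKCS#12 keystore for WildFly, and provides a check of which certificate a live front end (the Apache proxy of Answer 1, or WildFly itself) presents for a given SNI name. The hostnames example1.com/example2.com are constructed from the question; the function and file names are my own, the `provider="PKCS12"` keystore attribute is my recollection of the legacy security-realm schema and should be checked against your WildFly version, and OpenSSL 1.1.1 or newer is assumed for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example (not from the original post): one multi-SAN certificate for
# several domains, packed for WildFly, plus an SNI check against a live endpoint.
# Assumes OpenSSL 1.1.1+ (for -addext / -ext).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_multi_san_cert BASENAME DNSNAME...
# Writes BASENAME.key and BASENAME.crt; the SAN lists every DNS name given.
# Self-signed stand-in for the Let's Encrypt chain acme.sh would produce.
make_multi_san_cert() {
    base="$1"; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$base.key" -out "$base.crt" \
        -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
}

# cert_dns_names CERTFILE: print the DNS names in the SAN, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_covers CERTFILE HOSTNAME: succeed if HOSTNAME is listed exactly or is
# matched by a single-label wildcard entry (*.example.com covers www.example.com,
# not example.com and not a.b.example.com).
cert_covers() {
    names=$(cert_dns_names "$1")
    host="$2"
    printf '%s\n' "$names" | grep -qxF -- "$host" && return 0
    printf '%s\n' "$names" | grep -qxF -- "*.${host#*.}"
}

# to_pkcs12 BASENAME PASSWORD: bundle key + cert into BASENAME.p12; WildFly's
# legacy security realm should load it with
# <keystore provider="PKCS12" path="BASENAME.p12" keystore-password="PASSWORD" alias="server"/>
# (assumed attribute name; verify against your WildFly version).
to_pkcs12() {
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -name server \
        -out "$1.p12" -passout "pass:$2"
}

# served_cert_subject HOST PORT SNINAME: print the subject of the certificate a
# live endpoint presents when the client sends SNINAME. Run once per domain
# against the front end to confirm each name gets the right certificate.
# Not exercised below because it needs a running server.
served_cert_subject() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo on constructed hostnames taken from the question.
cd "$WORK"
make_multi_san_cert site example1.com www.example1.com example2.com www.example2.com
to_pkcs12 site secret
cert_dns_names site.crt
cert_covers site.crt www.example2.com && echo "www.example2.com: covered"
cert_covers site.crt mail.example2.com || echo "mail.example2.com: not covered (add it to the SAN or use a wildcard)"
```

`cert_covers` is deliberately strict about wildcards: a `*.example2.com` entry covers exactly one label, which is the reason a name such as `mail.example2.com` still has to be listed explicitly when the certificate only carries exact names, and why the acme.sh command above enumerates every hostname with repeated `-d` flags.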


Source: https://stackoverflow.com/questions/37413682/wildfly-multiple-domains-and-ssl-certificates
