Question
I'm building a multi-tenant application using the Play framework and hosting it with CloudBees. A key feature of the site is the ability to purchase SSL certificates on behalf of our customers during the sign-up process.
- On sign-up, the user provides us with their custom domain name (i.e., customer.com)
- We create the client account and associate customer.com with their client ID
- We purchase the SSL certificate for our client and automatically configure it on our server
The client should only have to worry about pointing their domain name to the right IP address, not purchasing their own SSL certificate.
What we need to support at run-time:
- Resolve http://customer.com or http://www.customer.com for a typical request
- Resolve http://customer.ourdomain.com if the client does not have a custom domain
- Resolve https://customer.com/payment, https://www.customer.com/payment, or https://customer.ourdomain.com/payment during the billing process for our client's end-users depending on their domain setup (subdomain or custom domain)
I'm trying to figure out if it's possible to use CloudBees out-of-the-box with our SSL needs. We're assuming that SNI will suit our requirements, but I'm struggling to determine the optimal configuration considering that we may need to support hundreds or thousands of SSL certificates on a single IP.
My question is:
- What options do we have for supporting so many SSL certificates? Should we continue exploring CloudBees with SNI and AWS Elastic Load Balancing or am I way off base? (ELB only supports 10 certificates out-of-the-box.) The ideal process will be completely automated for our client during sign-up.
Any advice is appreciated.
Answer 1:
CloudBees only offers a dedicated SSL router to support an SSL certificate. This can be fully automated using the CloudBees SDK / API client. But you'll then need a router per SSL certificate. I don't know of a short-term plan to support multiple certificates per router.
Answer 2:
You are on the right track with SNI - but there isn't a way to support that on CloudBees right now - it is a slightly unusual request (but a nice idea for your users).
If your customers are paying - you can programmatically create them an SSL revproxy service as needed - and then install the SSL key into that (but it means each one gets their own, not SNI multitenant - so not quite what you want).
So no - not out of the box, at least not until we support SNI (there hasn't been demand for it just yet, and there has been some resistance towards SNI - but that resistance should be going away!).
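
For reference, this is how SNI-based certificate selection for the three hostname forms in the question could look on a server you control. It is an added example, not part of the original question or answers and not CloudBees functionality. The registry contents, the `/etc/tls/...` file layout, the single `*.ourdomain.com` wildcard certificate, and one certificate per tenant covering both the apex and `www` names are all assumptions.

```python
import ssl
from functools import lru_cache

PLATFORM_DOMAIN = "ourdomain.com"   # platform domain used in the question
# Constructed sample registry: custom domain -> client ID (hypothetical data)
CUSTOM_DOMAINS = {"customer.com": "client-42"}

def cert_id_for(server_name):
    """Map the SNI name from the ClientHello to a certificate id, or None."""
    if not server_name:
        return None                              # client sent no SNI extension
    host = server_name.lower().rstrip(".")
    if host.endswith("." + PLATFORM_DOMAIN):
        label = host[: -(len(PLATFORM_DOMAIN) + 1)]
        # A *.ourdomain.com wildcard certificate matches exactly one label.
        return "wildcard" if label and "." not in label else None
    if host.startswith("www."):
        host = host[4:]                          # apex and www share one cert
    return host if host in CUSTOM_DOMAINS else None

@lru_cache(maxsize=1024)                         # keep hot tenants in memory
def context_for(cert_id):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Hypothetical on-disk layout; cert_id only ever comes from the registry
    # or the literal "wildcard", never straight from the client.
    ctx.load_cert_chain(f"/etc/tls/{cert_id}/fullchain.pem",
                        f"/etc/tls/{cert_id}/privkey.pem")
    return ctx

def sni_callback(sslobj, server_name, default_ctx):
    cert_id = cert_id_for(server_name)
    if cert_id is None:
        return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME   # abort the handshake
    sslobj.context = context_for(cert_id)        # swap in the tenant's cert
    return None

def make_listener_context(default_cert, default_key):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(default_cert, default_key)
    ctx.sni_callback = sni_callback
    return ctx
```

Loading contexts lazily behind a bounded cache keeps memory proportional to active tenants rather than to the total number of certificates on the IP.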
Source: https://stackoverflow.com/questions/18708273/multi-tenant-application-on-cloudbees-with-multiple-ssl-certificates-sni