Multi-tenant application on CloudBees with multiple SSL certificates (SNI)


Question

I'm building a multi-tenant application using the Play framework and hosting it with CloudBees. A key feature of the site is the ability to purchase SSL certificates on behalf of our customers during the sign-up process.

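  • On sign-up, the user provides us with their custom domain name (i.e. customer.com)
  • We create the customer account and associate customer.com with their customer ID
  • We purchase an SSL certificate for the client and automatically configure it on our servers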

The client should only have to worry about pointing their domain name to the right IP address, not purchasing their own SSL certificate.

What we need to support at run-time:

  1. Resolve http://customer.com, http://customer.ourdomain.com (has a custom domain)
  2. Resolve https://customer.com/payment, https://www.customer.com/payment, https://customer.ourdomain.com/payment (their domain setup: subdomain or custom domain)

I'm trying to figure out if it's possible to use CloudBees out-of-the-box with our SSL needs. We're assuming that SNI will suit our requirements, but I'm struggling to determine the optimal configuration considering that we may need to support hundreds or thousands of SSL certificates on a single IP.

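My question is:

  • What are our options for supporting this many SSL certificates? Should we continue exploring CloudBees with SNI and AWS Elastic Load Balancing, or am I off track? (ELB only supports 10 certificates out of the box.) Ideally, the process would be fully automated for our customers during sign-up.

Any advice is appreciated.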

Recommended answer

You are on the right track with SNI - but there isn't a way to support that on CloudBees right now - it is a slightly unusual request (but a nice idea for your users).

If your customers are paying - you can programmatically create them an SSL revproxy service as needed - and then install the SSL key into that (but it means each one gets their own, not SNI multitenant - so not quite what you want).

So no - not out of the box, at least not until we support SNI (there hasn't been demand for it just yet, and there has been some resistance towards SNI - but that resistance should be going away!).
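
How per-tenant certificate selection by SNI works on a TLS endpoint you run yourself, as an added Go example that is not from the question, the answer or CloudBees. `TenantCerts`, `Put`, `Lookup` and `selfSigned` are hypothetical names, and throwaway self-signed certificates stand in for purchased ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

type TenantCerts struct{ m sync.Map } // lower-case host name -> *tls.Certificate

// Put can run while serving (e.g. after sign-up); Get is the tls.Config.GetCertificate hook.
func (s *TenantCerts) Put(host string, c *tls.Certificate) { s.m.Store(strings.ToLower(host), c) }
func (s *TenantCerts) Get(h *tls.ClientHelloInfo) (*tls.Certificate, error) { return s.Lookup(h.ServerName) }

func (s *TenantCerts) Lookup(name string) (*tls.Certificate, error) {
	name = strings.ToLower(name)
	_, rest, _ := strings.Cut(name, ".")
	for _, k := range []string{name, "*." + rest} { // exact name, then one-label wildcard
		if c, ok := s.m.Load(k); ok {
			return c.(*tls.Certificate), nil
		}
	}
	return nil, fmt.Errorf("no certificate for SNI name %q", name)
}

// selfSigned builds a throwaway certificate standing in for a purchased one.
func selfSigned(host string) (*tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}

func main() {
	store := &TenantCerts{}
	c, err := selfSigned("*.ourdomain.com") // constructed wildcard for sub-domain tenants
	store.Put("*.ourdomain.com", c)
	got, _ := store.Get(&tls.ClientHelloInfo{ServerName: "customer.ourdomain.com"})
	fmt.Println(got == c, err) // serve with &tls.Config{GetCertificate: store.Get}
}
```

A name with no installed certificate, such as www.customer.com when only customer.com was stored, fails the handshake instead of being served another tenant's certificate.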
