Tomcat hosting multiple virtual hosts with multiple SSL certificates


Question


I have a server hosting multiple websites using Tomcat 7, for example

  • a.abc.com
  • b.abc.com
  • c.def.com
  • d.def.com


Using Tomcat's virtual hosting feature, so each of them may belong to a different webapps folder.


We're now trying to implement HTTPS on each of the sites. So basically we got 2 wildcard certificates, *.abc.com and *.def.com.


I've been looking for ways to set this up and I found:

  • This is where it taught me how to set up SSL with Tomcat
  • This is where it taught me how to set up multiple Hosts with different SSL certificates pointing at different IP addresses


The second example is closest to what I need, but the problem is that all of my virtual hosts have the same IP address; the only difference is the domain name itself. Worse, most of them even have a couple of different aliases (e.g. my d.def.com could have e.ghi.com as one of its aliases).


So my question would be: is there any way I could set up my multiple SSL certificates for all my virtual hosts?

Answer


I'm afraid it's not possible to fulfill all your requirements with tomcat:

  • Multiple domains
  • Two SSL certificates
  • A single IP address
  • The standard SSL port (I've assumed this)


Tomcat SSL Configuration is defined in <Connector> element at config.xml

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>


Each connector requires a port attribute. See the definition in the HTTP Connector documentation:

The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.


Therefore you can't define two connectors using the same port, and so it is not possible to configure different SSL certificates.


  • Several IPs: The address attribute configures which address will be used for listening on the specified port. Set an IP per main domain using an SSL certificate and configure a Connector for it.


  • Different ports: 443 for *.abc.com, 444 for *.def.com, and so on.


  • SSL Proxy: Deploy a proxy server like Apache or Nginx in front of Tomcat. The proxy only deals with SSL negotiation and virtual hosts. All the traffic is redirected to Tomcat in plain HTTP.


Just as an example, using Apache mod_ssl and the Tomcat connector mod_jk, your requested configuration is simple:

Listen 443

# One <VirtualHost> per certificate on the same IP and port. Apache picks the
# vhost (and therefore the certificate) from the ServerName the client sends
# in the TLS SNI extension; clients without SNI get the first vhost listed.
<VirtualHost *:443>
    ServerName a.abc.com:443
    SSLEngine on
    # Only SSLv2 is excluded here, as in the original answer; on a current
    # Apache/OpenSSL build SSLv3 and TLS 1.0/1.1 should be excluded as well.
    SSLProtocol all -SSLv2
    SSLCertificateFile "/home/certs/abc.com.crt"
    SSLCertificateKeyFile "/home/certs/abc.com.key"
    SSLCertificateChainFile "/home/certs/abc.com.ca-bundle"
    SSLOptions +StdEnvVars +ExportCertData
    ErrorLog "/var/logs/error_abc_443.log"
    # The original wrote the access log into the error log file; keep them apart.
    TransferLog "/var/logs/access_abc_443.log"
    # Hand every request on this vhost to the Tomcat worker over AJP (plain, not TLS).
    JkMount /* worker1
</VirtualHost>

<VirtualHost *:443>
    ServerName c.def.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile "/home/certs/def.com.crt"
    SSLCertificateKeyFile "/home/certs/def.com.key"
    SSLCertificateChainFile "/home/certs/def.com.ca-bundle"
    SSLOptions +StdEnvVars +ExportCertData
    ErrorLog "/var/logs/error_def.log"
    TransferLog "/var/logs/access_def.log"
    JkMount /* worker2
</VirtualHost>
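The proxy setup above depends on the client's SNI name selecting the right <VirtualHost>, and a wildcard certificate only covers one label below its base domain, so an alias such as e.ghi.com is served by neither *.abc.com nor *.def.com. Added example, not code from the original question or answer: a Python script that maps every ServerName and alias in a constructed inventory to the certificate that covers it, and a live check that connects with SNI set and lets the ssl module validate what the proxy serves. The inventory, certificate file names and function names are assumptions.

```python
import socket
import ssl

# Constructed sample inventory modelled on the question: two wildcard certificates
# and four virtual hosts, one carrying an alias (e.ghi.com) outside both wildcards.
CERTS = {"abc.com.crt": "*.abc.com", "def.com.crt": "*.def.com"}
VHOSTS = {
    "a.abc.com": [],
    "b.abc.com": [],
    "c.def.com": [],
    "d.def.com": ["e.ghi.com"],
}


def wildcard_matches(pattern, hostname):
    """Browser-style wildcard rule: '*' stands for exactly one leftmost label,
    so *.abc.com covers a.abc.com but neither abc.com nor x.y.abc.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".abc.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def plan_certificates(vhosts, certs):
    """Map every ServerName and alias to the certificate file that covers it.
    Names no certificate covers map to None so they surface before go-live."""
    plan = {}
    for server_name, aliases in vhosts.items():
        for name in [server_name, *aliases]:
            plan[name] = next((f for f, pat in certs.items()
                               if wildcard_matches(pat, name)), None)
    return plan


def served_certificate_ok(hostname, address, port=443):
    """Live check against the deployed proxy: connect with SNI set to hostname
    and let the ssl module verify chain and hostname. True only when the
    certificate selected for that SNI name is valid for it (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for name, cert in plan_certificates(VHOSTS, CERTS).items():
        print(f"{name:12} -> {cert or 'NO CERTIFICATE COVERS THIS NAME'}")
```

Run the script to list uncovered names; after the proxy is deployed, call served_certificate_ok(name, shared_ip) for each name to confirm the vhost selection actually works from a client's point of view.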
