WildFly multiple domains and SSL certificates


Question

I have two different domains

  • example1.com
  • example2.com


Each domain has its own SSL certificate.


What I am trying to do now, is using both domains for the same WildFly instance, supporting SSL.

The WildFly documentation states that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm> with one keystore containing both certificates.


Thus, I defined two different <security-realm>. One for each domain.

<security-realm name="RealmExample1">
    <server-identities>
        <ssl>
            <keystore path="example1.jks" keystore-password="secret" />
        </ssl>
    </server-identities>
    ...
</security-realm>

<security-realm name="RealmExample2">
    <server-identities>
        <ssl>
            <keystore path="example2.jks" keystore-password="secret2" />
        </ssl>
    </server-identities>
    ...
</security-realm>


However, I cannot add two security domains to a single host.

<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
    <https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
    <host name="default-host" alias="localhost">
        <filter-ref name="central-basic-auth"/>
    </host>
</server>


Now, if I define a server for each domain, I cannot reference the same http/https listener binding, since the ports are blocked.

The only solution I found so far is having two public IP addresses and defining two interfaces and an http/https socket binding for each interface. Then I am able to define two servers with a different alias and different socket bindings.


As of now, WildFly unfortunately does not support SNI.


Is there any other possible solution?

Answer


While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your Wildfly server? It would not be difficult to do and it does support SNI. You would have to change your certificates for Apache but then, with Apache virtual hosting you could have something like:

<VirtualHost _default_:443>
    ServerName www.firstdomain.com
    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyTimeout 360
</VirtualHost>


in the first virtual host file and:

<VirtualHost _default_:443>
    ServerName www.seconddomain.com
    ProxyPreserveHost on
    # if it is a different instance:
    ProxyPass / http://localhost:9080/
    # or, if it is the same instance, a different webapp:
    # ProxyPass / http://localhost:8080/app2
    ProxyTimeout 360
</VirtualHost>

Again, the issues are that you have another process to maintain and you'll need to set up SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:

Header set Content-Security-Policy ...
Header set X-XSS-Protection "1; mode=block"


This setup has worked well for me with either Tomcat or Wildfly behind Apache.
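The Apache side of the answer, filled out as an added example (this is not code from the original answer): each name-based vhost on port 443 carries its own certificate, so mod_ssl picks the certificate from the SNI name the client sends, and the proxied request tells WildFly that the client spoke HTTPS. The domain names, certificate paths, the port 8080 backend and the /app2 context path are assumptions; it needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.

```apacheconf
# Added example, not from the original answer. Hostnames, paths and ports are assumptions.
Listen 443

# Refuse clients that send no SNI name instead of silently serving them the
# first vhost (and its certificate) as the default.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName example1.com
    ServerAlias www.example1.com

    # Per-vhost certificate: this is what makes SNI select the right one.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example1.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example1.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # WildFly only sees plain HTTP on 8080; tell it the original scheme so
    # redirects, secure cookies and isSecure() are computed correctly.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyTimeout 360

    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

<VirtualHost *:443>
    ServerName example2.com
    ServerAlias www.example2.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example2.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example2.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    # Same WildFly instance, a second webapp deployed under /app2 (assumed).
    ProxyPass        / http://localhost:8080/app2/
    ProxyPassReverse / http://localhost:8080/app2/
    ProxyTimeout 360

    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

On the WildFly side, set proxy-address-forwarding="true" on the http-listener that receives the proxied traffic so Undertow honours X-Forwarded-Proto and X-Forwarded-For rather than reporting every request as plain HTTP from localhost. To confirm that SNI is selecting certificates as intended, connect to the same IP address twice with different names, for example `openssl s_client -connect <ip>:443 -servername example1.com` and again with `-servername example2.com`, and check that the subject and subjectAltName of the presented certificate change with the name; with SSLStrictSNIVHostCheck on, a client that omits the name is rejected instead of being handed the first vhost.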
