Using multiple SSL certificates in a single Tomcat instance


Problem description

I know that Tomcat can handle multiple SSL certificates by setting up multiple Connectors listening on different IPs, but is it possible to set it up on the same IP?

The situation is that we have multiple web applications running in a single Tomcat instance. Our server has only one static IP. Tomcat is set up to have virtual servers, so depending on the domain it serves a different app. However, if we want SSL in more than one of these apps, I predict we might run into trouble.

Does anyone have more experience in this field?

Recommended answer

To be able to use multiple certificates on the same IP address and port, you need Server Name Indication (SNI) support. Unfortunately, this was introduced in Java 7 only on the client side.

(There are still problems with SNI support on the client side, most notably because of a lack of support from any version of IE on Windows XP, Java 6 and below, and some mobile browsers.)

A workaround for this is to use a single certificate that supports multiple host names. The preferred way to do this is to have a certificate with multiple Subject Alternative Name (SAN) entries. Otherwise, if the names have a pattern, a wildcard certificate may be suitable (e.g. *.example.com for www.example.com and secure.example.com).

Apache httpd has support for SNI, so you may be able to solve your problem by using distinct VirtualHosts for each host name you want to serve and using a reverse proxy to a different Tomcat configuration for each host.
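The httpd front-end approach described in the answer above, as an added example that is not part of the original answer: two name-based TLS VirtualHosts on one IP and port, each presenting its own certificate via SNI and proxying to a separate plain-HTTP Tomcat connector. The host names, certificate paths, and the Tomcat ports 8081 and 8082 are assumptions; adjust them to your layout.

```apache
# Added example (not from the original answer). Assumes httpd 2.4 with mod_ssl,
# mod_proxy, mod_proxy_http and mod_headers, built against an SNI-capable OpenSSL.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

Listen 443

# Reject TLS clients that send no SNI (or an unknown name) instead of silently
# serving them the first VirtualHost's certificate. Turn this off if you must
# still serve the non-SNI clients mentioned in the answer; they will then get
# the first VirtualHost below, so keep the most important host first.
SSLStrictSNIVHostCheck on

# First host: its own key pair, proxied to the Tomcat connector on 8081 (assumed).
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Forward the original Host header so Tomcat's virtual host selection still works.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
    # Let Tomcat know the client connection was HTTPS (consumed by RemoteIpValve).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Second host on the same IP and port: different certificate, different backend.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

To check which certificate each name receives, connect with an SNI-aware client and compare the subject, e.g. `openssl s_client -connect <ip>:443 -servername secure.example.com`, then repeat with `www.example.com`; the two subjects must differ. On the Tomcat side, bind the backend connectors to 127.0.0.1 only, so the unencrypted ports are not reachable from outside, and configure RemoteIpValve with `protocolHeader="X-Forwarded-Proto"` so that redirects and secure cookies are generated for https rather than for the plain-HTTP hop.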
