Posted to users@tomcat.apache.org by Rory Kelly <ro...@fernsoftware.com> on 2015/03/16 13:53:23 UTC

Multiple SSL certificates on one Instance

Hey guys,



I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
have to implement a different solution. Been hunting for an answer, but
couldn’t find anything definite.

I’m running Tomcat 8.0.18,

Java 1.7.0_75-b13,

Ubuntu 14.04.



I have multiple sites running on Virtual Hosts on the instance. For a bit
of background, I am intending on creating a 2-server load balanced system
using nginx as a balancer on virtual servers (Best I can do, given our
hosting/not possible to move away from it)

I need each site to be protected by its own SSL certificate, provided by
the client for each site.



Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
going to have to go learn nginx/httpd and provide it that way?



Thanks,

Rory

Re: Multiple SSL certificates on one Instance

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stefan,

On 3/16/15 5:03 PM, Stefan Frei wrote:
> 2 points:
> 
> Configuring the reverse proxy is simpler.

s/simpler/possible/

> With Tomcat, issues may be harder to troubleshoot.

Tomcat can't even do SNI at this point.

> I would take the proxy to do that; in fact, we use a Squid rev-proxy
> to solve exactly the same problem.

It's nice not to have to introduce a reverse proxy unless it's
actually necessary. Tomcat should really support SNI.

-chris

> 2015-03-16 14:16 GMT+01:00 Mark Thomas <ma...@apache.org>:
>> On 16/03/2015 12:53, Rory Kelly wrote:
>>> Hey guys,
>>> 
>>> 
>>> 
>>> I’ve a bad feeling what I’m trying to do is impossible, and I’m
>>> going to have to implement a different solution. Been hunting
>>> for an answer, but couldn’t find anything definite.
>>> 
>>> I’m running Tomcat 8.0.18,
>>> 
>>> Java 1.7.0_75-b13,
>>> 
>>> Ubuntu 14.04.
>>> 
>>> 
>>> 
>>> I have multiple sites running on Virtual Hosts on the instance.
>>> For a bit of background, I am intending on creating a 2-server
>>> load balanced system using nginx as a balancer on virtual
>>> servers (Best I can do, given our hosting/not possible to move
>>> away from it)
>>> 
>>> I need each site to be protected by its own SSL certificate,
>>> provided by the client for each site.
>>> 
>>> 
>>> 
>>> Can I actually have multiple SSL certs with Tomcat Virtual
>>> Hosts, or am I going to have to go learn nginx/httpd and
>>> provide it that way?
>> 
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
>> 
>> Mark
>> 
>> 
>>> 
>>> 
>>> 
>>> Thanks,
>>> 
>>> Rory
>>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org



Re: Multiple SSL certificates on one Instance

Posted by Stefan Frei <st...@gmail.com>.
Hi,

2 points:

Configuring the reverse proxy is simpler.
With Tomcat, issues may be harder to troubleshoot.

I would take the proxy to do that; in fact, we use a Squid rev-proxy to
solve exactly the same problem.

Regards

Stefan

2015-03-16 14:16 GMT+01:00 Mark Thomas <ma...@apache.org>:
> On 16/03/2015 12:53, Rory Kelly wrote:
>> Hey guys,
>>
>>
>>
>> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
>> have to implement a different solution. Been hunting for an answer, but
>> couldn’t find anything definite.
>>
>> I’m running Tomcat 8.0.18,
>>
>> Java 1.7.0_75-b13,
>>
>> Ubuntu 14.04.
>>
>>
>>
>> I have multiple sites running on Virtual Hosts on the instance. For a bit
>> of background, I am intending on creating a 2-server load balanced system
>> using nginx as a balancer on virtual servers (Best I can do, given our
>> hosting/not possible to move away from it)
>>
>> I need each site to be protected by its own SSL certificate, provided by
>> the client for each site.
>>
>>
>>
>> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
>> going to have to go learn nginx/httpd and provide it that way?
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
>
> Mark
>
>
>>
>>
>>
>> Thanks,
>>
>> Rory
>>
>
>
>



Re: Multiple SSL certificates on one Instance

Posted by Mark Thomas <ma...@apache.org>.
On 16/03/2015 12:53, Rory Kelly wrote:
> Hey guys,
> 
> 
> 
> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
> have to implement a different solution. Been hunting for an answer, but
> couldn’t find anything definite.
> 
> I’m running Tomcat 8.0.18,
> 
> Java 1.7.0_75-b13,
> 
> Ubuntu 14.04.
> 
> 
> 
> I have multiple sites running on Virtual Hosts on the instance. For a bit
> of background, I am intending on creating a 2-server load balanced system
> using nginx as a balancer on virtual servers (Best I can do, given our
> hosting/not possible to move away from it)
> 
> I need each site to be protected by its own SSL certificate, provided by
> the client for each site.
> 
> 
> 
> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
> going to have to go learn nginx/httpd and provide it that way?

https://bz.apache.org/bugzilla/show_bug.cgi?id=57108

Mark


> 
> 
> 
> Thanks,
> 
> Rory
> 




RE: Multiple SSL certificates on one Instance

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Rory Kelly [mailto:rory.kelly@fernsoftware.com]
> Sent: Monday, March 16, 2015 7:53 AM
> To: Tomcat Users List
> Subject: Multiple SSL certificates on one Instance
> 
> Hey guys,
> 
> 
> 
> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
> have to implement a different solution. Been hunting for an answer, but
> couldn’t find anything definite.
> 
> I’m running Tomcat 8.0.18,
> 
> Java 1.7.0_75-b13,
> 
> Ubuntu 14.04.
> 
> 
> 
> I have multiple sites running on Virtual Hosts on the instance. For a
> bit
> of background, I am intending on creating a 2-server load balanced
> system
> using nginx as a balancer on virtual servers (Best I can do, given our
> hosting/not possible to move away from it)
> 
> I need each site to be protected by its own SSL certificate, provided by
> the client for each site.
> 
> 
> 
> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am
> I
> going to have to go learn nginx/httpd and provide it that way?
> 
> 
> 
> Thanks,
> 
> Rory

Rory -
The guys have all given some hints that this is probably coming, but not yet here. The rest of the answer depends on your ultimate requirements.
If you require that all the hosts are truly virtual, i.e. they all listen to the same IP-port combo, then it's definitely easier/better to terminate the SSL on your NGINX load-balancer, which presumably already has the needed support. There are some minor adjustments on the Tomcat connector config, but they are adequately explained in the Tomcat docs. Plus terminating on the load-balancer will save some processing cycles in Tomcat.
If you have the ability to assign multiple IP-port combos, then there's really only 1 way to do it on the Tomcat side: Create a unique <Service> tree for each host. This tree will have its own <Engine>, <Connector>, <Valve>, <Host>, etc. entries, basically everything you might need that can't be put at the Global level. Be sure to specify both an HTTP and HTTPS connector so that TRANSPORT GUARANTEE will function properly. Trying to do it all inside one <Service> tree is just asking for trouble.
If you go back in the archives a year or so, I think I posted a sample server.xml implementing the above.
Jeff
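
The one-<Service>-per-host layout described in the reply above, sketched as an added example for a Tomcat 8.0 server.xml; it is not the sample from the list archives that the reply mentions, nor Tomcat project code. The IP addresses, host names, ports, keystore paths, aliases and passwords are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: IPs (RFC 5737), host names, keystore paths and
     passwords are placeholders, not values from the thread. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Site A: own Service, own IP address, own keystore -->
  <Service name="SiteA">
    <!-- HTTP connector; redirectPort is where a CONFIDENTIAL
         transport-guarantee in web.xml redirects clients -->
    <Connector address="192.0.2.10" port="8080" protocol="HTTP/1.1"
               redirectPort="8443" />
    <!-- HTTPS connector presenting only site A's certificate -->
    <Connector address="192.0.2.10" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/site-a.jks" keystorePass="CHANGE_ME_A"
               keyAlias="site-a" />
    <!-- Engine names must be unique when a Server has several Services -->
    <Engine name="EngineSiteA" defaultHost="site-a.example">
      <Host name="site-a.example" appBase="webapps-site-a"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

  <!-- Site B: same layout on a second address with its own keystore -->
  <Service name="SiteB">
    <Connector address="192.0.2.11" port="8080" protocol="HTTP/1.1"
               redirectPort="8443" />
    <Connector address="192.0.2.11" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/site-b.jks" keystorePass="CHANGE_ME_B"
               keyAlias="site-b" />
    <Engine name="EngineSiteB" defaultHost="site-b.example">
      <Host name="site-b.example" appBase="webapps-site-b"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

</Server>
```

Because each HTTPS connector binds to its own address, the certificate is selected by IP rather than by SNI, and each client-supplied key stays in its own keystore. Keep server.xml and the keystore files readable only by the account Tomcat runs as, since the keystore passwords sit in the file in clear text.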
