Tomcat hosting multiple virtual host with multiple SSL certificate

Posted by 我的未来我决定 on 2020-01-01 10:36:26

Question


I have a server hosting multiple websites using Tomcat 7, for example

  • a.abc.com
  • b.abc.com
  • c.def.com
  • d.def.com

Using Tomcat's virtual hosting feature, so they each may belong to a different webapps folder.

We're now trying to implement HTTPS on each of the sites. So basically we have 2 wildcard certificates, *.abc.com and *.def.com.

I've been looking for ways to set this up and I found:

  • This, which taught me how to set up SSL with Tomcat
  • This, which taught me how to set up multiple Hosts with different SSL certificates pointing at different IP addresses

The second example is closest to what I need, but the problem is that all of my virtual hosts are on the same IP address; the only difference is the domain name itself. Worse, most of them even have a couple of different aliases (e.g. my d.def.com could have e.ghi.com as one of its aliases).

So my question would be: is there any way I could set up my multiple SSL certificates for all my virtual hosts?


Answer 1:


I'm afraid it's not possible to fulfill all your requirements with Tomcat:

  • multiple domains
  • two SSL certificates
  • unique IP address
  • standard SSL port (I have assumed this)

Tomcat's SSL configuration is defined in the <Connector> element in config.xml:

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>

Each connector requires a port attribute. See the definition in the HTTP Connector documentation:

The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.

Therefore you can't define two connectors using the same port, and so it is not possible to configure different SSL certificates.

Alternatives

  • Several IPs: The address attribute configures which address will be used for listening on the specified port. Set an IP per main domain using an SSL certificate, and configure a Connector for it.

  • Different ports: 443 for *.abc.com, 444 for *.def.com, and so on.

  • SSL Proxy: Deploy a proxy server like Apache or Nginx in front of tomcat. The proxy only deals with SSL negotiation and virtual hosts. All the traffic is redirected to Tomcat in plain HTTP.

Just as an example, using Apache mod_ssl and the Tomcat connector mod_jk, your requested configuration is simple:

Listen 443

<VirtualHost *:443>
    ServerName a.abc.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile "/home/certs/abc.com.crt"
    SSLCertificateKeyFile "/home/certs/abc.com.key"
    SSLCertificateChainFile  "/home/certs/abc.com.ca-bundle"
    SSLOptions +StdEnvVars  +ExportCertData
    ErrorLog "/var/logs/error_abc_443.log"
    TransferLog "/var/logs/error_abc_443.log"
    JkMount  /* worker1
</VirtualHost>


<VirtualHost *:443>
    ServerName c.def.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile "/home/certs/def.com.crt"
    SSLCertificateKeyFile "/home/certs/def.com.key"
    SSLCertificateChainFile  "/home/certs/def.com.ca-bundle"
    SSLOptions +StdEnvVars  +ExportCertData
    ErrorLog "/var/logs/error_def.log"
    TransferLog "/var/logs/error_def.log"
    JkMount  /* worker2
</VirtualHost>
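The proxy setup above works because Apache picks the VirtualHost (and therefore the certificate) from the SNI hostname the client sends, so the remaining risk is a name that no certificate's SAN list covers, such as the e.ghi.com alias from the question. The script below is an added example, not part of the answer: it assigns each virtual host name to a covering certificate using RFC 6125 wildcard rules and flags the uncovered ones, with a live helper that reports which certificate a proxy actually presents for a given SNI name. The certificate SAN lists and host inventory are constructed to mirror the question.

```python
import socket
import ssl

# Constructed inventory mirroring the question: two wildcard certs, one IP,
# and one alias (e.ghi.com) that neither wildcard covers.
CERT_SANS = {
    "abc.com.crt": ["*.abc.com", "abc.com"],
    "def.com.crt": ["*.def.com", "def.com"],
}
VHOST_NAMES = ["a.abc.com", "b.abc.com", "c.def.com", "d.def.com", "e.ghi.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is only honoured as the whole leftmost label
    and matches exactly one label, so *.def.com covers d.def.com but neither
    x.y.def.com nor the bare def.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def plan_certificates(cert_sans, hostnames):
    """Assign each virtual host name to the first certificate whose SANs cover
    it; return (assignments, uncovered). Any name in 'uncovered' will produce a
    hostname-mismatch error in browsers whichever VirtualHost serves it."""
    assignments = {cert: [] for cert in cert_sans}
    uncovered = []
    for host in hostnames:
        for cert, sans in cert_sans.items():
            if any(san_matches(san, host) for san in sans):
                assignments[cert].append(host)
                break
        else:
            uncovered.append(host)
    return assignments, uncovered


def served_certificate_cn(host: str, port: int = 443) -> str:
    """Live check: connect with SNI=host (as a browser would), verify the chain
    and hostname, and return the CN of the certificate the proxy presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")
```

Running plan_certificates(CERT_SANS, VHOST_NAMES) reports e.ghi.com as uncovered, which is the alias that needs either its own certificate or a SAN entry before it can be served over HTTPS.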


Source: https://stackoverflow.com/questions/40761660/tomcat-hosting-multiple-virtual-host-with-multiple-ssl-certificate
