WildFly multiple domains and SSL certificates

Published 2019-03-28 11:27

Question:

I have two different domains

  • example1.com
  • example2.com

Each domain has its own SSL certificate.

What I am trying to do now is to use both domains for the same WildFly instance, with SSL support.

The WildFly documentation states that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm> with one keystore containing both certificates.

Thus, I defined two different <security-realm> elements, one for each domain.

    <security-realm name="RealmExample1">
        <server-identities>
            <ssl>
                <keystore path="example1.jks" keystore-password="secret" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

    <security-realm name="RealmExample2">
        <server-identities>
            <ssl>
                <keystore path="example2.jks" keystore-password="secret2" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

However, I cannot add two security domains to a single host.

    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
        <https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
            <filter-ref name="central-basic-auth"/>
        </host>
    </server>

Now, if I define a server for each domain, I cannot reference the same http/https listener binding, since the ports are blocked.

The only solution I have found so far is having two public IP addresses and defining two interfaces and an http/https socket binding for each interface. Then I am able to define two servers with a different alias and different socket bindings.

As of now, WildFly unfortunately does not support SNI.

Is there any other possible solution?

Answer 1:

While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your Wildfly server? It would not be difficult to do and it does support SNI. You would have to change your certificates for Apache but then, with Apache virtual hosting you could have something like:

<VirtualHost _default_:443>
    ServerName www.firstdomain.com
    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyTimeout 360
</VirtualHost>

in the first virtual host file and:

<VirtualHost _default_:443>
    ServerName www.seconddomain.com
    ProxyPreserveHost on
    # if it is a different instance:
    ProxyPass / http://localhost:9080/
    # or, if it is the same instance with a different webapp:
    # ProxyPass / http://localhost:8080/app2
    ProxyTimeout 360
</VirtualHost>

Again, the issues are that you have another process to maintain and you'll need to set up SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:

Header set Content-Security-Policy ...
Header set X-XSS-Protection "1; mode=block"

This setup has worked well for me with either Tomcat or Wildfly behind Apache.

Answer 2:

Sorry for necroposting, but there is a simpler option: just add several domains to one certificate.

The obvious way is with a wildcard certificate.

But Let's Encrypt also allows you to specify several domains for one certificate. It works fine, so there is no need to wait for free wildcard certificates.

sh /root/.acme.sh/acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d more.yourdomain.com -w /opt/wildfly-10.1.0.Final/welcome-content
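Whichever route is taken, an SNI-aware proxy in front of WildFly (Answer 1) or one multi-SAN certificate (Answer 2), the thing worth verifying afterwards is that the certificate actually presented for each domain name covers that name. The following Python script is an added example and not code from either answer; it sends a chosen name in the TLS ClientHello (SNI), reads the DNS names from the certificate the server picked, and reports any name the certificate does not cover, applying the usual wildcard rule (a `*.` label matches exactly one label). The host, port and domain names on the command line are assumptions to be replaced with your own.

```python
import socket
import ssl
from typing import Iterable, List


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname.

    Follows the common RFC 6125 rule: '*' may only be the whole leftmost label
    and matches exactly one label, so '*.example.com' covers 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]               # ".example.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]    # the part the '*' has to stand for
    return bool(head) and "." not in head


def uncovered_hostnames(san_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Return the hostnames that none of the certificate's DNS SANs cover."""
    sans = list(san_names)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def presented_dns_names(host: str, port: int, sni_name: str, timeout: float = 5.0) -> List[str]:
    """Connect to host:port, send sni_name as SNI, and return the DNS SANs of the
    certificate the server chose to present for that name.

    Hostname checking is disabled on purpose so that a mismatching certificate
    is returned (and reported) instead of raising; chain validation stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys
    # Assumed usage: python sni_check.py <proxy-or-wildfly-host> 443 example1.com example2.com
    target, port, *names = sys.argv[1:]
    for name in names:
        sans = presented_dns_names(target, int(port), name)
        missing = uncovered_hostnames(sans, [name])
        status = "OK" if not missing else "MISMATCH"
        print(f"{status:8} SNI={name:30} presented SANs={sans}")
```

Running it once per domain against the public address shows directly whether the proxy selects the right virtual host per SNI name, or whether the single Let's Encrypt certificate really lists every domain that clients will send.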