
I'd like to provide a web hosting service on my VPS running Glassfish v4. That means many domains with one shared IP address of the VPS. I know there are problems with SSL certificates for many domains on one IP and that the SNI extension may solve this problem (right?). So my question is whether Glassfish supports this.

Thanks

xwinus

1 Answer


According to the Glassfish 4 security guide, https://glassfish.java.net/docs/4.0/security-guide.pdf, there is NO support for SNI. However, it's generally bad practice IMO (though still debated by many) to expose Glassfish directly to the internet.

I usually solve this problem by running an Apache server with mod_ajp_proxy, connected to a jk-listener on Glassfish.

nickrak
    Thank you. Can you please explain why it is bad practice to expose GF directly? – xwinus Aug 24 '13 at 19:30
  • Glassfish is not designed to be a hardened system, and should not be run as root (which is required to bind to ports below 1024). Some people say it's good enough and simply run GF as root, I prefer to keep GF running as an unprivileged user, and let Apache use the public ports (80/443). As a simpler platform IMO, Apache is more secure and has less attackable points than GF. If someone finds an exploit for Apache, I expect it will be patched in a few hours. GF has numerous attackable points (JMS, IIOP, etc), all of which are open by default and closing those are usually non-trivial. – nickrak Aug 24 '13 at 22:49
  • In addition, FIPS compliance in GF is near impossible, with Apache it can be done in 10-15 minutes by simply selecting the right packages. When there's a security breach, it could take a couple days for Apache to patch. The live download of Glassfish 4.0 is currently build 89, which has been available since September 14th, 2011, and has not been patched since then. I have a hard time believing that there's been no vulnerabilities found since then. Despite being my container of choice, I still feel it's safer to put it behind that extra layer of security that Apache provides. – nickrak Aug 24 '13 at 22:56
  • Can you explain why "Glassfish is not designed to be a hardened system"? Why is there such belief that Apache is better than common application servers? I don't see why adding a layer that just proxies requests to Glassfish would add any security, on the contrary. And yes, you could run Glassfish on ports < 80, there are various ways to achieve that. – ymajoros Feb 10 '14 at 19:10
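To make the deployment the answer describes concrete, here is an added example (written for this page, not taken from the original answer or from the GlassFish project) of an Apache httpd 2.4 front end that owns ports 80 and 443, serves one certificate per hostname via SNI, and forwards each site over AJP to a Glassfish 4 jk listener bound to localhost, so Glassfish itself never needs a privileged port or a public-facing listener. The host names example.org and example.net, the certificate paths, and the AJP port 8009 are assumptions; the asadmin lines in the comments are the commands I would expect for GlassFish 4 (create-network-listener with --jkenabled is documented in its admin guide) and should be checked against your version's documentation.

```apache
# Added example, not part of the original answer. Apache httpd 2.4 reverse
# proxy in front of Glassfish 4: TLS with SNI name-based virtual hosts on
# Apache, AJP to a Glassfish jk listener on localhost. Host names, file
# paths and port 8009 are assumptions.
#
# Glassfish side (run Glassfish as an unprivileged user; nothing below 1024
# is needed). Assumed commands, check them against the GlassFish 4 admin guide:
#   asadmin create-network-listener --protocol http-listener-1 \
#       --listenerport 8009 --jkenabled true jk-connector
#   asadmin set server.network-config.network-listeners.network-listener.jk-connector.address=127.0.0.1
# Also bind or firewall the default 8080 (http-listener-1) and 4848 (admin)
# listeners so that only Apache is reachable from the internet.

LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so

Listen 80
Listen 443

# Reject TLS clients that send no SNI (or an unknown name) with a 403 rather
# than silently answering them with the first vhost's certificate.
SSLStrictSNIVHostCheck on

# Only ever proxy to the local Glassfish listener; never act as a forward proxy.
ProxyRequests Off

# Plain-HTTP vhosts exist only to redirect to the TLS site of the same name.
<VirtualHost *:80>
    ServerName example.org
    Redirect permanent / https://example.org/
</VirtualHost>

<VirtualHost *:80>
    ServerName example.net
    Redirect permanent / https://example.net/
</VirtualHost>

# One TLS vhost per hostname; mod_ssl picks the vhost (and therefore the
# certificate) from the SNI hostname the client sends in ClientHello.
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    # AJP carries the original Host header and the is-secure flag to Glassfish,
    # so the application sees request.isSecure()==true and the right hostname.
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.net
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCertificateFile    /etc/ssl/certs/example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/example.net.key
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

After `apachectl configtest` and a reload, verify the SNI side with `openssl s_client -connect <vps-ip>:443 -servername example.net | openssl x509 -noout -subject`, which should print the example.net certificate, while the same command with `-servername example.org` returns the other one; and confirm from outside the VPS that 8009, 8080 and 4848 are not reachable, since with this layout only Apache is meant to be exposed.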