I have two projects running on Wildfly-8 and I have two SSL certificates for each of them and one IP.

I figured out that I should have one IP for one SSL certificate.

But I needed to use these two SSL certificates for one IP. I couldn't find a way to do it with Wildfly but there was a way to do it with Apache Server. So, I installed Apache Server up to Wildfly.

I listen on the HTTPS port (443) on Apache and redirect it to Wildfly's HTTP port (I used 8080). It works without any problem.

What I wonder is:

1. Does Apache decrypt the request and redirect it to Wildfly?
2. Is it the correct way to do it, or have I done it by chance?
3. Does this method create a security hole?

I googled some, but I could not find satisfying answers.

Thanks for replies.

xxlali

1 Answer

For this answer, I'm supposing that by "redirecting" you mean "proxying": Apache receives the request, proxies it to Wildfly, receives an answer from Wildfly, sends the answer to the client.

If you mean something else, then the simple answer is: it is wrong[1].

  1. Does Apache decrypt the request and redirect it to Wildfly?

Yes. Apache will receive and send secure data to/from the client. Its communication with Wildfly will be plaintext.

  2. Is it the correct way to do it, or have I done it by chance?

That's how it's usually done, yes. In other words: a load balancer and/or a proxy in front of Wildfly (Apache in your case). Wildfly itself is not reached directly by the public internet.

  3. Does this method create a security hole?

It does, just like everything else is a security "compromise". In this case, you are trusting your internal network, in the name of a more practical/manageable architecture. If you do not trust your internal network, you should look for another solution. In the general case, the price to pay seems fair to me, as you'll "only" be open to a man-in-the-middle between your Apache and your Wildfly. So, if you trust your internal network, you should trust that there won't be any MITM there.

Edit

[1] - As with everything else in life, there's no absolute truth. Basically, there are 3 techniques that can be used in a scenario like this: pass through, edge and re-encryption.

  • Pass through is a "dumb" pipe, where nothing about TLS is known by the proxy. Wildfly would then handle the secure communication with the client. I'm not sure Apache would do this, but this can be done with haproxy in TCP mode;
  • Edge (or offloading) is the situation I described above: Client talks TLS with Apache, Apache talks plaintext with Wildfly;
  • Re-encryption, which is like Edge, but the communication between Apache and Wildfly is also TLS, using a different certificate.
jpkroehling
  • Thanks a lot for your comment – xxlali Jan 14 '16 at 12:24
  • @jpkrohling What if MITM is a possibility? In the case of a virtual server somewhere I have to trust in the good will of the hosting company. Would it close this MITM-problem, if Wildfly does the HTTPS part and Apache just proxies it from the internet port 443 through to Wildfly? Securing Wildfly: https://docs.jboss.org/author/pages/viewpage.action?pageId=66322705 – Socrates Feb 03 '17 at 02:55
  • @Socrates if you serve on port 443 from Wildfly, you should have an SSL certificate for Wildfly. And if you have 2 SSL certificates and one IP, you cannot do it on Wildfly. If you have one IP and one SSL certificate then you can use Wildfly and you don't need Apache – xxlali Feb 03 '17 at 06:37
  • @Socrates, yes, but then, you might not need Apache. Wildfly's HTTP server (Undertow) is very capable of handling decent workloads, so, you can remove Apache from the picture. – jpkroehling Feb 03 '17 at 08:36
  • @jpkrohling Right. I could imagine the case though, where subdomain-a.mysite.com handles the Java App on Wildfly proxied by Apache, while subdomain-b.mysite.com handles some PHP website handled by Apache and the PHP plugin. Would it be better in this case to separate HTTPS certificates, having one for each subdomain, or would it be wiser to create one with a wildcard like *.mysite.com? – Socrates Feb 03 '17 at 19:49
  • Everything depends on your threat model and automatization level :) If there are chances you might lose control of your cert keys, then it's certainly better to have individual certs. They are easier (and cheaper) to request and can be individually revoked, but the more certs, the more you want to automate your deployment. – jpkroehling Feb 06 '17 at 08:16
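
The edge and re-encryption setups described in the answer, as an added Apache 2.4 configuration example that is not part of the original question, answer or comments: two name-based (SNI) virtual hosts share one IP, each with its own certificate. The hostnames, file paths, the internal CA and the backend host on port 8443 are assumed placeholders; only port 8080 comes from the question.

```apache
# Added example (constructed): hostnames, certificate paths and backend
# addresses are placeholders. Requires mod_ssl, mod_proxy, mod_proxy_http
# and mod_headers on Apache 2.4.
Listen 443

# Edge termination: TLS ends at Apache, plaintext HTTP goes to Wildfly.
# The backend is addressed on loopback so the unencrypted hop never
# leaves the host; Wildfly's 8080 should not be reachable from outside.
<VirtualHost *:443>
    ServerName app-a.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app-a.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app-a.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests     Off
    ProxyPreserveHost On
    # Tell the application that the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Re-encryption: Apache terminates the client's TLS session and opens a
# second TLS session to Wildfly. Use this when the hop between the two
# crosses a network you do not trust.
<VirtualHost *:443>
    ServerName app-b.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app-b.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app-b.example.com.key

    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine on
    # Without verification the second TLS hop encrypts but does not
    # authenticate the backend, so a MITM on that hop still succeeds.
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on
    ProxyPass        / https://wildfly.internal.example:8443/
    ProxyPassReverse / https://wildfly.internal.example:8443/
</VirtualHost>
```

`apachectl configtest` checks the syntax before a reload.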