
I have two different domains

  • example1.com
  • example2.com

Each domain has its own SSL certificate.

What I am trying to do now is use both domains for the same WildFly instance, supporting SSL.

The WildFly documentation states that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm> with one keystore containing both certificates.

Thus, I defined two different <security-realm> elements, one for each domain.

    <security-realm name="RealmExample1">
        <server-identities>
            <ssl>
                <keystore path="example1.jks" keystore-password="secret" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

    <security-realm name="RealmExample2">
        <server-identities>
            <ssl>
                <keystore path="example2.jks" keystore-password="secret2" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

However, I cannot add two security domains to a single host.

    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
        <https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
            <filter-ref name="central-basic-auth"/>
        </host>
    </server>

Now, if I define a server for each domain, I cannot reference the same http/https listener binding, since the ports are blocked.

The only solution I found so far is having two public IP addresses and defining two interfaces and an http/https socket binding for each interface. Then I am able to define two servers with a different alias and different socket bindings.

As of now, WildFly unfortunately does not support SNI.

Is there any other possible solution?

kevcodez
  • I'm not familiar with WildFly, however unless WildFly supports [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication), you need two separate IPs as you have already found. SNI is what makes multiple HTTPS sites on a single IP address work. I haven't been able to find anything stating that WildFly 10 supports SNI. I would start by finding out if WildFly supports SNI, then finding the appropriate documentation if it does. – vcsjones May 24 '16 at 12:40
  • Thanks for the answer. WildFly 10 does not support SNI out of the box. There is a Jira ticket that requests the feature though: https://issues.jboss.org/browse/XNIO-227 – kevcodez May 24 '16 at 12:43
  • That's pretty much your answer then. Without SNI, you need multiple IP addresses. That's a limitation of TLS, not WildFly. Without SNI, TLS is unable to tell WildFly "which" host is being resolved to that IP address. – vcsjones May 24 '16 at 12:56
  • @kevcodez If you found a solution, please let me know, I have exactly the same problem now. – midikko May 25 '16 at 12:32
  • @midikko Our preferred solution, as mentioned below, is using an Apache web server in front of the WildFly application server. Apache is a lot more stable and has a huge community. Also, Apache supports SNI for multiple domains / certificates. – kevcodez Jun 13 '16 at 10:20

2 Answers


While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your Wildfly server? It would not be difficult to do and it does support SNI. You would have to change your certificates for Apache but then, with Apache virtual hosting you could have something like:

<VirtualHost _default_:443>
    ServerName www.firstdomain.com
    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyTimeout 360
</VirtualHost>

in the first virtual host file and:

<VirtualHost _default_:443>
    ServerName www.seconddomain.com
    ProxyPreserveHost on
    # if it is a different instance:
    ProxyPass / http://localhost:9080/
    # or, if it is the same instance with a different webapp
    # (trailing slash needed so /x maps to /app2/x, not /app2x):
    # ProxyPass / http://localhost:8080/app2/
    ProxyTimeout 360
</VirtualHost>

Again, the issues are that you have another process to maintain and you'll need to set up SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:

Header set Content-Security-Policy ...
Header set X-XSS-Protection "1; mode=block"

This setup has worked well for me with either Tomcat or Wildfly behind Apache.

stdunbar
  • Thank you for your answer. We are actually experimenting with the exact setup you mentioned (Apache + WildFly). This is also our preferred solution, since we do not want to expose the WildFly. – kevcodez Jun 13 '16 at 10:16

Sorry for necroposting, but there is a simpler option - just add several domains to one certificate.

The obvious way is with a wildcard certificate.

But Let's Encrypt also allows you to specify several domains for one certificate. And it works fine, no need to wait for free wildcard certificates:

sh /root/.acme.sh/acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d more.yourdomain.com -w /opt/wildfly-10.1.0.Final/welcome-content
Oleg Gritsak
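As an added illustration of why both answers work (this is not code from the question or either answer), here is a small Python model of two things: the SNI-based virtual host selection an Apache front end performs, including what a client that sends no SNI gets, and the hostname matching a browser applies to a multi-domain (SAN) or wildcard certificate as in the acme.sh answer. The vhost names, backends and SAN lists are constructed placeholders.

```python
# Added example: models SNI-driven vhost/certificate selection and
# RFC 6125-style hostname matching. Sample data below is constructed.
from dataclasses import dataclass


@dataclass
class VHost:
    server_name: str   # Apache ServerName
    san: list          # DNS names in the certificate's SubjectAltName
    backend: str       # ProxyPass target


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Wildcard only as the whole left-most label, matching exactly one
    label: *.example.com covers www.example.com but neither example.com
    nor a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san: list, hostname: str) -> bool:
    return any(dns_name_matches(name, hostname) for name in san)


def select_vhost(vhosts: list, sni_name) -> VHost:
    """Apache-style selection: the SNI name picks the matching ServerName;
    a client that sends no SNI (or an unknown name) falls back to the first
    <VirtualHost _default_:443> and is handed *that* vhost's certificate."""
    if sni_name:
        for v in vhosts:
            if v.server_name.lower() == sni_name.lower():
                return v
    return vhosts[0]


def handshake_outcome(vhosts: list, sni_name, requested_host: str):
    """Return (backend, cert_ok). cert_ok is False when the certificate
    presented does not cover the host the browser validates against."""
    v = select_vhost(vhosts, sni_name)
    return v.backend, cert_covers(v.san, requested_host)


# Constructed sample: one vhost and one single-name certificate per domain.
SEPARATE_CERTS = [
    VHost("www.firstdomain.com", ["www.firstdomain.com"], "http://localhost:8080/"),
    VHost("www.seconddomain.com", ["www.seconddomain.com"], "http://localhost:9080/"),
]
# Constructed sample: one SAN certificate covering three names (acme.sh answer).
SAN_CERT = ["yourdomain.com", "www.yourdomain.com", "more.yourdomain.com"]
```

The non-SNI case is the one the comments describe: without the SNI name, the front end cannot tell which host is wanted and serves the default vhost's certificate, which fails validation for the second domain.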