
I want to ask if the configuration to have multiple SSL on one IP in Jelastic is possible with Nginx Load Balancer.

The usage is for a proxy server that will receive requests from multiple custom domains.

For example:

example-proxy.com points to a Public IP address assigned to a Jelastic Jetty Application.

Now the custom domains point to the Jetty Application:

custom-domain-example.com CNAME www points to example-proxy.com, etc.

custom-domain-example-N.org CNAME www points to example-proxy.com, etc.

  • Is it possible to have this kind of configuration with Jelastic?
  • Is it possible to do this using the existing Jelastic API? Right now what I see in the API docs is BindSSL, but it seems it can only bind one; is this correct?
quarks

1 Answer

Yes it's possible, but you need to configure it manually (just in nginx configs) instead of using the Jelastic dashboard/API SSL feature.

The other point to remember is that because there's 1 IP per container, multiple SSL certificates can only be served via SNI. That may have implications for you depending on what browsers your users use: in most cases it's OK now (old mobile OS and Windows XP are the primary exceptions).

The BindSSL API method allows you to automatically configure one SSL certificate on the externally facing node of your environment (Nginx Load Balancer in your case). If you attempt to BindSSL multiple times you just replace the existing certificate (not add multiple certificates).

Basically this functionality was built before SNI was widely acceptable, so it was assumed 1 SSL cert. per 1 environment. You can read more about SNI to make an informed decision about whether it will suit your needs here: http://blog.layershift.com/sni-ssl-production-ready/

An alternative for your needs would be to purchase a multi-domain SSL certificate (SAN cert). This lets you contain multiple hostnames within 1 certificate. Since you mentioned that you're our customer, you can contact our SSL team for details/pricing for this option.

If you still want to use multiple SSL certs + serve them via SNI, you will probably need to use the Read and Write API methods to save the SSL certificate parts and config. file(s) on your Nginx node.

Don't forget to restart the nginx service (you can use RestartNodeById for that) after any config. changes.

EDIT: As you mentioned that your end users will have control over this process, you probably prefer to use reload instead of restart (see http://nginx.org/en/docs/beginners_guide.html#control).

You can invoke that via Jelastic API using ExecCmdById, with commandList=[{"command": "sudo service nginx reload"}]

But take care if you're allowing end users to upload their own certificates via your application - you need to ensure that what they upload is really a certificate and nothing malicious...

Damien - Layershift
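The upload-then-configure path the answer describes, as an added example that is not part of the original answer or of Jelastic's own tooling: it assumes a per-tenant directory under CERT_DIR (a hypothetical path on the Nginx node) and uses a constructed 5-byte DER blob as sample input. It shows the structural check a tenant-uploaded PEM file should pass before being written to the node, and the per-hostname server block that lets nginx pick a certificate by SNI without letting a tenant-supplied name inject directives.

```python
import base64, binascii, re

CERT_DIR = "/var/lib/nginx/ssl"  # assumed layout on the Nginx node, not a Jelastic path
# One DNS label per segment, no leading/trailing hyphen, at least two labels.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

def is_valid_hostname(name):
    return bool(HOSTNAME_RE.match(name.lower()))

def check_pem(text, allowed=("CERTIFICATE",)):
    """Structural check of an uploaded PEM file: only BEGIN/END blocks with an allowed
    label whose base64 decodes to a DER SEQUENCE, nothing else. Not a crypto check."""
    label, body, count = None, [], 0
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if label is None:
            m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", line)
            if not m or m.group(1) not in allowed:
                return False
            label = m.group(1)
        elif line == "-----END %s-----" % label:
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                return False
            if not der or der[0] != 0x30:  # 0x30 is the ASN.1 SEQUENCE tag
                return False
            label, body, count = None, [], count + 1
        else:
            body.append(line)
    return label is None and count > 0

def sni_server_block(hostname, upstream="http://127.0.0.1:8080"):
    """One server{} block per tenant: nginx matches the SNI name against server_name
    to choose the certificate. Unsafe names are refused to prevent config injection."""
    if not is_valid_hostname(hostname):
        raise ValueError("refusing unsafe hostname: %r" % hostname)
    host = hostname.lower()
    return "\n".join([
        "server {",
        "    listen 443 ssl;",
        "    server_name %s www.%s;" % (host, host),
        "    ssl_certificate     %s/%s/fullchain.pem;" % (CERT_DIR, host),
        "    ssl_certificate_key %s/%s/privkey.pem;" % (CERT_DIR, host),
        "    location / {",
        "        proxy_pass %s;" % upstream,
        "        proxy_set_header Host $host;",
        "    }",
        "}",
    ]) + "\n"
```

After the rendered block and the checked files are written to the node (via the Write API the answer mentions), the graceful `sudo service nginx reload` from the answer activates the new server block.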
  • Thanks for the reply, we are actually using Layershift (Jelastic) for this specific question. So you mean there's no automated way to add certificates in Jelastic? The Jelastic API docs tell about `BindSSL`; is this not useful for this context? – quarks Jul 07 '16 at 03:29
  • @xybrek I updated my answer with more detailed information. It might also help to understand more about why you want to do this via API (are you dynamically adding more domains to your environment: how many / what frequency?). – Damien - Layershift Jul 07 '16 at 09:52
  • Damien, thanks for this reply. Yes, indeed what we need is to allow our users to upload their own SSL certificates using our web application dashboard. This way they can have their own custom SSL tied to their domains pointing to our Java Server through nginx. From your updated answer it seems there is a workaround using the File read/write API of Jelastic; the question is, would it automatically process the SSL when certificates are stored in the location? From my experience with Jelastic, when I uploaded one custom cert it worked by uploading through the 3 text boxes available in the dashboard. – quarks Jul 07 '16 at 18:35
  • I am worried about the last step, which is `RestartNodeById`, since it is a shared nginx: it would affect (downtime) the other users' apps. Or would this not affect them? – quarks Jul 09 '16 at 18:59
  • You're right, this can cause downtime. But you can set up multiple Nginx instances and restart them one by one. – Virtuozzo Jul 11 '16 at 11:12
  • There is a way to restart the nginx node gracefully w/o downtime by using one of the following API methods: `ExecCmdById`, `ExecCmdByType`, `ExecCmdByGroup` with the following parameter: `commandList=[{"command": "sudo service nginx reload"}]` – Ruslan Jul 12 '16 at 08:55
  • I'm having problems around this too. My Jelastic doesn't have FTP access to the NGinx container. I have a Node container with FTP access, so I put my cert files there, but I'm unable to get NGinx to search for them there. – Patric Jan 09 '17 at 13:41
  • @Patric please start a new question with full details about your issue. – Damien - Layershift Jan 10 '17 at 14:49