Neil,
On 8/12/14, 6:01 PM, Neil Aggarwal wrote:
> Up until now, I have always run Apache in front of Tomcat. I am
> wondering if I should change to using Tomcat as a standalone
> server.
>
> My concern is how to use multiple virtual hosts with a single SSL
> instance running on the standard https port.
>
> With httpd server, I can access my webapp using the directory name
> in the URL. For example, if I have an app called app1, it uses
> URLs that look like this:
> http://www.app1.com/app1/index.html
> https://ssl.example.com/app1/index.html
>
> If I have another app, it would use URLs like this:
> http://www.app2.com/app2/index.html
> https://ssl.example.com/app2/index.html
>
> This is because mod_jk will forward anything with the app name as
> the first part of the URL to Tomcat.
>
> From what I am reading in the documentation, Tomcat uses the
> hostname to determine the webapp to use. That won't work since
> they need to use the same hostname in ssl mode.

Tomcat uses both hostname + path to determine where the request should go: if you have multiple virtual hosts, then /foo might map to two different virtual hosts depending upon the Host header (or URL, which generally agree with each other).

The only complication TLS adds is that a certificate often only has one single hostname in it, and the server can only bind to "all interfaces" on a single port (e.g. 443) a single time. Thus, administrators often have to pick a certificate that will work for everyone.

As you have mentioned, SNI offers a way around this: the client can notify the server which host they are attempting to contact and the server can reply with the preferred certificate for that host. I don't believe Tomcat has direct support for SNI, though Java 7+ should be able to handle it if the server software (Tomcat in this case) is capable. I haven't looked into how it can be done, but at this point, Tomcat should probably include this feature, at least for JSSE.
There are other ways to get around this, including using wildcard TLS certificates, binding to different network interfaces to get a unique interface/port combination for each certificate, etc. Tomcat /can/ be used, here, but it currently takes some creativity.

-chris
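For readers following the thread, a server.xml skeleton that puts the two points above together: Tomcat selecting the <Host> from the Host header and the <Context> from the first path segment, plus one HTTPS Connector per certificate bound to its own address (the "different network interfaces" workaround, since without SNI one listening socket can present only one keystore). This is an added example, not code from the original message or from Tomcat's distribution. The hostnames are those used in the thread; the 192.0.2.x addresses, keystore file names and passwords, and the appBase directory names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Tomcat 7/8, JSSE connectors.
     Assumed: 192.0.2.10 and 192.0.2.20 are both configured on this server,
     ssl.example.com resolves to the first and www.app2.com to the second. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Plain HTTP on all interfaces: name-based virtual hosting needs no
         certificate, so one connector serves www.app1.com and www.app2.com. -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- HTTPS for ssl.example.com: a dedicated address:443 with its own
         keystore. Both webapps are reachable here by path (/app1, /app2)
         because the Engine routes on Host header + first path segment. -->
    <Connector address="192.0.2.10" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"
               keystoreFile="conf/ssl.example.com.jks"
               keystorePass="changeit" />

    <!-- A second certificate needs a second address:443 pair; the port
         cannot be shared with the connector above on "all interfaces". -->
    <Connector address="192.0.2.20" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"
               keystoreFile="conf/www.app2.com.jks"
               keystorePass="changeit" />

    <Engine name="Catalina" defaultHost="ssl.example.com">

      <!-- https://ssl.example.com/app1/... and /app2/...: app1.war and
           app2.war both live in this appBase, so the path picks the app. -->
      <Host name="ssl.example.com" appBase="webapps-ssl"
            unpackWARs="true" autoDeploy="false" />

      <!-- http://www.app1.com/app1/...: its own Host, so a context named
           /foo here is independent of /foo under any other Host. -->
      <Host name="www.app1.com" appBase="webapps-app1"
            unpackWARs="true" autoDeploy="false" />

      <Host name="www.app2.com" appBase="webapps-app2"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
```

Two things worth checking in this layout. First, the certificate is chosen by the address the client connected to, while the <Host> is chosen by the Host header; if DNS sends www.app2.com traffic to 192.0.2.10, the request still lands in the right Host but the browser sees the ssl.example.com certificate and warns. Second, verify each listener independently with `openssl s_client -connect 192.0.2.20:443 -servername www.app2.com </dev/null | openssl x509 -noout -subject` (and likewise for 192.0.2.10) and confirm the subject matches the name you expect on that address.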