-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 8/12/2014 8:45 PM, Christopher Schultz wrote: > Neil, > > On 8/12/14, 6:01 PM, Neil Aggarwal wrote: >> Up until now, I have always run Apache in front of Tomcat. I am >> wondering if I should change to using Tomcat as a standalone >> server. > >> My concern is how to use multiple virtual hosts with a single >> SSL instance running on the standard https port. > >> With httpd server, I can access my webapp using the directory >> name in the URL. For example, if I have an app called app1, it >> uses URLs that look like this: >> http://www.app1.com/app1/index.html >> https://ssl.example.com/app1/index.html > >> If I have another app, it would use urls like this: >> http://www.app2.com/app2/index.html >> https://ssl.example.com/app2/index.html > >> This is because mod_jk will forward anything with the app name >> as the first part of the URL to Tomcat. > >>> From what I am reading in the documentation, Tomcat uses the >>> hostname >> to determine the webapp to use. That won't work since they need >> to use the same hostname in ssl mode. > > Tomcat uses both hostname + path to determine where the request > should go: if you have multiple virtual hosts, then /foo might map > to two different virtual hosts depending upon the Host header (or > URL, which generally agree with each other). > > The only complication TLS adds is that a certificate often only > has one single hostname in it, and the server can only bind to > "all interfaces" on a single port (e.g. 443) a single time. Thus, > administrators often have to pick a certificate that will work for > everyone. > > As you have mentioned, SNI offers a way around this: the client > can notify the server which host they are attempting to contact and > the server can reply with the preferred certificate for that host. > I don't believe Tomcat has direct support for SNI, though Java 7+ > should be able to handle it if the server software (Tomcat in this > case) is capable. I haven't looked into how it can be done, but at > this point, Tomcat should probably include this feature, at least > for JSSE. > > There are other ways to get around this, including using wildcard > TLS certificates, binding to different network interfaces to get s > unique interface/port combination for each certificate, etc. > > Tomcat /can/ be used, here, but it currently takes some > creativity. > > -chris >
Chris, Does Java 7 have server side support for SNI? I had this discussion on the list a while back, and I think we came to the conclusion that SNI was not supported. I'll have to dig through my archives and the public archives to make sure I'm not mistaken. Ah no - server side SNI is not available until Java 8. I don't know if Tomcat 8 can take advantage of that or not (haven't looked at the code). However Tomcat 7 plus Java 7 equals no server side SNI. You're stuck with fronting Tomcat with something like Apache HTTPD and using a SAN cert. This is what we currently do in production. Later versions of Apache HTTPD support SSL named virtual hosts (with a little care). . . . just my (late night) 2 cents /mde/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (MingW32) iQEbBAEBAgAGBQJT6v05AAoJEEFGbsYNeTwtrrIH+OFbR9JGOvdkVQHQH0/Gqiel OPEk0lQj55FqdBAu68zyP58SeKw0PAI8+C5BX7kLtcFBkgrGGsbuzdIMG4rjNuEY qrFcilq7wLZrelolIv8zaFnEwmcV/C6uNtbq6wN1hlDW/gaiuuqCd266Dh8ClF0i iCGydpFlUO/+J8ytKZY+kj5YPNi1S7RqmC0dpT9nYIDbQbK82DYC56FLmg8Tb8AR TKkJ+ClBLiojHdC9aZaRtZXPPmrOxm9S8pMA9MgNBhQnctv1+TvC0mMsGk3Spy21 clQSckNy+buuRmiJ+VJ1DFlt4Ba1EJgNAbnMe7rivGKq/rg/0rQYbrQvkwb64Q== =B438 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
