How to access multiple virtual hosts with a single SSL instance?

1 Answer

Tomcat uses both hostname + path to determine where the request should go: if you have multiple virtual hosts, then /foo might map to two different virtual hosts depending upon the Host header (or URL, which
generally agree with each other).

The only complication TLS adds is that a certificate often only has one single hostname in it, and the server can only bind to "all interfaces" on a single port (e.g. 443) a single time. Thus, administrators often have to pick a certificate that will work for everyone.

As you have mentioned, SNI offers a way around this: the client can notify the server which host they are attempting to contact and the server can reply with the preferred certificate for that host. I don't believe Tomcat has direct support for SNI, though Java 7+ should be able to handle it if the server software (Tomcat in this case) is capable. I haven't looked into how it can be done, but at this point, Tomcat should probably include this feature, at least for JSSE.

There are other ways to get around this, including using wildcard TLS certificates, binding to different network interfaces to get s unique interface/port combination for each certificate, etc.

Tomcat /can/ be used, here, but it currently takes some creativity.

answer Aug 13, 2014 by Dewang Chaudhary

Similar Questions

+1 vote

ssl on tomcat: making all links also https

I'm using apache 2.2 as front end and apache tomcat 6.0.37 as backend. I'm using mod_jk for connecting them.

The problem is. I'm using ssl certificates and configured ssl on apache. when I connect the site with https it works but when I click on an link it no more secure i.e. its not secure browsing anymore.

My requirement is as follows.

If user connects as https all the links should work as https. If the user connects as http all the links should work as http is such thing is possible?

+1 vote

Apache: Virtual Hosts and SSL Puzzler

I have 3 virtual hosts that for all I can see are configured identically other the the obviously needed differences. The same is true of the 3 crt files.

 ServerName public.mydomain.com
 DocumentRoot /var/www/html
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/public.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

 ServerName distrib.mydomain.com
 DocumentRoot /var/www/html/distrib
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/distrib.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

 ServerName mail.mydomain.com
 DocumentRoot /usr/local/squirrelmail/www
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/mail.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

The problem is that 2 of them work perfectly and the lock shows up in the browser. With the third (public), I get a gray globe indicating partial encryption which does not prevent eavesdropping. I have no clue
how to debug this or even where to look. Can someone point me in the right direction?

0 votes

HTTPS with basic authentication in Header

I'm trying to setup a forward proxy to access certain endpoints on Remote server which require https with basic authentication in header.

A(Application server) ---> Forward proxy (B) ----> Remote server(C)

i'm at B on which i have setup below Apache Virtual host in which i'm setting the headers to use basic authentication passing encoded value of user & pass configured on remote server.However,i want to include HTTPS in my request to C to ensure the headers are sent securely with encrption to remote server (C). I do Not want to use a separate Virtual host for HTTPS. Should i include a SSL Server certificate in my proxy configuration as given below with the basic authentication in header ?
How can i achieve this in Single virtual host ? I have limited knowledge on apache, so please help here.

I tried searching on the internet but did not find the required solution.

##### vHost 9099 is for basic auth with HTTPS #####
Listen *:9099
<VirtualHost *:9099>

        ServerName      myservername.com
        ServerAlias     myservername.com
        ServerAdmin     iamadmin@myservername.com
        DocumentRoot    /my/doc/root/
        SSLEngine on
        RewriteEngine On
        AllowEncodedSlashes NoDecode

        ProxyRequests On

        # SSL configuration

        SSLCertificateFile       /Path to cert.pem
        SSLCertificateKeyFile    /Path to private key
        SSLCACertificateFile     /Path to CA certs


        ##  Basic64  Encoded XXXX od user and passwd in header

         RequestHeader set Authorization "Basic XXXXX"


         ##  Endpoints accessed via https with basic authentication in header

         ProxyPass /api/api1/   https://30.30.115.22:11111/api/api1/
         ProxyPassReverse /api/api1/    https://30.30.115.22:11111/api/api1/


</VirtualHost>

+1 vote

Apache: How to check what ciphers are available to the https compiled binary?

How do I checks what ciphers are available to the https compiled binary, and how do I check with of those are active in the configuration?

Is there any technical reason that ECDHE-RSA-AES128-SHA256 cannot be used on a server with a self-signed cert (there's no e-commerce or any financial data of any sort on the server).

If an existing server wants to switch so that all traffic is encrypted using DH if possible (interested in implementing Perfect Forward Secrecy) are there any "Gotcha's" lurking in the bushes?

If you enable ECDHE-RSA-AES128-SHA256, should you disable EDH?

To be accessible for most people (including some Windows XP users), what else do I need to enable in the cipher suite? RC4? RC4-SHA? TLSv1? AES?

Which ones do I need to avoid?

0 votes

How can I address SSL Certificate issue in Firefox with WebDriver?

how to manage the secured connection error in HTTPS?

How to access multiple virtual hosts with a single SSL instance?

Your comment on this post:

1 Answer

Your comment on this answer:

Your answer

Preview