Tags: ssl, wildfly, wildfly-10

WildFly multiple domains and SSL certificates


I have two different domains.

Each domain has its own SSL certificate.

What I am trying to do now is to use both domains for the same WildFly instance, with SSL support.

The WildFly documentation states that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm> with one keystore containing both certificates.

So I defined two different <security-realm>s, one for each domain.

    <security-realm name="RealmExample1">
        <server-identities>
            <ssl>
                <keystore path="example1.jks" keystore-password="secret" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

    <security-realm name="RealmExample2">
        <server-identities>
            <ssl>
                <keystore path="example2.jks" keystore-password="secret2" />
            </ssl>
        </server-identities>
        ...
    </security-realm>

However, I cannot add two security domains to a single host.

    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
        <https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
            <filter-ref name="central-basic-auth"/>
        </host>
    </server>

Now, if I define a server for each domain, I cannot reference the same http/https listener socket bindings, since the ports are already bound.

The only solution I have found so far is having two public IP addresses and defining two interfaces and an http/https socket binding for each interface. Then I am able to define two servers with different aliases and different socket bindings.

As of now, WildFly unfortunately does not support SNI.

Is there any other possible solution?


Solution

  • While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your Wildfly server? It would not be difficult to do and it does support SNI. You would have to change your certificates for Apache but then, with Apache virtual hosting you could have something like:

    <VirtualHost *:443>
        ServerName www.firstdomain.com
        # Certificate and key for this name (converted from example1.jks; paths are placeholders)
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/www.firstdomain.com.crt
        SSLCertificateKeyFile /etc/ssl/private/www.firstdomain.com.key
        ProxyPreserveHost on
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        ProxyTimeout 360
    </VirtualHost>


    in the first virtual host file and:

    <VirtualHost *:443>
        ServerName www.seconddomain.com
        # Certificate and key for this name (converted from example2.jks; paths are placeholders)
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/www.seconddomain.com.crt
        SSLCertificateKeyFile /etc/ssl/private/www.seconddomain.com.key
        ProxyPreserveHost on
        # Either a separate WildFly instance ...
        ProxyPass / http://localhost:9080/
        ProxyPassReverse / http://localhost:9080/
        # ... or a second web app on the same instance (use one pair, not both):
        # ProxyPass / http://localhost:8080/app2/
        # ProxyPassReverse / http://localhost:8080/app2/
        ProxyTimeout 360
    </VirtualHost>


    Again, the issues are that you have another process to maintain and you'll need to set up SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:

    Header set Content-Security-Policy ...
    Header set X-XSS-Protection "1; mode=block"
    

    This setup has worked well for me with either Tomcat or Wildfly behind Apache.
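The whole point of the reverse-proxy answer above is that the TLS terminator picks a certificate from the SNI name the client sends. The following added example (not code from the question or the answer) shows that mechanism end to end in Python's standard `ssl` module: a tiny server that swaps certificates in `sni_callback`, and a probe function that connects claiming a hostname via SNI, verifies the served certificate against that hostname, and returns the DNS names it actually received. The probe is the same check you would run against the Apache front end once it is up (`served_san("your.proxy.host", 443, "www.firstdomain.com", cafile)`). Assumptions: the `openssl` CLI (1.1.1 or newer) is on PATH to mint two throwaway self-signed certificates, and the hostnames www.firstdomain.com / www.seconddomain.com from the answer are only claimed via SNI while the connection goes to 127.0.0.1.

```python
"""SNI dispatch demo and probe (added example, not part of the original Q&A)."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Hostnames taken from the answer; they are asserted via SNI only, never resolved.
HOSTS = ("www.firstdomain.com", "www.seconddomain.com")


def make_self_signed(directory, hostname):
    """Mint a throwaway key + self-signed cert with a DNS SAN (assumes openssl CLI)."""
    key = os.path.join(directory, hostname + ".key")
    crt = os.path.join(directory, hostname + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + hostname,
         "-addext", "subjectAltName=DNS:" + hostname],
        check=True, capture_output=True)
    return key, crt


def build_server_context(certs):
    """One SSLContext per hostname; the first one also acts as the dispatcher/default."""
    contexts = {}
    for name, (key, crt) in certs.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(crt, key)
        contexts[name] = ctx
    default = contexts[HOSTS[0]]

    def pick(sock, server_name, _ctx):
        # Runs mid-handshake with the SNI the client sent (None if it sent none).
        # Unknown or missing names fall back to the default cert, like Apache's first vhost.
        sock.context = contexts.get(server_name, default)

    default.sni_callback = pick
    return default


def serve(ctx, listener, stop):
    """Accept loop: complete the TLS handshake, then wait for the client to hang up."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        conn.settimeout(5)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # nothing to serve; returns b"" when the client closes
        except (ssl.SSLError, OSError):
            pass


def served_san(host, port, server_name, cafile):
    """Connect to host:port claiming `server_name` via SNI, verify the chain and the
    hostname, and return the DNS SANs of the certificate actually presented.
    A wrong certificate makes wrap_socket raise SSLCertVerificationError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.load_verify_locations(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    return sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")


def demo():
    """Run the SNI server on an ephemeral port and probe it once per hostname.
    Returns {hostname: [DNS SANs of the cert served for that SNI name]}."""
    with tempfile.TemporaryDirectory() as d:
        certs = {h: make_self_signed(d, h) for h in HOSTS}
        bundle = os.path.join(d, "bundle.pem")  # trust both self-signed certs
        with open(bundle, "w") as out:
            for _, crt in certs.values():
                with open(crt) as f:
                    out.write(f.read())
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen()
        port = listener.getsockname()[1]
        stop = threading.Event()
        t = threading.Thread(target=serve, args=(build_server_context(certs), listener, stop),
                             daemon=True)
        t.start()
        try:
            return {h: served_san("127.0.0.1", port, h, bundle) for h in HOSTS}
        finally:
            stop.set()
            t.join()
            listener.close()


if __name__ == "__main__":
    for name, sans in demo().items():
        print(f"SNI {name} -> certificate for {sans}")
```

Without SNI the server can only ever answer with its default certificate, which is exactly the limitation the question runs into; the `pick` callback is the one decision point an SNI-capable front end adds, and `served_san` fails loudly (hostname mismatch) rather than silently if a vhost is wired to the wrong keystore.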