
SSL redirection from Apache to Wildfly

I have two projects running on Wildfly-8, and I have two SSL certificates, one for each of them, and one IP.

I figured out that I should have one IP for one SSL certificate.

But I needed to use these two SSL certificates for one IP. I couldn't find a way to do it with Wildfly, but there was a way to do it with Apache Server. So, I installed Apache Server in front of Wildfly.

I listen on the HTTPS port (443) on Apache and redirect it to Wildfly's HTTP port (I used 8080). It works without any problem.

What I wonder is:

1. Does Apache decrypt the request and redirect it to Wildfly?
2. Is it the correct way to do it, or have I done it by chance?
3. Does this method create a security hole?

I googled some, but I could not find satisfying answers.

Thanks for replies.

xxlali asked Mar 13 '23 14:03


1 Answer

For this answer, I'm supposing that by "redirecting" you mean "proxying": Apache receives the request, proxies it to Wildfly, receives an answer from Wildfly, sends the answer to the client.

If you mean something else, then the simple answer is: it is wrong[1].

  1. Does Apache decrypt the request and redirect it to Wildfly?

Yes. Apache will receive and send secure data to/from the client. Its communication with Wildfly will be plaintext.

  2. Is it the correct way to do it, or have I done it by chance?

That's how it's usually done, yes. In other words: a load balancer and/or a proxy in front of Wildfly (Apache in your case). Wildfly itself is not reached directly by the public internet.

  3. Does this method create a security hole?

It does, just as everything else is a security "compromise". In this case, you are trusting your internal network in the name of a more practical/manageable architecture. If you do not trust your internal network, you should look for another solution. In the general case, the price to pay seems fair to me, as you'll "only" be open to a man-in-the-middle between your Apache and your Wildfly. So, if you trust your internal network, you should trust that there won't be any MITM there.

Edit

[1] - As everything else in life, there's no absolute truth. Basically, there are 3 techniques that can be used in a scenario like this: pass through, edge and re-encryption.

  • Pass through is a "dumb" pipe, where nothing about TLS is known by the proxy. Wildfly would then handle the secure communication with the client. I'm not sure Apache would do this, but this can be done with haproxy in TCP mode;
  • Edge (or offloading) is the situation I described above: Client talks TLS with Apache, Apache talks plaintext with Wildfly;
  • Re-encryption, which is like Edge, but the communication between Apache and Wildfly is also TLS, using a different certificate.
jpkrohling answered Mar 24 '23 09:03
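The following Apache 2.4 configuration is an added example, not part of the question or the answer above, and not the asker's actual setup. It shows the two things the thread discusses: two certificates on one IP (name-based TLS virtual hosts selected by SNI), and the "edge" versus "re-encryption" variants of proxying to Wildfly, plus a real HTTP redirect on port 80 to make the redirect/proxy distinction concrete. The hostnames app1.example.com and app2.example.com, the certificate paths, the context roots /app1/ and /app2/, the internal address wildfly.internal and the internal CA file are all placeholders; the re-encryption vhost additionally assumes Wildfly has an HTTPS listener on 8443 with a certificate issued by that internal CA.

```apache
# Added example (not from the question or answer). Assumes Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_rewrite loaded,
# and Wildfly listening on 127.0.0.1:8080 (HTTP). Hostnames, cert paths and
# context roots are placeholders.

Listen 443

# A genuine *redirect*: plaintext visitors on :80 are told to come back over
# https://. This is the HTTP 301 "redirect"; everything below is proxying.
<VirtualHost *:80>
    ServerName  app1.example.com
    ServerAlias app2.example.com
    RewriteEngine On
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# Project 1: "edge" / TLS offloading.
# One IP, two certificates works because the client sends the hostname in
# the TLS ClientHello (SNI) and Apache picks the matching vhost. A client
# without SNI support gets the certificate of the first *:443 vhost.
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app1.example.com.crt     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/app1.example.com.key   # placeholder
    Header always set Strict-Transport-Security "max-age=31536000"

    # TLS ends here; the hop to Wildfly is plaintext on the loopback interface,
    # so this vhost only trusts the network between Apache and Wildfly.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"   # lets the app build https:// URLs
    ProxyPass        / http://127.0.0.1:8080/app1/
    ProxyPassReverse / http://127.0.0.1:8080/app1/
</VirtualHost>

# Project 2: "re-encryption".
# Apache terminates the client's TLS with the public certificate, then opens
# a second TLS session to Wildfly using Wildfly's own internal certificate.
# Verifying that certificate against an internal CA is what closes the
# Apache-to-Wildfly man-in-the-middle the answer mentions.
<VirtualHost *:443>
    ServerName app2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app2.example.com.crt     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/app2.example.com.key   # placeholder
    Header always set Strict-Transport-Security "max-age=31536000"

    SSLProxyEngine on
    SSLProxyVerify require                                  # reject unverifiable backends
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt  # placeholder internal CA
    SSLProxyCheckPeerName on                                # cert must match wildfly.internal

    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / https://wildfly.internal:8443/app2/   # assumes a Wildfly HTTPS listener
    ProxyPassReverse / https://wildfly.internal:8443/app2/
</VirtualHost>
```

Two checks go with either variant. First, the answer's "Wildfly itself is not reached directly by the public internet" only holds if port 8080 is not exposed: start Wildfly with `standalone.sh -b 127.0.0.1` (or set the `public` interface to 127.0.0.1 in standalone.xml) and firewall 8080/8443 from outside, otherwise the TLS in front of it can be bypassed entirely. Second, once Apache is in front, Wildfly sees every request as coming from the proxy's address over plain HTTP; setting `proxy-address-forwarding="true"` on the Undertow http-listener makes it honour the X-Forwarded-* headers Apache sets, which matters for access logs and for any "secure channel required" constraints in web.xml.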