I have two different domains
Each domain has its own SSL certificate.
What I am trying to do now, is using both domains for the same WildFly instance, supporting SSL.
The WildFly documentation states, that I can only reference a single certificate in a keystore. Thus, I can't just define a single <security-realm>
with one keystore containing both certificates.
Thus, I defined two different <security-realm>
. One for each domain.
<security-realm name="RealmExample1">
<server-identities>
<ssl>
<keystore path="example1.jks" keystore-password="secret" />
</ssl>
</server-identities>
...
</security-realm>
<security-realm name="RealmExample2">
<server-identities>
<ssl>
<keystore path="example2.jks" keystore-password="secret2" />
</ssl>
</server-identities>
...
</security-realm>
However, I cannot add two security domains to a single host.
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
<https-listener name="default-ssl" security-realm="UndertowRealm" socket-binding="https"/>
<host name="default-host" alias="localhost">
<filter-ref name="central-basic-auth"/>
</host>
</server>
Now, if I define a server for each domain, I cannot reference the same http/https listener binding, since the ports are blocked.
The only solution I found so far, is having two public IP adresses and defining two interfaces and a http/https socket binding for each interface. Then I am able to define two servers with a different alias and different socket bindings.
As of now, WildFly unfortunately does not support SNI.
Is there any other possible solution?
While it would complicate your deployment a bit, have you considered putting Apache httpd in front of your Wildfly server? It would not be difficult to do and it does support SNI. You would have to change your certificates for Apache but then, with Apache virtual hosting you could have something like:
<VirtualHost _default_:443>
ServerName www.firstdomain.com
ProxyPreserveHost on
ProxyPass / http://localhost:8080/
ProxyTimeout 360
</VirtualHost>
in the first virtual host file and:
<VirtualHost _default_:443>
ServerName www.seconddomain.com
ProxyPreserveHost on
ProxyPass / http://localhost:9080/ # if it is a different instance or
ProxyPass / http://localhost:8080/app2 # if it the same instance, different webapp
ProxyTimeout 360
</VirtualHost>
Again, the issues are that you have another process to maintain and you'll need to setup SSL for Apache. But you can then use Apache to do SSL and, if you'd like, things like:
Header set Content-Security-Policy ...
Header set X-XSS-Protection "1; mode=block"
This setup has worked well for me with either Tomcat or Wildfly behind Apache.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With