> -----Original Message-----
> From: Rory Kelly [mailto:rory.ke...@fernsoftware.com]
> Sent: Monday, March 16, 2015 7:53 AM
> To: Tomcat Users List
> Subject: Multiple SSL certificates on one Instance
> 
> Hey guys,
> 
> 
> 
> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
> have to implement a different solution. Been hunting for an answer, but
> couldn’t find anything definite.
> 
> I’m running Tomcat 8.0.18,
> 
> Java 1.7.0_75-b13,
> 
> Ubuntu 14.04.
> 
> 
> 
> I have multiple sites running on Virtual Hosts on the instance. For a bit
> of background, I am intending on creating a 2-server load balanced system
> using nginx as a balancer on virtual servers (Best I can do, given our
> hosting/not possible to move away from it)
> 
> I need each site to be protected by its own SSL certificate, provided by
> the client for each site.
> 
> 
> 
> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
> going to have to go learn nginx/httpd and provide it that way?
> 
> 
> 
> Thanks,
> 
> Rory

Rory -

The guys have all given some hints that this is probably coming, but not yet
here. The rest of the answer depends on your ultimate requirements.

If you require that all the hosts are truly virtual, i.e. they all listen to
the same IP-port combo, then it's definitely easier/better to terminate the SSL
on your NGINX load-balancer, which presumably already has the needed support.
There are some minor adjustments on the Tomcat connector config, but they are
adequately explained in the Tomcat docs. Plus terminating on the load-balancer
will save some processing cycles in Tomcat.

If you have the ability to assign multiple IP-port combos, then there's really
only 1 way to do it on the Tomcat side: Create a unique <Service> tree for each
host. This tree will have its own <Engine>, <Connector>, <Valve>, <Host>, etc.
entries, basically everything you might need that can't be put at the Global
level. Be sure to specify both an HTTP and HTTPS connector so that TRANSPORT
GUARANTEE will function properly. Trying to do it all inside one <Service>
tree is just asking for trouble.

If you go back in the archives a year or so, I think I posted a sample
server.xml implementing the above.

Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
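
A sketch of the one-<Service>-per-host layout described in the reply above, added here as an illustration; it is not the sample server.xml the reply mentions and not taken from the Tomcat project. The IP addresses (documentation range), host names, service and engine names, appBase directories, keystore paths and passwords are all placeholder assumptions, and the connector attributes are the JSSE ones from the Tomcat 8.0 connector documentation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: every address, name, path and password is a placeholder. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Site A: its own Service tree, bound to its own IP address -->
  <Service name="SiteA">
    <!-- Plain HTTP connector. redirectPort is where Tomcat sends requests that hit
         a <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint. -->
    <Connector address="192.0.2.10" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- HTTPS connector holding only site A's certificate and key -->
    <Connector address="192.0.2.10" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystores/site-a.jks"
               keystorePass="PLACEHOLDER_SITE_A_PASSWORD"
               clientAuth="false" sslProtocol="TLS" />
    <!-- Engine names are kept distinct across Service trees -->
    <Engine name="SiteAEngine" defaultHost="site-a.example.com">
      <Host name="site-a.example.com" appBase="webapps-site-a"
            unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="site-a_access" suffix=".log"
               pattern="common" />
      </Host>
    </Engine>
  </Service>

  <!-- Site B: same shape, different IP address, keystore and appBase -->
  <Service name="SiteB">
    <Connector address="192.0.2.11" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector address="192.0.2.11" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystores/site-b.jks"
               keystorePass="PLACEHOLDER_SITE_B_PASSWORD"
               clientAuth="false" sslProtocol="TLS" />
    <Engine name="SiteBEngine" defaultHost="site-b.example.com">
      <Host name="site-b.example.com" appBase="webapps-site-b"
            unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="site-b_access" suffix=".log"
               pattern="common" />
      </Host>
    </Engine>
  </Service>
</Server>
```

Because keystorePass sits in clear text, server.xml and the keystore files should be readable only by the account Tomcat runs as.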
