在一台机器上使用SSL的Tomcat和Apache Web服务器
[英]Tomcat and Apache Webserver using SSL on one machine
问题描述
I have tomcat installed and running on an ubuntu 12.04 LTS system utilizing port 443 for https requests (GeoTrust certificate installed). 
我已经安装了tomcat并在ubuntu 12.04 LTS系统上运行,并使用端口443进行https请求(安装了GeoTrust证书)。
On the same machine, apache2 responds to requests on port 80. 在同一台机器上,apache2响应端口80上的请求。
Now I was given to task to secure the webapps (php) running on apache2 with SSL as well, but with a different server certificate. 现在,我承担了使用SSL(但使用其他服务器证书)保护在apache2上运行的webapps(php)的任务。
Is this possible at all? 这有可能吗? - My assumption would be "no", because I cannot have two servers listening on the same port, but I'm not too sure and haven't found any helpful information about this so far. -我的假设是“否”,因为我不能有两台服务器在同一端口上进行侦听,但是我不太确定,到目前为止还没有找到任何有用的信息。
Any help would be highly appreciated.. 任何帮助将不胜感激。
1 个解决方案
解决方案1
0 已采纳 2013-10-04 19:08:11
These days, you'll still have difficulty serving more than one certificate on a single interface/port combination (eg 0.0.0.0:443). 这些天来,您仍然很难在单个接口/端口组合上提供多个证书(例如0.0.0.0:443)。 IF you want to use two separate ports for HTTPS, it's no problem. 如果要为HTTPS使用两个单独的端口,那没有问题。 If you want to bind to different interfaces (eg 1.2.3.4:443 and 4.3.2.1:443) it's no problem. 如果要绑定到不同的接口(例如1.2.3.4:443和4.3.2.1:443),那没问题。 If you want them both on the same interface/port, you'll have to rely on Server Name Indication which may or may not be supported by your web server version and/or client. 如果您希望它们都在同一接口/端口上,则必须依靠Web服务器版本和/或客户端可能支持或可能不支持的服务器名称指示。
If you want different certificates, you probably want different hostnames, too, so maybe you can get a second interface configured on the machine. 如果需要不同的证书,则可能也需要不同的主机名,因此也许可以在计算机上配置第二个接口。 Note that you don't need to have multiple NICs on the machine just to enable a different interface: your OS should be able to create another interface with a different IP address and still share the NIC. 请注意,您不需要仅在计算机上具有多个NIC即可启用不同的接口:您的操作系统应该能够创建具有不同IP地址的另一个接口,并且仍然共享NIC。 Then you just set DNS to point each hostname to a different IP address and make sure you bind each SSL VirtualHost to the proper IP address (instead of using 0.0.0.0 or * for the hostname). 然后,只需将DNS设置为将每个主机名指向一个不同的IP地址,并确保将每个SSL VirtualHost绑定到正确的IP地址(而不是将0.0.0.0或*用作主机名)。
Honestly, SNI is the easiest thing to do: just use VirtualHosts with SSL enabled (with different certs) in each one the way you'd "expect" it to work and see if the server starts up without complaint. 坦白地说,SNI是最容易做到的事情:只需以每种方式使用启用SSL(带有不同证书)的VirtualHosts,就可以“期望”它正常工作,并查看服务器是否在启动时毫无抱怨。 If so, you'll need to test your clients to see if it's going to work for your audience. 如果是这样,您将需要测试您的客户,以了解它是否对您的受众有用。 For the SNI scenario, I am assuming that Apache httpd would handle all of the SSL traffic and that you'd use something like mod_proxy_* or mod_jk to proxy to Tomcat. 对于SNI场景,我假设Apache httpd将处理所有SSL流量,并且您将使用mod_proxy_*或mod_jk来代理Tomcat。
For the split-IP scenarios, you can do whatever you want: terminate SSL within Tomcat or use httpd for everything and proxy for dynamic content to Tomcat. 对于split-IP方案,您可以执行任何操作:在Tomcat中终止SSL或对所有内容使用httpd,并为Tomcat提供动态内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.