Why Netty cannot serve multiple SSL domains from one IP
Due to some issues with a transparent proxy apparently employed by Vodafone New Zealand, a signed SSL certificate had to be added to the REST server in the Appjangle cloud in order to serve resources 'protected' from Vodafone's caching efforts.
One REST server in the Appjangle cloud can serve more than one domain … but this appears to be troublesome to achieve using SSL.
You would like to serve content through HTTPS from two domains from one IP address using Netty. For example:
both should be served from a Netty server running on the IP 126.96.36.199.
It is relatively easy to host multiple HTTP hosts on one IP address. One can implement a SimpleChannelUpstreamHandler arranged in a pipeline after a HttpRequestDecoder. The SimpleChannelUpstramHandler can then separate requests based on the HOST value of the incoming HttpRequests.
For SSL, this is not possible, since the SslHandler is usually defined at the very beginning of a Netty pipeline. This is an inherent requirement of the SSL protocol, which protects communication with an IP address and not with a domain.
It is therefore not possible to 'unwrap' the incoming encoded message and retrieve its HOST value, since this can only be done AFTER the SSL connection is established.
Note: This is not an inherent problem of Netty but caused by the JDK's SSL implementation.
One possible solution would be to use Server Name Indication – an extension to the SSL protocol to allow for 'virtual hosts' over SSL. However, this is extension not necessarily supported by all available HTTP clients. Moreover, it does not appear that Netty/Java currently support Server Name Indication.
Therefore, the best option at present appears to use one dedicated IP address for every HTTPS host you want to use.
Also note that JDK 7 adds support for Server Name Indication, so if you are running on this platform, you could explore if you can configure Netty to support it.