Disabling SSL for one site/domain in Tomcat 8.5

We currently have an Ubuntu server running Tomcat 8.5 that hosts two websites from different domains. It's a weird situation but long story short, we need to disable SSL for one of the two sites and keep SSL functioning for the other site. This server currently has one IP address. The two site names are structured as follows:

site1.a.net
site2.a.com

We'd like to disable SSL for site1.a.net and keep SSL enabled for site2.a.com. Is this possible in Tomcat 8.5?


[In order not to use any registered domains, let's use site1.example.net and site2.example.com, which are reserved for documentation purposes.]

Redirection from HTTPS to HTTP works just the same as redirection from HTTP to HTTPS, with a twist: when a client opens https://site1.example.net, the server must present a trusted TLS certificate for site1.example.net before any redirection is possible. Failing to do that will result in a security warning in the browser. I would use a Let's Encrypt certificate for that.

Otherwise you just need to configure two <Host>s in your <Engine> and two <Certificate>s in your <Connector>. Your site1.example.com host needs a RewriteValve to perform the redirect:

<Service name="Catalina">
    <!-- HTTP connector -->
    <Connector port="80" redirectPort="443"/>
    <!-- HTTPS connector -->
    <!-- If the client does not use SNI it ends up with site1.example.net certificate -->
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="site1.example.net">
        <SSLHostConfig hostName="site1.example.net">
            <Certificate certificateFile="conf/site1.example.net.crt" certificateKeyFile="conf/site1.example.net.key" />
        </SSLHostConfig>
        <SSLHostConfig hostName="site2.example.com">
            <Certificate certificateFile="conf/site2.example.com.crt" certificateKeyFile="conf/site2.example.com.key" />
        </SSLHostConfig>
    </Connector>
    <!-- If a client doesn't send a Host: header or puts the IP in the Host: header it ends up on site1.example.net -->
    <Engine defaultHost="site1.example.net" name="Catalina">
        <Host appBase="webapps/site2.example.com" name="site2.example.com">
            ...
        </Host>
        <Host appBase="webapps/site1.example.net" name="site1.example.net">
            <!-- We need it for the redirect -->
            <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
        </Host>
    </Engine>
</Service>

In order to configure the RewriteValve you just need to create a file conf/Catalina/site1.example.net/rewrite.config with content

# If the client connected through HTTPS
RewriteCond %{HTTPS} on
# Temporarily redirect to the HTTP version
RewriteRule ^ http://site1.example.net%{REQUEST_PATH} [R,L]
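Because the redirect can only be sent after the TLS handshake succeeds, a missing or misnamed SSLHostConfig silently falls back to the default certificate and produces the browser warning described above. The following check is an added example, not part of the original answer: it parses a server.xml fragment and reports every Host that has no matching SSLHostConfig with a Certificate. The function name `check_sni_coverage` and the embedded XML (a constructed copy of the configuration above with the Host bodies trimmed) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the server.xml from the answer (Host bodies trimmed).
SERVER_XML = """
<Service name="Catalina">
  <Connector port="80" redirectPort="443"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             defaultSSLHostConfigName="site1.example.net">
    <SSLHostConfig hostName="site1.example.net">
      <Certificate certificateFile="conf/site1.example.net.crt" certificateKeyFile="conf/site1.example.net.key"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="site2.example.com">
      <Certificate certificateFile="conf/site2.example.com.crt" certificateKeyFile="conf/site2.example.com.key"/>
    </SSLHostConfig>
  </Connector>
  <Engine defaultHost="site1.example.net" name="Catalina">
    <Host appBase="webapps/site2.example.com" name="site2.example.com"/>
    <Host appBase="webapps/site1.example.net" name="site1.example.net"/>
  </Engine>
</Service>
"""

def check_sni_coverage(server_xml):
    """Return findings for each TLS connector in a Tomcat <Service> fragment."""
    service = ET.fromstring(server_xml)
    hosts = sorted(h.get("name", "").lower() for h in service.iter("Host"))
    findings = []
    for conn in service.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no certificates involved
        port = conn.get("port")
        # Tomcat's default for both attributes is the literal name _default_
        configs = {c.get("hostName", "_default_").lower(): c
                   for c in conn.findall("SSLHostConfig")}
        default = conn.get("defaultSSLHostConfigName", "_default_").lower()
        if default not in configs:
            findings.append(f"port {port}: default SSLHostConfig '{default}' is not defined")
        for name, cfg in configs.items():
            if cfg.find("Certificate") is None:
                findings.append(f"port {port}: SSLHostConfig '{name}' has no <Certificate>")
        for host in hosts:
            wildcard = "*." + host.partition(".")[2]  # one-level wildcard entry
            if host not in configs and wildcard not in configs:
                findings.append(f"port {port}: host '{host}' has no SSLHostConfig; "
                                f"clients get the '{default}' certificate")
    return findings
```

An empty list means every Host is covered; the check does not confirm that the certificate files exist or that a client trusts them.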