I'm using Apache2 and named virtual hosts to serve two different dotcom's (exampleone.com and exampletwo.com) from one IP address. One site (exampleone.com) should be HTTP and HTTPS, while the other (example2.com) should serve HTTP only.
So far I've gotten their respective HTTP sites working as expected, and I've gotten HTTPS working for the site it's intended for--however when I go to https://exampletwo.com I'm being served https://exampleone.com content and security warnings.
How do I get https://exampletwo.com requests to be rejected?
<VirtualHost 1.2.3.4:80>
    ServerName exampleone.com
    ServerAlias *.exampleone.com
    DocumentRoot /var/www/exampleone.com
    <Directory /var/www/exampleone.com>
        Options MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    CustomLog /var/log/apache2/exampleone.log combined
</VirtualHost>
<VirtualHost 1.2.3.4:80>
    ServerName exampletwo.com
    ServerAlias *.exampletwo.com
    DocumentRoot /var/www/exampletwo.com
    <Directory /var/www/exampletwo.com>
        Options MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    CustomLog /var/log/apache2/exampletwo.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 1.2.3.4:443>
    ServerAdmin [email protected]
    ServerName exampleone.com
    ServerAlias *.exampleone.com
    DocumentRoot /var/www/exampleone.com
    <Directory /var/www/exampleone.com>
        Options MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    CustomLog /var/log/apache2/exampleone-ssl.log combined
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/exampleone.com.crt
    SSLCertificateKeyFile /etc/ssl/private/exampleone.com.key
</VirtualHost>
</IfModule>
EDIT: as others pointed out, look at SNI.
As explained here, a server being contacted via https cannot guess before sending its certificate what domain name the client wants to talk to.
If http://exampleone.com is served by https, it means that the first thing a visitor will get from this server is "Hi, my certificate is valid for the name http://exampleone.com", even if you want http://exampletwo.com. Thus, you cannot deactivate https for http://exampletwo.com, nor set up a redirect or whatever that wouldn't lead to a warning for the visitor. More explanations here.
To address your concern, you need two different IP addresses to serve your two domain names.
You can enable SNI. All you have to do is include a NameVirtualHost *:443 with your Listen 443 statement (in the Ubuntu Apache config, add it to /etc/apache/ports.conf). You can then configure a second SSL virtual host, and give them both a ServerName.
Note: old browsers don't support SNI. No version of IE on Windows XP, for instance. In that case, the IP address per site restriction user2299bla mentions is valid.
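The second answer's suggestion written out as a configuration, as an added example that is not part of the original answers: a second SSL virtual host for exampletwo.com that returns 403 instead of exampleone.com's content. The exampletwo.com certificate, key and log paths are assumptions, and NameVirtualHost uses 1.2.3.4:443 to match the question's VirtualHost address.

```apache
# Added example, Apache 2.2 syntax to match the question's config.
# Needs an SNI-capable build (Apache 2.2.12+ with OpenSSL TLS extension support).
Listen 443
# Must match the <VirtualHost> address exactly; the question uses 1.2.3.4:443.
NameVirtualHost 1.2.3.4:443

# Listed first, so it is also the default for clients that send no SNI name
# or a name that matches no other vhost on this address.
<VirtualHost 1.2.3.4:443>
    ServerName exampleone.com
    ServerAlias *.exampleone.com
    DocumentRoot /var/www/exampleone.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/exampleone.com.crt
    SSLCertificateKeyFile /etc/ssl/private/exampleone.com.key
    CustomLog /var/log/apache2/exampleone-ssl.log combined
</VirtualHost>

# Second SSL vhost: catches https://exampletwo.com and answers 403.
<VirtualHost 1.2.3.4:443>
    ServerName exampletwo.com
    ServerAlias *.exampletwo.com
    SSLEngine on
    # Assumed paths. The handshake finishes before the 403 is sent, so a
    # certificate not valid for exampletwo.com still produces a browser warning.
    SSLCertificateFile /etc/ssl/certs/exampletwo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/exampletwo.com.key
    # Deny every path on this vhost (Apache 2.4 equivalent: Require all denied).
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    # Assumed log path, following the naming used in the question.
    CustomLog /var/log/apache2/exampletwo-ssl.log combined
</VirtualHost>
```

Clients that do not send SNI still land on the first vhost and receive the exampleone.com certificate, which is the limitation the note about old browsers describes.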