I have multiple SSL vhosts and non-SSL vhosts served from a single server. If one of the non-SSL vhosts is accessed using "https", the first SSL directive is used. Is there some setting to make it so that only vhosts with explicitly matching server names can be used?
So, let's say I have www.a.com, www.b.com, and www.c.com.
Let's say I also have https://www.a.com and https://www.b.com.
If I go to https://www.c.com, it is the same as using the site https://www.a.com. This is undesired behavior. Is there something I could set so that no site would be used?
I don't believe so as Apache will just read the first 443 port that it sees and will present that to the user.
You could provide a blank directory with a .htaccess page inside that could catch what is coming in and redirect to the http version. You can do this using the following:
Don't forget to put the httpd.conf configuration for the .htaccess directory at the beginning, before the first 443 entry.
You must have a default vhost for SSL connections. But it doesn't have to contain any content, so you can create a new vhost for that purpose and use a self-signed certificate.
That default vhost must be configured to support a new enough SSL version to receive the SNI from the client [source: Apache Wiki]. It may be configured with SSLStrictSNIVHostCheck to disallow clients without SNI support.
As far as I can tell from those links, clients which do support SNI, but report a domain name for which you don't have an explicit matching vhost will always end up on the default vhost, which is why you might want one without content.
Neither approach is really good for a domain without HTTPS, since it won't give a good user experience. Instead I recommend that you either support HTTPS on all your domains (it is possible to get a certificate for free), or instead use different IP addresses for domains with and without HTTPS support.
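Added example for the two answers above (the content-less default SSL vhost, and the catch-all redirect back to HTTP). This is not configuration posted by either answerer; the hostnames, document root, certificate paths and the `default.invalid` ServerName are assumptions for illustration, and `mod_ssl` plus `mod_rewrite` are assumed to be loaded.

```apache
# Added example, not from the answers above. Paths and names are assumptions.
Listen 443

# This vhost MUST be the first one for *:443: Apache treats the first
# <VirtualHost> matching an address:port as the default for that pair, so any
# HTTPS request whose SNI/Host name has no explicit vhost lands here.
<VirtualHost *:443>
    ServerName   default.invalid          # assumed placeholder name
    DocumentRoot /var/www/empty           # assumed empty directory, no content

    SSLEngine on
    # Self-signed pair, as the second answer suggests (assumed paths).
    SSLCertificateFile    /etc/ssl/certs/default-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/default-selfsigned.key

    # Reject clients that do not send SNI at all, so they cannot reach any
    # name-based SSL vhost on this address:port by accident.
    SSLStrictSNIVHostCheck on

    # Catch-all from the first answer, inlined here instead of a .htaccess:
    # send the request back to the plain-HTTP version of whatever host was asked for.
    RewriteEngine on
    RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
</VirtualHost>

# Real SSL vhosts follow; they are selected only on an exact ServerName match.
<VirtualHost *:443>
    ServerName   www.a.com
    DocumentRoot /var/www/a                # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.a.com.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/www.a.com.key   # assumed path
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.b.com
    DocumentRoot /var/www/b                # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.b.com.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/www.b.com.key   # assumed path
</VirtualHost>
```

Note the limitation the second answer points out: the redirect can only be issued after the TLS handshake has completed, so a browser visiting https://www.c.com still sees a certificate warning for the self-signed default certificate before it is sent to http://www.c.com. The vhost stops www.c.com from being served as www.a.com, which is the question's actual problem, but it does not make the experience clean.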
Use one IP address for virtual hosts which won't use SSL, and a separate IP address for virtual hosts which do use SSL. Ensure that your Listen and VirtualHost directives for SSL specify that IP address explicitly, rather than, e.g. *:443.
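Added example for the answer above, not configuration posted by the answerer: the weak wildcard form beside the address-specific form. The two addresses are constructed documentation-range placeholders, and the paths are assumptions.

```apache
# Added example, not from the answer above. 192.0.2.10 / 192.0.2.11 and the
# DocumentRoot paths are constructed placeholders.

# Weak form (what the question describes): the SSL vhost is bound to every
# address, so a TLS connection for www.c.com on the same server is answered by
# the first *:443 vhost, i.e. served as www.a.com.
#
#   Listen 443
#   <VirtualHost *:443>
#       ServerName www.a.com
#       ...
#   </VirtualHost>

# Corrected form: plain-HTTP vhosts on one address, SSL vhosts on another.
Listen 192.0.2.10:80
Listen 192.0.2.11:80
Listen 192.0.2.11:443

# www.c.com resolves in DNS to 192.0.2.10 (assumed). Nothing listens on
# 192.0.2.10:443, so https://www.c.com is refused at the TCP level instead of
# being served by some other site's vhost.
<VirtualHost 192.0.2.10:80>
    ServerName   www.c.com
    DocumentRoot /var/www/c                # assumed path
</VirtualHost>

# www.a.com and www.b.com resolve to 192.0.2.11 (assumed); both HTTP and HTTPS
# vhosts bind to that address explicitly rather than to *.
<VirtualHost 192.0.2.11:80>
    ServerName   www.a.com
    DocumentRoot /var/www/a                # assumed path
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   www.a.com
    DocumentRoot /var/www/a                # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.a.com.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/www.a.com.key   # assumed path
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   www.b.com
    DocumentRoot /var/www/b                # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.b.com.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/www.b.com.key   # assumed path
</VirtualHost>
```

The separation only holds if every non-SSL hostname actually resolves to the address that has no 443 listener; a stray DNS record pointing www.c.com at 192.0.2.11 brings back the original problem, so the check to run after the change is that each hostname's A record matches the address its vhost is bound to.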