I have multiple domains (example1.com, example2.com, ...) hosted on the same IP. One of these domains (example3.com) has an SSL certificate and I want to serve it over HTTPS, while keeping all the other sites on HTTP. I have this set up and working correctly, so far.
My problem is that requests to https://www.example1.com (note the s) are getting handled by the Apache configuration section for example3.com (which begins <VirtualHost *:443>), which causes problems as this is a Django site, and amongst other things it generates a 400 Bad Request due to example1.com not being in Django's ALLOWED_HOSTS setting.
I understand that the nature of SSL means that the Host: header is not known until after the secure connection is established. But is there a way of getting Apache to reject any requests over HTTPS that are not for example3.com?
I had expected use of the ServerName directive within the SSL Virtualhost to restrict that section to just the named host, but upon closer inspection of the docs it seems that is only the case for name-based virtual hosts.
Edit: I have tried adding a catch-all default as the first section, like the following:
<VirtualHost *:443>
ServerName default.only
<Location />
Require all denied
</Location>
</VirtualHost>
This causes the following error:
[Thu Dec 04 10:31:27.922801 2014] [mpm_event:notice] [pid 10498:tid 3074255488] AH00491: caught SIGTERM, shutting down
[Thu Dec 04 10:31:29.928483 2014] [ssl:emerg] [pid 30518:tid 3074300544] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Thu Dec 04 10:31:29.928551 2014] [ssl:emerg] [pid 30518:tid 3074300544] AH02312: Fatal error initialising mod_ssl, exiting.
As @Polosson said in the comment, you'll need to create two port 443 virtual hosts to end up with this arrangement.
The first one you list will be the catch-all for anything arriving on port 443 -- this is implicit in listing it first. The second will be used when the host is example3.com via ServerName.
The errors you have posted indicate that you haven't included relevant necessary SSL configuration for your domains; for any domains/subdomains you wish to be accessible via SSL, you will need to provide relevant information for the certificate, etc, in the VirtualHost configuration(s) for the domains in question, eg:
You will then need to create appropriate VirtualHost segments for the rest of your domains, but in these you will of course only configure the listen port to be 80, with no SSL configuration options, eg:
Hope this helps!
PS, the above configurations for SSLCipherSuite and SSLProtocol are good - you can use them to save you time researching other possible configurations if you wish.
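The arrangement both answers describe, written out as an added example that is not part of the original question or answers: the asker's deny-all catch-all listed first and given its own certificate (the AH02240 error above is what happens without one), followed by the real example3.com host and one HTTP-only site. All file paths, the placeholder certificate and the DocumentRoot are assumptions.

```apache
# Added example. Certificate paths and DocumentRoot are placeholders (assumptions).

# 1) Catch-all: listed first, so it is the default for any request on port 443
#    whose name matches no later ServerName (e.g. https://www.example1.com).
<VirtualHost *:443>
    ServerName default.only
    SSLEngine on
    # mod_ssl needs a certificate for this host too; without one, startup
    # fails with AH02240 as in the log above. A self-signed placeholder is
    # enough, since every request that lands here is refused anyway.
    SSLCertificateFile    /etc/ssl/certs/placeholder-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/placeholder-selfsigned.key
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# 2) The one site that is really served over HTTPS.
<VirtualHost *:443>
    ServerName example3.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example3.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example3.com.key
    # ... existing Django/WSGI configuration for example3.com goes here ...
</VirtualHost>

# 3) Every other site stays on port 80 with no SSL directives at all.
<VirtualHost *:80>
    ServerName example1.com
    ServerAlias www.example1.com
    DocumentRoot /var/www/example1
</VirtualHost>
```

Running `apachectl configtest` before restarting catches a missing certificate file. With this in place, a request for https://www.example1.com gets a 403 from the catch-all and never reaches Django's ALLOWED_HOSTS check.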