When Apache (v2.4) assigns a request to a vhost, it will use the first matching ServerName/ServerAlias across all configs, but if nothing matches it will use the first (ignoring the ServerName/ServerAlias definitions).
https://httpd.apache.org/docs/2.4/vhosts/details.html
The first name-based vhost in the configuration file for a given IP:port pair is significant because it is used for all requests received on that address and port for which no other vhost for that IP:port pair has a matching ServerName or ServerAlias.
The problem I'm having is on a shared host with a control panel. Some domains have a SSL certificate and others do not. When someone tries to access their domain without a certificate using HTTPS, I'd rather return a 404 instead of someone else's content after a security warning.
I've tried setting up a *:443 vhost that matches ServerAlias * and that didn't work. I have successfully setup a catch-all vhost matching each IP:443 individually, but this means I'll have to remember to edit this file when an IP is added to the server.
Is there a way to configure explicit ServerName/ServerAlias matches only so vhost only matches specific hostnames, or is configuring a higher priority "catchall" vhost with a shared SSL certificate the only way to workaround this issue?