
I have a number of virtual hosts serving sites from Apache. Each site has its own config file and many have SSL certificates set up.

The 00_default.conf file's <VirtualHost *:80> points to a static 404-type page.

This all works well... My problem is if you visit a site in https mode that doesn't have SSL set up or does not have a config file, it defaults to using the SSL certificate from the first config file it finds containing <VirtualHost *:443>.

I assume I need to create a rule in the 00_default.conf to catch requests for pages that don't exist when requested via HTTPS. So far I have not found a configuration that works.

Andrew Schulman

1 Answer

There are two things:

  • You will always get a browser warning/error message when you connect with HTTPS to a website on a webserver that does not present a valid TLS certificate that includes the website name you've entered in the URL. Designating a different virtual host to deal with those requests won't change that basic truth.
  • Designating a specific virtual host to become the default HTTPS virtual host will only change which (mismatched) TLS certificate will be presented and what web content will be shown.

The best method to properly solve this issue is to set up HTTPS for all websites that you're hosting on your web server.

In the absence of that: probably the easiest is to add an HTTPS VirtualHost entry to your existing 00_default.conf, resulting in something like:

<VirtualHost _default_:80>
        ServerName      www.example.com
        ServerAlias     example.com
        DocumentRoot    /var/www/html/www.example.com/
</VirtualHost>

<VirtualHost _default_:443>
        ServerName      www.example.com
        ServerAlias     example.com
        DocumentRoot    /var/www/html/www.example.com/
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        # The Header directives need mod_headers loaded
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        SSLCompression off
        # SSLUseStapling also needs a server-level (outside any VirtualHost)
        # SSLStaplingCache directive, e.g. SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768),
        # otherwise httpd refuses to start
        SSLUseStapling on
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
        SSLCACertificateFile /etc/letsencrypt/live/www.example.com/chain.pem
</VirtualHost>

Bob
  • Wouldn't that still result in the browser getting a message about the example.com cert not matching the requested site? I mean, isn't this just substituting a known default, to prevent a "first site" selection by the Virtual Host Matching process, which might return what seems like a "random" site selection to anyone who doesn't know that process? If that's the case, there is still a mismatch error. No? – TonyG Sep 30 '22 at 19:09
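The following is an added example, not code from the question, the answer or the Apache project. It models the documented Apache 2.4 rule behind both the question and the comment above: among the VirtualHosts listening on the connection's address:port, the one whose ServerName or ServerAlias matches the requested host (the TLS SNI name) is used; if none matches, the first VirtualHost listed for that address:port is the fallback. It assumes config files are loaded in sorted filename order (as with an IncludeOptional conf.d/*.conf), which is why a 00_ prefix makes a file load first, and treats _default_ as an alias for *. The vhost names, certificate names and file names below are constructed sample data.

```python
"""Simulate Apache name-based VirtualHost selection for an HTTPS request.

Added illustration; it is not Apache code and only approximates the documented
selection rule (name match first, otherwise the first listed vhost for the
address:port). All vhosts and certificates below are constructed examples.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class VHost:
    config_file: str                 # file the block lives in; decides load order
    port: int                        # 80 or 443
    server_name: str
    aliases: List[str] = field(default_factory=list)
    cert_names: List[str] = field(default_factory=list)  # names in the cert (SAN); empty = no TLS


def load_order(vhosts: List[VHost]) -> List[VHost]:
    """Order as Apache would see them: by config filename, then position in file."""
    return [v for _, v in sorted(enumerate(vhosts), key=lambda kv: (kv[1].config_file, kv[0]))]


def _name_matches(host: str, patterns: List[str]) -> bool:
    host = host.lower()
    return any(fnmatch(host, p.lower()) for p in patterns)


def select_vhost(vhosts: List[VHost], port: int, sni_host: str) -> Optional[VHost]:
    """Pick the vhost Apache would use for a request to sni_host on the given port."""
    candidates = [v for v in load_order(vhosts) if v.port == port]
    if not candidates:
        return None
    for v in candidates:
        if _name_matches(sni_host, [v.server_name] + v.aliases):
            return v
    # No ServerName/ServerAlias matched: Apache falls back to the first listed vhost
    return candidates[0]


def diagnose(vhosts: List[VHost], sni_host: str) -> dict:
    """Which :443 vhost answers for sni_host, and does its certificate cover that name?"""
    v = select_vhost(vhosts, 443, sni_host)
    if v is None:
        return {"vhost": None, "cert_matches": False, "reason": "nothing listens on :443"}
    cert_ok = _name_matches(sni_host, v.cert_names)
    reason = "certificate covers the requested name" if cert_ok else \
        "browser will warn: certificate does not include " + sni_host
    return {"vhost": v, "cert_matches": cert_ok, "reason": reason}


# Constructed sample: the layout from the question, before the answer's change.
# 00_default.conf only has a :80 block, so the first :443 block found is alpha's.
BEFORE = [
    VHost("00_default.conf", 80, "default.invalid"),
    VHost("alpha.example.conf", 80, "alpha.example", ["www.alpha.example"]),
    VHost("alpha.example.conf", 443, "alpha.example", ["www.alpha.example"],
          cert_names=["alpha.example", "www.alpha.example"]),
    VHost("beta.example.conf", 443, "beta.example", cert_names=["beta.example"]),
]

# After applying the answer: 00_default.conf gains a _default_:443 block with its own cert.
AFTER = BEFORE + [
    VHost("00_default.conf", 443, "www.example.com", ["example.com"],
          cert_names=["www.example.com", "example.com"]),
]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for host in ("gamma.example", "beta.example"):
            r = diagnose(conf, host)
            print(f"{label:6} {host:14} -> {r['vhost'].server_name:16} {r['reason']}")
```

Running it shows the two points the answer makes: for a name with no config (gamma.example) the "before" layout serves alpha.example's certificate, the "after" layout serves the www.example.com certificate from 00_default.conf, and in both cases the certificate does not cover the requested name, so the browser warning TonyG asks about remains. Only a name that has its own :443 vhost and certificate (beta.example) connects cleanly.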