How to disable https access to specific virtual hosts?

Question

Alright, so I have an Apache server set up with the following directives:

NameVirtualHost *:80

<VirtualHost *:80>  
ServerName example1.com  
ServerAlias www.example1.com  
DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
ServerName example2.com
ServerAlias *.example2.com
DocumentRoot /var/www/example2
</VirtualHost>

<VirtualHost example1.com:443>
DocumentRoot /var/www/html
ServerName example1.com:443
SSLEngine on
...
</VirtualHosts>

So example1.com has SSL support, and can be accessed either via http:// example1.com or https:// example1.com. However, this has the unintended side effect of showing https:// example1.com when I visit https:// example2.com in my browser. What I want to do is basically disable https:// example2.com somehow or re-direct it to http:// example2.com so I don't get a warning and the wrong site when I visit it.

score 6 · Accepted Answer · answered Feb 23 '13 at 09:06

6

You won't be able to avoid getting a warning, unless example1 and example2 are on different IP addresses, or you get an SSL certificate covering both names -- an error page or redirect can't happen until after the SSL connection is established.

That being said, something along these lines should work:

NameVirtualHost *:443
<VirtualHost *:443>
  ServerName example1.com
  SSLEngine on
  #...
</VirtualHost>
<VirtualHost *:443>
  ServerName example2.com
  SSLEngine on
  # same certificate config here as on example1, unless you're wanting to use TLS SNI
  # then, let's redirect the user to non-SSL
  Redirect permanent / http://example2.com/
</VirtualHost>

answered Feb 23 '13 at 09:06

Shane Madden

114,520
13
181
251

Thanks! I think I was missing the NameVirtualHost directive and Apache thought I was trying to make two virtual hosts conflicting each other. Interestingly, Chrome is not throwing a warning over this redirect... But I'm not worried about that, just don't want my SSL site showing up under other domain names. – nearengine Feb 23 '13 at 10:12
Is not same than add invalid certs to fallback to non-ssl? I guess you can directly append _fake to the name of the certs on your vhost directive. – m3nda Mar 01 '15 at 09:34

score 0 · Answer 2 · answered Feb 23 '13 at 07:35

i do not think you should put :443 on ServerName example1.com:443

these should be right configure

<VirtualHost example1.com:443> //change example1.com to ip address is a good habit
DocumentRoot /var/www/html
ServerName example1.com
SSLEngine on
...
</VirtualHosts>

score 0 · Answer 3 · answered Feb 26 '13 at 12:24

0

You need to have Server Name Indication (SNI) to accomplish this. Please refer the link: http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI for details.

answered Feb 26 '13 at 12:24

Karthikeyan

11
1

1

Down voted because you didn't provide an answer or example, only a link (which isn't guaranteed to be there permanently) – Chris Bloom Sep 12 '14 at 15:00

How to disable https access to specific virtual hosts?

3 Answers3

Linked