2

Previously I asked a question here: Single domain SSL presented for all domains on Shared IP about setting up secure and non-secure domains on a single IP.

Opinions were mixed, but it appears SNI hold the solution. Unfortunately I cannot get it work as required.

I would like my server to only send the certificate for domaina.com and no other host names, even if this means sending a 403 error to non-SNI clients. My current configuration on vanilla Ubuntu Server 12.04 LTS is below:

Ports.conf

…
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>
…

Domain A Virtual Host

<VirtualHost *:80>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
    ErrorLog     /var/www/domaina.com/logs/error.log
    CustomLog    /var/www/domaina.com/logs/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/domaina.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/domaina.key
    SSLCertificateChainFile /etc/apache2/ssl/domaina.com.ca-bundle
</VirtualHost>
</IfModule>

Domain B Virtual Host

<VirtualHost *:80>
    ServerName   domainb.com
    ServerAlias  www.domainb.com
    DocumentRoot /var/www/domainb.com/public
    ErrorLog     /var/www/domainb.com/logs/error.log
    CustomLog    /var/www/domainb.com/logs/access.log combined
</VirtualHost>

apache2ctl -S

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server domaina.com (/etc/apache2/sites-enabled/domaina.com:12)
         port 443 namevhost domaina.com (/etc/apache2/sites-enabled/domaina.com:12)
*:80                   is a NameVirtualHost
         default server domaina.com (/etc/apache2/sites-enabled/domaina.com:3)
         port 80 namevhost domaina.com (/etc/apache2/sites-enabled/domaina.com:3)
         port 80 namevhost domainb.com (/etc/apache2/sites-enabled/domainb.com:1)
Syntax OK

How can you get rid of the defaults?

Community
  • 1
esryl
  • 135
  • 5

2 Answers2

5

You literally cannot do what you are asking while keeping both domains on the same IP address.

As it is now, you have both domains (domaina.com and domainb.com) on the same IP address. Then you have opened port 80 for HTTP and port 443 for HTTPS. As you have noticed, the port is open for all domains on the server; it can't be closed for just one domain while remaining open for any other.

If you do not want SSL to be open at all for domainb.com, you will need to put domainb.com on a separate IP address.

Jenny D
  • 27,780
  • 21
  • 75
  • 114
  • Thank you, I guess the SNI is only OK for multiple SSL hosts rather than a mix. – esryl May 25 '13 at 14:05
  • 2
    To clarify: if you want to have different SSL hosts on the same IP, then SNI is your friend. If you want some domains to have SSL and others not to have it, then you need to separate them on the IP level. – Jenny D May 25 '13 at 14:10
0

Alternately, you could just use .htaccess to redirect requests appropriately. Not the best solution, but if you have to use a single IP, that might work for you.

So, domaina.com's .htaccess might have something like

#redirect domainb https requests
RewriteCond %{HTTP_HOST} ^domainb.com$
RewriteRule ^(.*)$ http://domainb.com%{REQUEST_URI} [L,R=301]
Sam Ward
  • 9
  • 1