1

I have a linode server with Apache2 running a handful of sites with virtualhosting.

All sites work fine on port 80, but one site has an SSL certificate and also runs okay.

My problem is as follows:

The non-https sites, if visiting https://domain.com - show the contents of the only secure site...

Is there a way of disabling the *:443 match for these non-secure sites?

Thanks!

EDIT (more information):

Here's a typical config in sites-available for a normal insecure http site:

<VirtualHost *:80>
  ServerName  www.insecure.com
  ServerAlias insecure.com

  ...

</VirtualHost>

The secure https site is as follows:

<VirtualHost *:80>
   ServerName www.secure.com
   Redirect permanent / https://secure.com/
</VirtualHost>

<VirtualHost *:80>
   ServerName secure.com
   RedirectMatch permanent ^/(.*) https://secure.com/$1
</VirtualHost>

<VirtualHost *:443>
   SSLEngine on
   SSLProtocol all

   SSLCertificateChainFile ...
   SSLCertificateFile ...
   SSLCertificateKeyFile ...
   SSLCACertificateFile ...

   ServerName  secure.com
   ServerAlias secure.com

   ...

</VirtualHost>

So, visiting:

  • http://insecure.com - works
  • http://www.insecure.com - works
  • http://secure.com - redirects to https://secure.com - works
  • http://www.secure.com - redirects to https://secure.com - works
  • https://insecure.com - shows https://secure.com - WRONG!
RJP1

3 Answers

0

The Apache docs suggest specifying the non-SSL port number on the NameVirtualHost line, like this:

NameVirtualHost 192.168.1.1:80

Does that help? It should stop the non-secure site matching. Otherwise, try moving the secure site to be the first of the VirtualHosts.

Peter Westlake
0

As Peter said, bind the VirtualHost to an explicit IP. If you have multiple IPs that should solve your problem right there.

If you are running on a single IP, make sure you define an explicit ServerName in your :443 VirtualHost(s).

Also keep in mind that Apache has default VirtualHosts, which could also be working against you. Whatever VirtualHost is defined first for a given port becomes the default. I often find myself defining explicit VirtualHosts to account for that. Perhaps in your scenario you can create a throw-away VirtualHost and wire up a self-signed cert. That should allow your explicitly defined sites to live on their own.

Edit: I take back my comment on the ServerName after taking into account Doon's comment.

You might want to look into NameBasedSSLVHosts on the Apache wiki, but I don't think this solves your problem since it appears by your examples different domains are used. This would work if they were subdomains sharing a wildcard cert.

Mike G
  • Thanks Mike. What I did try was removing the secure 443 definition (and allow the default settings to prevail) - it fixed the issue - as in the insecure https requests got routed to the default IP htdocs. I'll see if some of your suggestions work this evening. Thanks again! – RJP1 Jun 28 '13 at 18:41
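The throw-away default VirtualHost suggested in the answer above could look like the following. This is an added example, not configuration from the original posts; the `ServerName` value and certificate paths are placeholders, and it assumes Apache and the clients support SNI (clients without SNI are always handed the first `*:443` certificate).

```apache
# Added example: catch-all default for port 443.
# Load it before the secure.com vhost (for instance from a file that sorts
# first in sites-enabled) so that it is the first *:443 VirtualHost and
# therefore the default for any hostname that has no HTTPS site of its own.

# Apache 2.2 only: name-based vhosts on 443 need this line once.
# NameVirtualHost *:443

<VirtualHost *:443>
    # Placeholder name that no real request is expected to match.
    ServerName default.invalid

    SSLEngine on
    # Self-signed throw-away certificate (placeholder paths).
    SSLCertificateFile    /etc/apache2/ssl/default-selfsigned.crt
    SSLCertificateKeyFile /etc/apache2/ssl/default-selfsigned.key

    # Nothing is served from here: every request is answered with 403,
    # so https://insecure.com no longer shows the content of secure.com.
    RewriteEngine On
    RewriteRule ^ - [F]
</VirtualHost>
```

Run `apache2ctl -S` after reloading to confirm which VirtualHost is listed as the default server for port 443.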
0

The problem is that HTTPS doesn't use the host header, since the certificate exchange happens when the client connects to 443. So while you can use mod_rewrite to redirect https://insecure.com back to http://insecure.com based on the HTTP_HOST, it will be after the user is presented with the certificate warning about hostname mismatch.

But something like this should work in your https config block:

RewriteCond %{HTTP_HOST}   !^secure\.com [NC]
RewriteCond %{HTTP_HOST}   !^$
RewriteRule ^/(.*)         http://%{HTTP_HOST}/$1 [L,R]
Doon