7

I hope that title is clear.

How do I prevent HTTPS requests for non-ssl-enabled virtual hosts from going to the first ssl-enabled virtualhost (setup is Apache-SNI).

For example, using my abbreviated config below, requests for https://example.com (a non-ssl vhost) are being served by Apache at the ssl-enabled vhost https://example.org. I'd like to disable that behavior and possibly reply with the appropriate HTTP response code (unsure of what that is).

It may not even be possible, but I thought I'd ask.

# I actually have a SNI setup, but it's not demonstrated here.
# I don't think it's relevant in this situation.

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName example.org
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
</VirtualHost>

EDIT: Maybe a mod_rewrite rule in the first ssl-vhost?

Jeff
  • I can't comment on the actual question but I can say that there isn't an http code for the condition you want. The failure mode when a client attempts to connect with SSL to a non-ssl server is a failure to establish the connection as the server can't handle the ssl handshake the client sends. You can see this by trying `https://some-site.com:80` in your browser. (It would be possible, I suppose, to have an application attempt to handle this but I don't know that any do.) – Etan Reisner Aug 14 '13 at 17:07

2 Answers

7

As the Apache docs say, when no ServerName matches the hostname given in the web request, the first VirtualHost matching the given IP/port combination will be used.

Thus, you merely need to give a default virtual host that serves no content, or content of your choosing, and it must be the first one parsed by Apache when it loads its configuration.

If you don't want specific hosts to be accessible via https at all, place them on a separate IP address, on which you have configured Apache not to Listen on port 443.

Michael Hampton
  • I was thinking that a mod_rewrite rule in the first SSL vhost redirecting to the proper vhost via http would be good. Alas, I'm a newbie to mod_rewrite. – Jeff Aug 14 '13 at 17:41
  • I saw nothing here that would suggest a rewrite. Are you trying to do something you didn't mention? – Michael Hampton Aug 14 '13 at 17:42
  • Considering my goal is to disable/thwart https requests to non-ssl vhosts, yes, I think mod_rewrite might work. Maybe something like "If https-example.com, Apache sends the request to https-example.org. In https-example.org, make a mod_rewrite rule that sends the client back to HTTP-example.com." Just thinking out loud here. – Jeff Aug 14 '13 at 17:45
  • Rewrite won't help you there. And users will still get nasty certificate warnings. See my edit. – Michael Hampton Aug 14 '13 at 17:47
  • Got it. Seemed like I was asking too much. Time to gather a few nickels together for another IP. If you think up any other suggestions or workarounds, please update your answer. – Jeff Aug 14 '13 at 17:49
  • Ugh. As the docs say "*when we can't serve the right content, we'll serve some random wrong content instead*". Apache, *nobody wants that with SSL*, just close the TCP connection already. – TessellatingHeckler Dec 08 '16 at 21:49
0

I know, it's been a while... But what about the SSLStrictSNIVHostCheck option. As far as I understand, this resolves your issue.

Hansi
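Putting the two answers together, as an added example that is not part of either answer or of the question's config: a catch-all SSL vhost parsed first (Michael Hampton's answer), with SSLStrictSNIVHostCheck enabled in it (Hansi's answer), and the non-SSL site moved to a second address that never listens on 443 (the second half of Michael's answer). The addresses 192.0.2.10/192.0.2.11, the certificate paths, the DocumentRoot paths and the placeholder name default.invalid are assumptions. Apache 2.4 syntax; on 2.2 add the NameVirtualHost lines from the question.

```apache
# Added example, not the original poster's config. Hostnames, IPs,
# certificate and document paths are assumptions.

# Only the address that carries SSL vhosts listens on 443. example.com
# lives on 192.0.2.11, which never listens on 443, so a client trying
# https://example.com gets a refused TCP connection: no handshake, no
# wrong certificate, no request ever reaches a vhost.
Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.11:80

# Default (catch-all) SSL vhost. It must be the FIRST *:443 vhost Apache
# parses: any request whose SNI/Host name matches no ServerName on
# 192.0.2.10:443 lands here instead of in example.org's vhost.
# It serves no content; mod_alias answers 403 for every path.
<VirtualHost 192.0.2.10:443>
    ServerName default.invalid
    SSLEngine on
    # Some certificate is unavoidable here; browsers asking for a name
    # it does not cover will warn before they ever see the 403.
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    # Placed in the default vhost, this refuses clients that sent no SNI
    # at all rather than guessing which name-based vhost they wanted.
    SSLStrictSNIVHostCheck on
    Redirect 403 /
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    DocumentRoot /var/www/example.org
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName example.org
    DocumentRoot /var/www/example.org
</VirtualHost>

# The non-SSL site: plain HTTP only, on the address without a 443 listener.
<VirtualHost 192.0.2.11:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
```

Check it with `apachectl -t`, then `curl -k https://example.com/` (expect a connection refused) and `curl -k -H 'Host: nosuch.example.org' https://192.0.2.10/` (expect 403 from the catch-all vhost). If example.com has to stay on the shared address, the best Apache alone can do is the second outcome: the client still completes a handshake against the wrong certificate, gets the browser warning noted in the comments above, and is then denied by the default vhost instead of being served example.org's content.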