
I'm using name-based virtual hosts on ports 80 and 443. Some of the virtual hosts only support port 80. I don't have, and won't be getting, certificates for these hostnames.

How can I configure Apache to refuse a connection on port 443 to one of the host names?

E.g.:

supportsboth.example.com has a certificate, can listen on port 80 and port 443

httponly.example.org does not have a certificate, should be available via regular HTTP only.

The Apache configuration has a VirtualHost entry for supportsboth.example.com on port 443 only.

Trying to connect to httponly.example.com on port 443 makes Apache use the supportsboth.example.com virtual host's certificate and details.

This makes the browser report lots of certificate errors as the host names don't match, and if the user decides to proceed anyway, it still ends up at the wrong site.

What I'd ideally like is a redirect to the HTTP site, but I imagine that would rely on having a valid certificate. My second preference is to simply refuse the connection.

Michael's answer below of putting the SSL-capable names on a separate IP is not available to me, as both the domains have already been configured to use the same IP and I'm not in a position to change them.

Gary

1 Answer


Use a different IP address for the hosts which should never answer on SSL, and ensure that Apache only listens on port 443 for the appropriate IP addresses.

Michael Hampton
  • I would accept this obviously correct answer except that I didn't ask this question soon enough and now the host names are assigned to the same address and I'm not in a position to change that. – Gary Sep 18 '13 at 16:29
  • Well, then, you will have to find the person who is in a position to change it. – Michael Hampton Sep 18 '13 at 16:30
  • IF ONLY you could change DNS entries once they've been set up. Sadly, you're stuck with this mistake forever. – MikeyB Sep 18 '13 at 16:33
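The layout Michael's answer describes, written out as an added example (this configuration is not from the question or the answer). The two IP addresses are constructed placeholders from the RFC 5737 documentation range, and the DocumentRoot and certificate paths are assumptions; the point is that port 443 is only ever bound on the address that has a certificate, so a TLS connection to the HTTP-only host is refused at the TCP level and no mismatched certificate is ever presented.

```apache
# Added example, not the original poster's configuration.
# 192.0.2.10 (constructed) serves supportsboth.example.com on 80 and 443.
# 192.0.2.20 (constructed) serves httponly.example.org on 80 only.

Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.20:80
# Deliberately no "Listen 192.0.2.20:443": nothing accepts the TCP
# connection, so the browser sees a refused connection rather than
# supportsboth.example.com's certificate and content.

<VirtualHost 192.0.2.10:80>
    ServerName   supportsboth.example.com
    DocumentRoot /var/www/supportsboth   # assumed path
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName   supportsboth.example.com
    DocumentRoot /var/www/supportsboth   # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/supportsboth.example.com.pem    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/supportsboth.example.com.key  # assumed path
</VirtualHost>

<VirtualHost 192.0.2.20:80>
    ServerName   httponly.example.org
    DocumentRoot /var/www/httponly       # assumed path
</VirtualHost>
```

After reloading, `apachectl -S` lists which address:port each VirtualHost is bound to, and `ss -ltn` (or `netstat -ltn`) should show port 443 listening on 192.0.2.10 only. Because each VirtualHost here is tied to a single IP:port pair, this is effectively IP-based hosting and does not depend on the SNI lookup that caused the wrong certificate to be served in the question; the DNS A records for the two names must of course point at their respective addresses, which is exactly the constraint the asker says they cannot change.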