
I have installed SSL on a subdomain of my site. Everything works perfectly, except this strange behavior.

If I point my browser at the following locations, these document roots are served:

```
http://domain.com       -> /var/www     [GOOD]
https://sub.domain.com  -> /media/sub   [GOOD]
https://domain.com      -> /media/sub   [BAD]
```

The last URL on that list should serve /var/www, not /media/sub. In other words, I would like to safely redirect users from https://domain.com to http://domain.com.

Here are my VirtualHosts.

domain.com

```apache
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www
</VirtualHost>
```

sub.domain.com

```apache
<VirtualHost *:443>
    ServerName sub.domain.com:443
    DocumentRoot /media/sub
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
```

What I've Tried

It was suggested to me that https://domain.com is serving the wrong VirtualHost because there is no *:443 VirtualHost with a ServerName of domain.com.

To fix this, I have tried doing this:

domain.com

```apache
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.com
    Redirect / http://domain.com/
</VirtualHost>
```

I feel like this should work. (It should redirect https requests to http, thus serving the correct document root.)

However, when I do this, Apache2 will not even start. It gives me this error:

```
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
```

Thanks a lot in advance for any guidance.

Leng

1 Answer


This will not work. This is not how SSL works. For you to enable SSL, you must have SSLEngine On and the directives for the server certificate and key.

Just listening on 443 will not help.

If you are not planning to run SSL on your domain.com then ideally you should not be trying to access it over HTTPS. Is there a valid use case why your users will try to access domain.com over https?

Mukul
  • "This will not work." Yeah, no kidding. That's why I'm posting a question on ServerFault.com. I asked a question because I'm looking for solutions, which means I'm already well aware that my solution doesn't work. If a user types in `https://` they need to be safely redirected to `http://`, not served the wrong website. There has to be a solution for this, and I'm sure this community has someone who knows what it is. – Leng Jan 21 '14 at 22:18
  • Of course there is a solution to this, but not at Apache level. For Apache to work, it needs a fully qualified section for SSL. Typically, I have redirected the traffic at a higher level, at the load balancer that I used. AFAIK, this will not work in Apache. I will be very happy to know if someone in the community has made this work. – Mukul Jan 21 '14 at 22:21
  • The Apache developers themselves propose a solution to the opposite of my problem here: [link](http://httpd.apache.org/docs/current/rewrite/avoid.html) (look at the first example). I'm just looking for that, in reverse. I have to say I'd be very, very surprised if it's impossible to configure a webserver to do this. It should be really simple. – Leng Jan 21 '14 at 22:24
  • I don't care what level it's at, I just need a solution. The solution doesn't have to use Apache. I can install or configure whatever is necessary to do this. – Leng Jan 21 '14 at 22:25
  • The reason it is not working for you is because you do not have a certificate for domain.com, but have it for sub1.domain.com. The SSL section in Apache does not work without the key and certificate information. The example on the Apache site is something I have used several times. An easy solution for you would be to get a wildcard certificate, which will make both the domain.com and sub1.domain.com sites HTTPS, and then you can do your rewrite from HTTPS to HTTP. The load balancer solution I implemented was on a hardware load balancer. – Mukul Jan 21 '14 at 22:37
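
An added example, not part of the original thread: a `*:443` VirtualHost for domain.com that carries its own certificate and does nothing but redirect to HTTP, next to the sub.domain.com host from the question. The certificate and key paths in the first block are placeholders, and the example assumes a certificate whose names include domain.com and a server and clients that support SNI, since two names share one address and port.

```apache
# HTTPS vhost for domain.com whose only job is to redirect to plain HTTP.
# The TLS handshake completes before any redirect is sent, so this vhost
# needs SSLEngine on plus a certificate valid for domain.com. Without a
# matching certificate, browsers show a name-mismatch warning first.
<VirtualHost *:443>
    ServerName domain.com
    SSLEngine on
    # Placeholder paths (assumption): certificate and key issued for domain.com
    SSLCertificateFile    /path/to/domain.com.crt
    SSLCertificateKeyFile /path/to/domain.com.key
    # Send every request path to the same path on the HTTP site
    Redirect / http://domain.com/
</VirtualHost>

# HTTPS site from the question, unchanged.
# A request on port 443 whose host name matches no ServerName is served by
# the first *:443 vhost that Apache loaded, which is why https://domain.com
# returned /media/sub when this was the only *:443 vhost.
<VirtualHost *:443>
    ServerName sub.domain.com:443
    DocumentRoot /media/sub
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
```

Running `apache2ctl configtest` before restarting reports a missing certificate directive without taking the running sites down.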