0

I would like to serve SNI-enabled clients that send the wrong host name a 400 Bad Request, but Apache always serves the default virtual host in this situation. I cannot add a default virtual host that sends the 400 Bad Request status, because SNI-disabled clients will always get this virtual host.

It seems that the ServerName virtual host directive is ignored for SNI-disabled clients when I enable name based virtual hosts on an SNI-enabled Apache installation.

See the following virtual host configuration:

NameVirtualHost 192.168.4.46:443
<VirtualHost 192.168.4.46:443>
        ServerName 192.168.4.46
        DocumentRoot /var/www/error-page/

        SSLEngine on
        SSLCertificateFile /path/to/certificate.crt
        SSLCertificateKeyFile /path/to/certificate.key
</VirtualHost>
<VirtualHost 192.168.4.46:443>
        ServerName test-ssl
        DocumentRoot /var/www/valid-website/

        SSLEngine on
        SSLCertificateFile /path/to/certificate.crt
        SSLCertificateKeyFile /path/to/certificate.key
</VirtualHost>

If I use an SNI-disabled client, I would get the error page regardless of the Host: header I send in the request. Because I use the same certificate in both virtual hosts, I would like SNI-disabled clients to be able to still reach the second virtual host based on a match with ServerName.

If I'd switch the position of the virtual hosts, the website would be the default virtual host and then SNI-enabled clients would get the website instead of the error if they supply a wrong Host: in the headers.

So basically, how do I get Apache to serve an error for every wrong Host: header regardless of SNI support, while still serving the website when using an SNI-disabled client and serving the right virtual host when using an SNI-enabled client?

Jelle Raaijmakers
  • 3
  • 2
  • The `Host` header sent by an SNI-disabled client should still be respected, which I've found to be the case in my testing - the default virtual host just selects what certificate is sent to SNI-disabled clients. Are you saying you're seeing it being served the wrong vhost in your testing, or are you just theorizing that it would be wrong? – Shane Madden Feb 25 '14 at 17:17
  • 1
    It seems you're correct - requests sent by SNI-disabled clients still get the right virtual host served matched by the `Host` header. I think my tests were flawed. – Jelle Raaijmakers Feb 26 '14 at 10:27

2 Answers2

0

Remove the ServerName in the virtualHost you want to use in error mode. It should works

Dom
  • 6,743
  • 1
  • 20
  • 24
0

Shortest answer I believe will be:

MOD_REWRITE

Set a cond to inspect the host header; If it is not correct, forward the request off to the error page.

Your non-error site will be the default and the rewrite-rule will live in this virtual host.

If there do turn out to be 'shorter/easier' options, I suspect this option will provide clear logic into how requests should be processed. This solution assumes that you want ALL requests regardless of SNI status to provide a matching host header for a given virtual host.

Daniel Widrick
  • 3,488
  • 2
  • 13
  • 27
  • This is perfect if you want the default virtual host to enforce the server name. However, my original question was flawed, as SNI-disabled clients _do_ in fact honor the `Host` header. – Jelle Raaijmakers Feb 26 '14 at 10:28