How to disable catch-all on a ssl virtual host

Question

My virtual host looks like following:

<VirtualHost example.com:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
  SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

  SSLProtocol -ALL -SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  BrowserMatch ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  DocumentRoot /home/example/www/current/web
  ServerName example.com
  ServerAlias www.example.com
  <IfModule php5_module>
    php_value newrelic.appname "Example"
  </IfModule>
</VirtualHost>

If I go to https://example.com all is good, however for unknown for me reason if I go to any other domain that is pointing to the same server like https://anydomain.com then the vhost above is responding. Obviously browser says that the certificate does not match with a domain, but after ignoring it I can see the website from https://example.com under https://anydomain.com, even that under http://anydomain.com I have totally different website.

I do know that to be able to use https on http://anydomain.com I would need to set-up another certificate with another IP address - and that's not my problem.

I would like to achieve one of the following options:

https://anydomain.com should point to http://anydomain.com
https://anydomain.com returns 404 error

How do I achieve this? Thank you in advance.

score 1 · Answer 1 · answered May 20 '15 at 10:09

If you define only one vhost for your port, it will be treated by apache as a default vhost and served to any client that connects to it.

What you therefore need is to add another vhost, indicate it should be treated as the default one, and set it up so that it will 404 clients. You should use the same certificate as the one for example.com, because it will be used even for clients accessing https://example.com if they don't use SNI.

So that should look like this :

<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
  SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

  SSLProtocol -ALL -SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  Redirect 404 /
</VirtualHost>

Note that if you are not concerned about clients without SNI (they tend to be few of those nowadays), you could very well have any number of https websites with different TLS certificates on the same ip. The limitation to virtual ssl hosting is due to the fact that non-SNI clients don't advertise to the SSL layer which vhost they wish to access before the certificate has to be offered.

Thank you for your answer. I have added new vhost with the data as in your answer and I have pointed the paths to correct files however it gave no result. — Tomasz Ozga, May 22 '15 at 15:20
+1 for mentioning `Redirect 404 /` That did the trick for me, thanks! — Dr. Gianluigi Zane Zanettini, Apr 05 '16 at 21:49

How to disable catch-all on a ssl virtual host

1 Answers1