How to tune Apache to show only one host on HTTPS protocol

Question

I have a Web server Apache on FreeBSD and want to bind SSL only to one of many domains. Now my configuration is

NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /home/web/web/domain01.com
ServerName domain01.com
ServerAlias www.domain01.com
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /home/web/web/ssldomain.com
ServerName ssldomain.com
ServerAlias www.ssldomain.com
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/home/web/web/ssldomain.com"
ServerName www.ssldomain.com 
ServerAlias ssldomain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl/www.ssldomain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/private.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl/intermediate.crt"
</VirtualHost>

All ok, but in browser on https://www.domain01.com/ shows pages of ssldomain.com site. It is bad.

How can I tune Apache to prevent showing pages of ssldomain.com on https://www.domain01.com in browser.

UPD: I was trying to define VirtualHosts :80 and :443 for both domains. 1) using original SSL of ssldomain.com for both domains; 2) using original SSL for ssldomain.com and self-signed SSL for domain01.com. In both case browser shows error of certificate on HTTPS but pages are right.

Config for this two cases

Include etc/apache22/extra/httpd-ssl.conf

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
DocumentRoot /home/web/web/domain01.com
ServerName domain01.com
ServerAlias www.domain01.com
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /home/web/web/domain01.com
ServerName domain01.com
ServerAlias www.domain01.com
SSLEngine on
SSLCertificateFile "/usr/local/etc/apache22/ssl/domain01.com/server.cert"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/domain01.com/server.key"
# This is for second case (of course 2 lines above are comments)
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# SSLCertificateFile "/usr/local/etc/apache22/ssl/www.ssldomain.com.crt"
# SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/private.key"
# SSLCertificateChainFile "/usr/local/etc/apache22/ssl/intermediate.crt"

#Redirect permanent / http://www.domain01.com/
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /home/web/web/ssldomain.com
ServerName ssldomain.com
ServerAlias www.ssldomain.com
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/home/web/web/ssldomain.com"
ServerName www.ssldomain.com 
ServerAlias ssldomain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl/www.ssldomain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/private.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl/intermediate.crt"
</VirtualHost>

With best regards!

Answer 1

Apache will default to the first vhost for that IP (or wild cards that match like the * in this case) and port (443) if it cannot find a vhost with a matching ServerName or ServerAlias. So you need to set up a separate site for www.domain01.com on port 443, just like you have done www.ssldomain.com:443 so it doesn't fall back to the only one you've got as a default.

This vhost can be set up to redirect back to HTTP if you want (note this redirect is done after the SSL negotiation so still requires a valid cert - every SSL vhost requires a cert to be set up for it, though you can use the same cert if it's valid for that vhost too).

On that point, how is it that you are not getting a cert error on https://www.domain01.com? I would guess that either you are (and only if you ignore it do you see www.ssldomain.com content), or your cert covers both domains in (in which case setting this up as a separate vhost and redirecting back to http is definitely the way to go).

Btw, contrary to popular belief you do not need a separate IP address to set up multiple SSL hosts on the Apache instance - even for old browsers which do not support SNI. There is another work around. See here for more details: Disabling SNI for specific virtualhost on Apache

Answer 2

This works for me, I only change order of domains - the first is ssldomain.com with original SSL certificate, and the second is domain01.com with the same SSL certificate and redirect.

Include etc/apache22/extra/httpd-ssl.conf

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
DocumentRoot /home/web/web/ssldomain.com
ServerName ssldomain.com
ServerAlias www.ssldomain.com
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/home/web/web/ssldomain.com"
ServerName www.ssldomain.com 
ServerAlias ssldomain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl/www.ssldomain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/private.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl/intermediate.crt"
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /home/web/web/domain01.com
ServerName domain01.com
ServerAlias www.domain01.com
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /home/web/web/domain01.com
ServerName domain01.com
ServerAlias www.domain01.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl/www.ssldomain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/private.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl/intermediate.crt"

Redirect permanent / http://www.domain01.com/
</VirtualHost>

Special thanks to @BazzaDP.