I want the server to respond to https://abc.def.com, but not to https://def.com, while still serving http://def.com when both domains point to the same IP address.

I currently have a configuration something like this:

<IfModule mod_ssl.c>
  Listen 1.2.3.4:443
  <VirtualHost 1.2.3.4:443>
    ServerName abc.def.com
    SSLEngine on
    # placeholder paths for the key and certificate files
    SSLCertificateFile    /path/to/abc.def.com.crt
    SSLCertificateKeyFile /path/to/abc.def.com.key
    [...]
  </VirtualHost>
</IfModule>

The site is working as expected and so far everything is fine, but for some reason the server also responds to https://def.com and serves the certificate for abc.def.com instead of refusing the connection, although this is not configured anywhere. The default-ssl.conf is disabled.

Any idea on how to tell the server to not serve a certificate but refuse the connection for non-configured domains? I think this should be somehow related to SNI, but I'm not sure if and how it is possible.

David
  • You have to use two IP addresses, one of which does not answer on port 443. – Michael Hampton Nov 13 '15 at 10:56
  • What about SNI? – David Nov 13 '15 at 10:58
  • What does SNI have to do with anything? – Michael Hampton Nov 13 '15 at 11:00
  • "Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process." [https://en.wikipedia.org/wiki/Server_Name_Indication] -> Shouldn't the server be able to determine if it has to respond to that domain or not before delivering an invalid certificate and instead refuse the connection? – David Nov 13 '15 at 11:03
  • SNI doesn't help you here, because Apache has already answered the connection and is committed to respond with some virtual host. – Michael Hampton Nov 13 '15 at 11:08
  • Okay, that seems to make sense. Would it be possible to provoke another generic browser error (just like "connection refused" or "ssl connection error") rather than that quite intimidating (to unaware users) "insecure connection" thing? Would it be possible to configure Apache to interrupt the handshake if the domain doesn't match any of the configured? – David Nov 13 '15 at 11:16
  • Go back to my very first comment. – Michael Hampton Nov 13 '15 at 11:17
  • Sadly this is not an option, I only have one IP address and I can not get a second one. – David Nov 13 '15 at 11:21
  • I guess the next step is to become an IPv6 advocate... – Michael Hampton Nov 13 '15 at 11:23

3 Answers

You can do it using a traffic redirect to HTTP:

<VirtualHost 1.2.3.4:443>
  ServerName def.com
  Redirect 301 / http://def.com
</VirtualHost>

Or using a rewrite rule:

RewriteEngine On
RewriteCond %{HTTPS} on
# escape the dot and anchor the end so only def.com itself matches
RewriteCond %{SERVER_NAME} ^def\.com$
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Froggiz
  • This would not prevent Apache from responding to the original domain and providing an invalid certificate at all. – David Nov 13 '15 at 11:59
  • As you are using the same IP for both servers and listening on port 443, I don't see how you could do better. You could try to put the `def.com` virtual host on port `80` before the `Listen 443` directive, but I don't know if it works. Check the enabled ports config file to see if 443 is not already enabled in it. – Froggiz Nov 13 '15 at 12:27
The Apache config looks good; you can fix it at the DNS level.

Configure your host to resolve abc.def.com but not def.com by editing your local hosts file and removing the entry:

1.2.3.4 def.com
Ra_
Not possible. Apache will answer with the default host if no specific config exists for that hostname. And, until the secure side of the connection is set up with a valid cert, you can't control what is sent back.

So only options are:

  1. Have a cert which is valid for def.com. At this point you can redirect back to http, but if you have gone to the hassle of getting a cert, then why bother? Note that certs can be obtained cheaply (or even for free!).

  2. Separate IP address.

Barry Pollard
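An added configuration example (not from the question or any of the answers above) that makes the "default host" behaviour in the last answer explicit. Apache uses the first <VirtualHost> defined for a given IP:port as the default for any request whose SNI or Host name matches no ServerName or ServerAlias. With default-ssl.conf disabled, the abc.def.com vhost is the only one on 1.2.3.4:443 and therefore becomes that default, which is why it answers for def.com. Listing a deliberate catch-all first does not refuse the handshake (the browser still sees a certificate that does not match def.com), but it keeps the real abc.def.com certificate and content tied to abc.def.com only, returns 403 for unknown names, and gives those requests their own log. The certificate paths, the catch-all name and the ${APACHE_LOG_DIR} variable (Debian-style layout) are assumptions.

```apache
# Added example: an explicit catch-all vhost listed FIRST on 1.2.3.4:443.
# Apache treats the first <VirtualHost> for an IP:port as the default for
# any request whose SNI/Host name matches no ServerName or ServerAlias,
# so unknown names (def.com included) land here, not in abc.def.com.
Listen 1.2.3.4:443

<VirtualHost 1.2.3.4:443>
    # Catch-all; the name is arbitrary and never advertised (assumed).
    ServerName catchall.invalid
    SSLEngine on
    # Placeholder paths: a throwaway self-signed certificate, NOT the
    # abc.def.com certificate, so the real site's certificate is only
    # ever presented for its own name.
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    # Serve nothing under a name this server does not host.
    <Location "/">
        Require all denied
    </Location>
    # Separate log so requests with unexpected Host names are visible.
    CustomLog ${APACHE_LOG_DIR}/catchall_ssl_access.log combined
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName abc.def.com
    SSLEngine on
    # Placeholder paths for the real site's certificate and key.
    SSLCertificateFile    /path/to/abc.def.com.crt
    SSLCertificateKeyFile /path/to/abc.def.com.key
    DocumentRoot /var/www/abc.def.com
</VirtualHost>
```

Order matters: if the abc.def.com vhost were listed first it would become the default again. This is the same role the distribution's default-ssl.conf plays when it is enabled, which is worth keeping in mind before disabling it on a host that serves name-based TLS vhosts on a single address.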