Here are my requirements:
- Host multiple sites on the same server. Some sites use SSL, others do not (ports 443 and 80).
- If the domains don’t match then return a 403 or custom response
The server is a LAMP stack with Ubuntu using Apache 2.4+.
Currently my configuration is not working properly. I’ve added the default VirtualHost, but if I browse to a domain not on the server over HTTPS (https://thisisnotasite.com) it will offer me the ability to proceed to the site; I want it to go to 403 instead.
And if I add a * instead of port 80 to the default-403.conf, it will always load the actual site. With port 80 all HTTP requests are redirected to 403. However, if I add a site that is not SSL the system will always go there.
In my apache.conf file I have changed the import line for virtual hosts to one line per file so I have control over the load sequence (snippets below).
#Include the virtual host configurations:
IncludeOptional sites-enabled/default-403.conf
IncludeOptional sites-enabled/Site1.conf
IncludeOptional sites-enabled/SSLSite2.conf
IncludeOptional sites-enabled/SSLSite3.conf
IncludeOptional sites-enabled/Site4.conf
Default-403.conf
<VirtualHost *:80>
ServerAdmin Admin@admin.com
ServerName catchAll
Redirect 403 /
UseCanonicalName Off
ErrorLog ${APACHE_LOG_DIR}/catchAllError.log
CustomLog ${APACHE_LOG_DIR}/catchAll.log combined
</VirtualHost>
Site1.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName site1.com
ServerAlias www.site1.com
Redirect permanent "/" "https://www.site3.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
SSLSite2 (this is an old site and site3 is the new one)
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin Admin@admin.com
ServerName site2.com
ServerAlias www.site2.com
Redirect permanent "www.site2.com" "https://www.site3.com/"
Redirect permanent "site2.com" "https://www.site3.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/site2.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/site2.cert
SSLCertificateKeyFile /etc/ssl/private/site2.key
SSLCertificateChainFile /etc/ssl/certs/site2.csr
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
SSLSite3
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@admin.com
ServerName site3.com
ServerAlias www.site3.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/site3.crt
SSLCertificateKeyFile /etc/ssl/private/site3.key
SSLCertificateChainFile /etc/ssl/certs/sit3.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
Site4.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName site4.com
ServerAlias www.site4.com
DocumentRoot /var/www/site2
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
As of right now site1 and site2 redirect to site3, and if I add the import for site 4 then every request gets sent to site4. If I change default-403 to have a * instead of port 80 then everything goes to site4.
Any help will be greatly appreciated.
Please note I've only been exposed to Apache for about 2 months so if there is a much better way to handle this please let me know.
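
The following is an added illustration, not part of the original post: a simplified Python model of Apache 2.4 name-based virtual host selection, run over the five vhosts in the Include order shown above. It assumes only explicit ports (the `*` wildcard-port case is not modelled); the function names `select_vhost` and `catch_all_gaps` are hypothetical.

```python
from fnmatch import fnmatch

# (file, port, ServerName, [ServerAlias]) in the IncludeOptional order from the post.
VHOSTS = [
    ("default-403.conf", 80, "catchAll", []),
    ("Site1.conf", 80, "site1.com", ["www.site1.com"]),
    ("SSLSite2.conf", 443, "site2.com", ["www.site2.com"]),
    ("SSLSite3.conf", 443, "site3.com", ["www.site3.com"]),
    ("Site4.conf", 80, "site4.com", ["www.site4.com"]),
]


def select_vhost(port, host, vhosts=VHOSTS):
    """Return (file, reason) for the vhost that would answer `host` on `port`."""
    # Host headers are compared case-insensitively; drop any ":port" suffix.
    host = host.split(":")[0].lower().rstrip(".")
    candidates = [v for v in vhosts if v[1] == port]
    if not candidates:
        return None, "main server config"
    for name, _, server_name, aliases in candidates:
        if host == server_name.lower():
            return name, "ServerName"
        if any(fnmatch(host, alias.lower()) for alias in aliases):
            return name, "ServerAlias"
    # No name matched: Apache falls back to the first vhost listed for this
    # address:port. On 443 that vhost also supplies the certificate.
    return candidates[0][0], "default"


def catch_all_gaps(vhosts=VHOSTS, catch_all="catchAll"):
    """Map each port whose first-listed vhost is not the catch-all to that vhost."""
    first_per_port = {}
    for name, port, server_name, _ in vhosts:
        first_per_port.setdefault(port, (name, server_name))
    return {port: name for port, (name, server_name) in first_per_port.items()
            if server_name != catch_all}


if __name__ == "__main__":
    for port, host in [(80, "thisisnotasite.com"), (443, "thisisnotasite.com"),
                       (443, "www.site3.com"), (80, "site4.com")]:
        print(port, host, "->", select_vhost(port, host))
    print("ports without a catch-all default:", catch_all_gaps())
```

In this model the unknown name on port 443 lands on SSLSite2.conf, because no `*:443` catch-all is loaded ahead of it.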