
I am wondering how to properly set the "default-ssl.conf" parameters related to the VPS main domain or FQDN (in this example "server.foo.org").

In particular, in "default-ssl.conf", is it necessary to indicate the ServerName and eventually ServerAlias values?

Thanks

Example:

Without ServerName:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html
[ETC..]

With ServerName:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName foo.org
        ServerAlias server.foo.org www.server.foo.org www.foo.org
        DocumentRoot /var/www/html
[ETC..]

1 Answer


Using virtual host fall-back (default_server with apache2) increases the risk of virtual host confusion attacks.

One way to prevent these attacks is to make sure the web server only answers for the domains it is supposed to (if it can answer for a domain it is not supposed to, but which is covered by the certificate presented in the default vhost, then it may be vulnerable).

So it's better to have a virtual host dedicated to your domains, and separately the default one.

Papers:

http://antoine.delignat-lavaud.fr/doc/www15.pdf

https://bh.ht.vc/vhost_confusion.pdf

Tom
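A concrete layout of what the answer recommends, written here as an added example rather than anything from the question's default-ssl.conf or from Tom: a catch-all vhost that is loaded first and refuses every request, followed by a dedicated vhost that answers only for server.foo.org. The certificate paths, the placeholder ServerName of the catch-all and the DocumentRoot are assumptions.

```apache
# Added example, not the stock default-ssl.conf and not the answerer's config.
# Assumed values: both certificate pairs, "default.invalid" and the DocumentRoot.

# 1) Catch-all vhost. When no ServerName/ServerAlias matches the SNI name or
#    the Host header, Apache falls back to the FIRST <VirtualHost> defined for
#    that IP:port, so this block must be loaded before the real site (on
#    Debian/Ubuntu, give it a sites-enabled file name that sorts first).
#    _default_ is an alias for *, exactly as in the stock default-ssl.conf.
<VirtualHost _default_:443>
    # Reserved, non-resolvable name: this vhost must never match a real domain.
    ServerName default.invalid
    SSLEngine on
    # Dummy self-signed pair (assumed: the ssl-cert package's "snakeoil" files
    # on Debian/Ubuntu). It vouches for no real hostname, so a request that
    # lands here cannot ride on the real site's certificate.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # Without this, a client that sends no SNI completes the handshake with the
    # certificate above and is then routed by its Host header to whichever
    # name-based vhost matches. With it, non-SNI clients are refused for every
    # vhost on this IP:port.
    SSLStrictSNIVHostCheck on
    # Refuse everything: an unexpected Host header or SNI name ends up here.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2) Dedicated vhost: answers only for the names it is authorised to serve.
#    Keep ServerName/ServerAlias equal to the names in the certificate it
#    presents. A name the certificate covers but this vhost does not list is
#    answered by the catch-all above, which refuses it.
<VirtualHost *:443>
    ServerName  server.foo.org
    ServerAlias www.server.foo.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/server.foo.org
    SSLEngine on
    # Assumed Let's Encrypt layout; any certificate valid for the two names
    # above works the same way.
    SSLCertificateFile    /etc/letsencrypt/live/server.foo.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server.foo.org/privkey.pem
</VirtualHost>
```

After `apachectl configtest` and a reload, a request for a hostname not listed in the dedicated vhost should receive the dummy certificate and a 403, while server.foo.org is served normally.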
  • Hi Tom, newb site admin here. I recently set up my apache2 site to use SSL/HTTPS, and my site gets served well to my satisfaction *except* that I cannot figure out how to get the default site to work (I get forbidden errors—I *suspect* because the default site can cash in on the certification for the FQDN). Is there a resource you could point me at for setting up default sites under ssl? – Alexis Sep 20 '17 at 22:01
  • @Alexis https://serverfault.com/questions/82306/apache-default-catch-all-virtual-host – Tom Sep 21 '17 at 08:37