I'm using Apache2 and named virtual hosts to serve two different dotcoms (exampleone.com and exampletwo.com) from one IP address. One site (exampleone.com) should be HTTP and HTTPS, while the other (exampletwo.com) should serve HTTP only.

So far I've gotten their respective HTTP sites working as expected, and I've gotten HTTPS working for the site it's intended for--however when I go to https://exampletwo.com I'm being served https://exampleone.com content and security warnings.

How do I get https://exampletwo.com requests to be rejected?

<VirtualHost 1.2.3.4:80>
    ServerName exampleone.com
    ServerAlias *.exampleone.com
    DocumentRoot /var/www/exampleone.com
    <Directory /var/www/exampleone.com>
            Options MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>
    CustomLog /var/log/apache2/exampleone.log combined
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName exampletwo.com
    ServerAlias *.exampletwo.com
    DocumentRoot /var/www/exampletwo.com
    <Directory /var/www/exampletwo.com>
            Options MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>
    CustomLog /var/log/apache2/exampletwo.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 1.2.3.4:443>
    ServerAdmin admin@exampleone.com
    ServerName exampleone.com
    ServerAlias *.exampleone.com

    DocumentRoot /var/www/exampleone.com

    <Directory /var/www/exampleone.com>
            Options MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>

    CustomLog /var/log/apache2/exampleone-ssl.log combined

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   A self-signed (snakeoil) certificate can be created by installing
    #   the ssl-cert package. See
    #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile    /etc/ssl/certs/exampleone.com.crt
    SSLCertificateKeyFile /etc/ssl/private/exampleone.com.key
</VirtualHost>
</IfModule>
STW

2 Answers

EDIT: as others pointed out, look at SNI.

As explained here, a server being contacted via https cannot guess before sending its certificate what domain name the client wants to talk to.

If http://exampleone.com is served by https, it means that the first thing a visitor will get from this server is "Hi, my certificate is valid for the name http://exampleone.com", even if you want http://exampletwo.com. Thus, you cannot deactivate https for http://exampletwo.com, nor set up a redirect or whatever that wouldn't lead to a warning for the visitor.

More explanations here

To address your concern, you need two different IP addresses to serve your two domain names.

user2299634

You can enable SNI. All you have to do is include a NameVirtualHost *:443 with your Listen 443 statement (in the Ubuntu Apache config, add it to /etc/apache/ports.conf). You can then configure a second SSL virtual host, and give them both a ServerName.

Note: old browsers don't support SNI. No version of IE on Windows XP, for instance. In that case, the IP address per site restriction user2299bla mentions is valid.

Halfgaar
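
The SNI setup described in the answer above, written out as an added example (not code from the question or from either answer) in which the second SSL virtual host refuses every request for exampletwo.com. Assumptions: Apache 2.2 syntax as in the question, the snakeoil certificate pair installed by the ssl-cert package, and a hypothetical log file name exampletwo-ssl.log.

```apache
# ports.conf: open 443 and enable name-based selection on it.
# In Apache 2.2 the NameVirtualHost argument must match the <VirtualHost>
# arguments exactly, so the question's 1.2.3.4:443 is used instead of *:443.
<IfModule mod_ssl.c>
    Listen 443
    NameVirtualHost 1.2.3.4:443
</IfModule>

<IfModule mod_ssl.c>
# First vhost on 1.2.3.4:443 is the default: clients that send no SNI
# complete the handshake with this certificate.
<VirtualHost 1.2.3.4:443>
    ServerName exampleone.com
    ServerAlias *.exampleone.com
    DocumentRoot /var/www/exampleone.com
    # <Directory> block and CustomLog as in the question's SSL vhost
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/exampleone.com.crt
    SSLCertificateKeyFile /etc/ssl/private/exampleone.com.key
</VirtualHost>

# Second vhost: matches exampletwo.com on 443 and answers 403 to everything,
# so exampleone.com content is never served under this name.
<VirtualHost 1.2.3.4:443>
    ServerName exampletwo.com
    ServerAlias *.exampletwo.com
    SSLEngine on
    # Assumption: snakeoil pair from the ssl-cert package. Every SSL vhost
    # needs some certificate; this one is not trusted by browsers.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    # Hypothetical log name: keeps rejected HTTPS hits separate for review
    CustomLog /var/log/apache2/exampletwo-ssl.log combined
</VirtualHost>
</IfModule>
```

The 403 is sent only after the TLS handshake, so a browser visiting https://exampletwo.com still shows a certificate warning before it sees the refusal. `apache2ctl -S` lists which virtual host is the default for 1.2.3.4:443 and which names map to each one.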