2

I have an Apache server with one IP address (on a Debian server).

I have several virtualhosts for http and one virtualhost for https

One vhost redirects traffic to the https vhost, and this works fine; it looks something like this:

<VirtualHost *:80>
    ServerName mymainsite.com
    ServerAlias www.mymainsite.com
    ServerAlias myothersite.org
    ServerAlias www.myothersite.org
    RewriteEngine on
    RewriteRule ^(.*)$ https://www.mymainsite.com$1 [L,R=301]
    (...)

I have another vhost for https, like this:

<VirtualHost *:443>
    ServerName www.mymainsite.com
    (...)

This works fine: all non-https traffic is forwarded to https, and that is super. But then the problem.

Sometimes people go to this URL: https://www.myothersite.org

This is answered by the https vhost and creates a "wrong certificate" error.

The question is: is there a way to prevent this without using a second IP address, or buying a multi-URL or wildcard SSL certificate?

edit: just removed some extra text

Sverre
    Your question actually has nothing to do with rewrites or redirects. What you're describing happens _upon connecting_. Just showing your two :443 vhosts would be sufficient. – AD7six Nov 17 '14 at 10:43
  • I was hoping that we could fix this with a rewrite rule – Sverre Nov 18 '14 at 01:44

1 Answer

2

You need to use the SSL extension named Server Name Indication (SNI). This extension allows the server to determine which named virtual host the request was designated for, and patch it through accordingly.

Your Apache is probably built with support for SNI, but to check it, simply set up two name-based virtual hosts on your IP on port 443 and try to start Apache. If your Apache does not support SNI, error_log will show "You should not use name-based virtual hosts in conjunction with SSL!!" If SNI is built in, then the error log will show "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Also be aware that browsers need to support SNI as well in order to have this working. The good thing is that all major browsers support it:

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

So yes, in short, you can have two or more different domains with their respective SSL certificates on the same IP; just configure the other SSL domains much like your first one. If your Apache lacks support for SNI, you will need to find another Apache package or rebuild this one with SNI support to get it working.

Hrvoje Špoljar