
Running Apache/2.4.16 (Ubuntu). I have a certificate with 5 subdomains (app, cdn, api, m, www/home).

I want undefined subdomains to 404. I guess https://domain.com/404 would be the appropriate place.

How do I do this and avoid "Your connection is not private" warnings?

Is this the correct way to handle this?

My conf looks like this (simplified heavily):

#APP
<VirtualHost _default_:443>

    ServerName app.domain.com
    DocumentRoot /var/www/html/app

</VirtualHost>

#CDN
<VirtualHost _default_:443>

    ServerName cdn.domain.com
    DocumentRoot /var/www/html/cdn

</VirtualHost>

#API
<VirtualHost _default_:443>

    ServerName api.domain.com
    DocumentRoot /var/www/html/api

</VirtualHost>

#M
<VirtualHost _default_:443>

    ServerName m.domain.com
    DocumentRoot /var/www/html/m

</VirtualHost>

#HOME
<VirtualHost _default_:443>

    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/html/home

</VirtualHost>
Ty Kroll

1 Answer


Your question has a bit of an X/Y issue going on here, but I'll explain. You will want to have a virtualhost with an alias / servername of *.domain.com. From here you can set your references to the 404 page as desired.

In order to successfully get rid of the certificate warnings you will need a wildcard SSL certificate listening on that virtualhost. To understand why, see any of the various comparisons of SAN/UCC certificates versus a wildcard. For example, here.

Tim Brigham
  • OK. I understand. Thank you. If the other ssl subdomains aren't on my cert, they will always get the security warning. Fair enough. Could this possibly be handled by using explicit CNAMEs for each valid subdomain and then a wildcard CNAME that redirects to https://domain.com/404? – Ty Kroll Dec 30 '15 at 21:14
  • 2
    @TyKroll you can specify separate TLS configuration for different hostnames. You cannot redirect CNAMEs to URLs. CNAMEs map DNS hostnames while URLs are in the HTTP requests sent to the hostnames. If the domain name the browser is connecting to doesn't match the cert's CN they get a TLS error regardless of CNAMEs in DNS. You could have specific certs for customers with custom domains and a wildcard for other customers just using your subdomains. Clients need TLS SNI (mostly ubiquitous in browsers now) for this to work. – Alain O'Dea Dec 30 '15 at 21:33
  • Alright. Understood. People shouldn't be typing in odd subdomains anyway. :) – Ty Kroll Dec 30 '15 at 21:43
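As an added example (not from the question or the answer above), here is what the catch-all virtualhost from the answer looks like in Apache 2.4 syntax, matching the `_default_:443` style of the question's config; the wildcard certificate paths and the `/var/www/html/404` error page location are assumptions.

```apache
# Catch-all for every https name that no named vhost claims. It must be the
# FIRST <VirtualHost> on port 443 that Apache loads (on Ubuntu, e.g. in
# sites-enabled/000-catchall.conf), because the first vhost on a port is the
# default for any SNI name no other vhost matches. Clients must send SNI, as
# noted in the comments, for the named vhosts to be selected at all.
<VirtualHost _default_:443>
    ServerName catchall.domain.com
    ServerAlias *.domain.com

    # Wildcard certificate covering *.domain.com (file paths are assumptions).
    # Without it the browser shows the certificate warning before any 404.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.com.key

    # The only content this vhost serves is the shared error page.
    DocumentRoot /var/www/html/404
    ErrorDocument 404 /404.html

    # Return HTTP 404 for every path except the error page itself, so the
    # ErrorDocument subrequest does not loop back into another 404. The
    # browser keeps the URL it typed and gets a real 404 status, unlike a
    # redirect to https://domain.com/404.
    RedirectMatch 404 "^/(?!404\.html$)"
</VirtualHost>
```

`apache2ctl -S` lists the port 443 vhosts in load order and marks the default server, which is how to confirm the catch-all actually comes first.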