-1

I have configured vhosts on apache2. It is a name-based configuration. The first domain is an SSL-secured site and the second one is a non-SSL site. Everything works fine if I enter https://www.domain1.com/page1/ and http://domain2.com/page2/ in the browser address bar. But if I try to access https://domain2.com/page1/ and choose to load it as unsafe, page1 opens even though it is not available on domain2.com.

If I check with an SSL checker, domain2 also gets the same SSL certificate.

My expectation is that it should not load page1 because it does not exist, and also that a check with an SSL checker should not find an SSL certificate any more. How can I prevent this? Can anyone please guess? Thanks in advance.

My configuration is available in the folder "/etc/apache2/sites-available". Example below:

domain1.com.conf

    <VirtualHost *:80>
        ServerName  domain1.com
        ServerAlias www.domain1.com
        DocumentRoot /var/www/domain1.com/public_html
    </VirtualHost>
    <VirtualHost *:443>
        ServerName  domain1.com
        ServerAlias *.domain1.com
        DocumentRoot /var/www/domain1.com/public_html
        SSLCertificateFile "path/domain1_com.crt"
        SSLCertificateKeyFile "path/domain1_.key"
        SSLCACertificateFile "path/domain1.ca-bundle"
    </VirtualHost>

domain2.com.conf

    <VirtualHost *:80>
        ServerName  domain2.com
        ServerAlias *.domain2.com
        DocumentRoot /var/www/domain2.com/public_html
    </VirtualHost>

2 Answers

0

Apache always has a default SSL host. In this case it will be the domain1.com vhost, because there probably isn't another one.

There are two approaches.

  1. Set a different default vhost with just a warning / message.

The first config lexically wins. So, if you have a 0000.conf it will ordinarily become the default vhost. You can put a warning message there and redirect all requests to it with mod_rewrite.

    RewriteEngine on
    RewriteRule ^/?warning\.html$ - [L]
    RewriteRule .* /warning.html [L]

  2. In your vhost, filter the Host header with mod_rewrite and display a failure or message to "reject" other Host headers.

    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^your\.host$
    RewriteCond %{HTTP_HOST} !^www\.your\.host$
    RewriteRule .* - [F]

Of course people will only see any server response when they accept the SSL warning first.

Gerrit
0

Solution

In my case I have changed to a mixed type of configuration, name-based and IP-based. The SSL-secured site uses an IP-based configuration.

Step 1: Assign multiple IP addresses to the Ubuntu server.

Step 2: Register DNS with separate IP addresses. All secure domains have a separate IP address; the rest of the domains, the non-SSL ones, are assigned one IP address each.

Step 3: Check your local IP in the terminal with "hostname -I".

Step 4: Replace '*' with the local IP address.

It will restrict loading domain2 over HTTPS and throw a 404.
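
Why the question's setup serves domain1 content for https://domain2.com, and how each answer changes the outcome, as an added example that is not part of the original posts. It is a simplified model of Apache's vhost selection, not Apache's own code; the IP addresses and the `default-reject` ServerName are constructed for illustration.

```python
from fnmatch import fnmatch

def select_vhost(vhosts, local_ip, port, host):
    """Name of the vhost that serves a request, or None for the main server.

    vhosts: (address, port, ServerName, [ServerAlias...]) in config load order.
    Simplified model: vhosts bound to the exact local IP beat '*' ones, then
    ServerName/ServerAlias are compared with the Host header, and if none
    matches, the first vhost listed for that address:port is the default.
    """
    host = host.lower().split(":")[0]
    on_port = [v for v in vhosts if v[1] == port]
    candidates = ([v for v in on_port if v[0] == local_ip]
                  or [v for v in on_port if v[0] == "*"])
    for _addr, _port, name, aliases in candidates:
        if host == name or any(fnmatch(host, a) for a in aliases):
            return name
    return candidates[0][2] if candidates else None

# Constructed inputs mirroring the page. IPs are documentation addresses.
QUESTION = [
    ("*", 80, "domain1.com", ["www.domain1.com"]),
    ("*", 443, "domain1.com", ["*.domain1.com"]),
    ("*", 80, "domain2.com", ["*.domain2.com"]),
]
# First answer, approach 1: a 0000.conf that sorts first and only rejects.
# "default-reject" is a hypothetical ServerName.
WITH_DEFAULT = [("*", 443, "default-reject", [])] + QUESTION
# Second answer: the TLS vhost is bound to its own IP instead of '*'.
IP_BASED = [
    ("192.0.2.10", 80, "domain1.com", ["www.domain1.com"]),
    ("192.0.2.10", 443, "domain1.com", ["*.domain1.com"]),
    ("192.0.2.20", 80, "domain2.com", ["*.domain2.com"]),
]

if __name__ == "__main__":
    for label, conf, ip in [("question", QUESTION, "192.0.2.10"),
                            ("default vhost", WITH_DEFAULT, "192.0.2.10"),
                            ("ip-based", IP_BASED, "192.0.2.20")]:
        print(label, "->", select_vhost(conf, ip, 443, "domain2.com"))
```

In the question's layout the only `*:443` vhost is domain1.com, so it answers for any Host header on port 443; the other two layouts take that default role away from it.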