I was wondering if I would be able to harden my Apache configuration in such a way it would only respond to one of it's actual vhost configuration (e.g. https://myhost.example.com/) and make it unresponsive to anything but that.
Currently every connection based on IP-address made to the webserver will actually respond with the vhost SSL-certificate (or a dummy), which is of course total nonsense.
Though, every site I tested (e.g. https://192.168.0.1:8443/) will respond. Sometimes (in production online) with a default apache page, others with the actual website (depending on their actual config).
Looking at the manual https://httpd.apache.org/docs/2.4/bind.html there seems no way to configure it.
My current demo config:
Listen 192.168.0.1:8443 https
Listen [fe80::1]:8443 https
<VirtualHost myhost.example.com:8443>
DocumentRoot "/www/myhost.example.com"
ServerName myhost.example.com
</VirtualHost>
If it is actually possible in another webserver or with some firewall-configuration or so, that would also be of great interest.