Centos – Set default TLS SNI vhost for Apache 2.2 on CentOS 6

Tags: apache-2.2, centos, sni, tls

I have a CentOS 6 server with Apache (httpd-2.2.15-15.el6.centos.x86_64). Now I configured TLS SNI using OpenSSL and that was pretty easy.

Now I have two TLS vhosts on the same IP and I want to specify which one should be the default if the client does not support TLS SNI (yes, I'm looking at you, git/hg).

Looking at the Apache docs there should be at least two ways to do this:

  • set for the default host (and *:443 for all others)
  • set "SSLStrictSNIVHostCheck on" for the non-default hosts.

Unfortunately neither method works for me. Can someone explain to me how to achieve the goal anyway and why the two methods above don't work as I expected?

Best Answer

The first one enabled will be the default one, so rename the config file of the default vhost to something like 00-config_file_name so it is the first one loaded.

As you (rightfully) would like something documented:

From Apache docs: An In-Depth Discussion of Virtual Host Matching

Name-based vhost

If the entry corresponds to a name-based vhost the name list contains one or more vhost structures. This list contains the vhosts in the same order as the VirtualHost directives appear in the config file.

The first vhost on this list (the first vhost in the config file with the specified IP address) has the highest priority and catches any request to an unknown server name or a request without a Host: header field.

If the client provided a Host: header field the list is searched for a matching vhost and the first hit on a ServerName or ServerAlias is taken and the request is served from that vhost. A Host: header field can contain a port number, but Apache always matches against the real port to which the client sent the request.

So if you use only one config file for your vhosts, you need to order them in the file; and if you include several separate files (including a ../sites-enabled directory, which is the way the Apache2 sample site is defined), you need to load the files in the order you need, defining the default site first, since they are loaded in the directory's alphabetical order.

Always according to the same Apache doc (following the examples link on the page), if you use a _default_ vhost, it must be defined before the other vhosts, and that is exactly what you will be doing by defining the vhosts in the order you want; but when using a _default_ vhost, the main server will no longer respond to requests.
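A way to check which vhost actually ends up first, as an added example that is not part of the original question or answer: CentOS 6's httpd.conf pulls in `conf.d/*.conf`, so the script below walks that directory in C-locale (alphabetical) order and reports the ServerName of the first `*:443` VirtualHost block it meets, which is the one Apache 2.2 hands to TLS clients that send no SNI name. The directory argument and the `default_ssl_vhost` function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Report the file and ServerName
# of the first <VirtualHost ...:443> block in Apache include order, i.e. the
# vhost that serves TLS clients without SNI. Argument: include directory
# (defaults to CentOS 6's /etc/httpd/conf.d).
default_ssl_vhost() {
    dir="${1:-/etc/httpd/conf.d}"
    # Apache expands conf.d/*.conf in C-locale order; make the glob below
    # sort the same way (this sets LC_ALL for the calling shell as well).
    LC_ALL=C
    export LC_ALL
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # First ServerName inside a :443 block; :80 blocks are skipped and a
        # trailing ":443" on the ServerName value is stripped.
        name=$(awk '
            /^[[:space:]]*<VirtualHost[^>]*:443>/ { in443 = 1 }
            /^[[:space:]]*<\/VirtualHost>/        { in443 = 0 }
            in443 && /^[[:space:]]*ServerName/    { sub(/:[0-9]+$/, "", $2); print $2; exit }
        ' "$f")
        if [ -n "$name" ]; then
            printf '%s\t%s\n' "$f" "$name"
            return 0
        fi
    done
    # No *:443 VirtualHost found in any file
    return 1
}
```

Run `default_ssl_vhost /etc/httpd/conf.d` and compare the result with `httpd -S`, which prints Apache's own view of the vhost order; renaming the intended default's file to a 00- prefix should move it to the top of both.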