Is it possible to configure a catch-all (default) HTTPS vhost on Apache 2.4? I currently have 4 domains and an HTTP catch-all, but as soon as I try to add any sort of HTTPS catch-all configuration my other vhosts break. Here is what my config looks like:
<VirtualHost _default_:80>
    # Default catch-all virtual host.
    Redirect permanent / https://example-prod.com
</VirtualHost>

<VirtualHost _default_:80>
    ServerName example-prod.com
    ServerName www.example-prod.com
    Include conf/sites/example-prod.com.conf
</VirtualHost>

<VirtualHost _default_:80>
    ServerName example-dev.com
    Include conf/sites/example-dev.com.conf
</VirtualHost>

#
# This is the virtual host I'm missing and that I cannot get to work.
#
#<VirtualHost _default_:443>
#    # Default catch-all virtual host.
#    ServerAlias *
#    SSLEngine on
#    SSLCertificateFile "C:/prod/hosts.crt.pem"
#    SSLCertificateKeyFile "C:/prod/hosts.key.pem"
#    SSLCertificateChainFile "C:/prod/intermediate.crt.pem"
#    Redirect permanent / https://example-prod.com
#</VirtualHost>

<VirtualHost _default_:443>
    ServerName example-prod.com
    ServerName www.example-prod.com
    SSLEngine on
    SSLCertificateFile "C:/prod/hosts.crt.pem"
    SSLCertificateKeyFile "C:/prod/hosts.key.pem"
    SSLCertificateChainFile "C:/prod/intermediate.crt.pem"
    Include conf/sites/example-prod.com.conf
</VirtualHost>

<VirtualHost _default_:443>
    ServerName example-dev.com
    SSLEngine on
    SSLCertificateFile "C:/dev/hosts.crt.pem"
    SSLCertificateKeyFile "C:/dev/hosts.key.pem"
    SSLCertificateChainFile "C:/dev/intermediate.crt.pem"
    Include conf/sites/example-dev.com.conf
</VirtualHost>
My httpd.conf has no DocumentRoot any more; everything is in the vhosts and includes. This is also a dedicated server and IP.

How can I get this resolved?
Best Answer
The problem was solved, but there were some misunderstandings. There really is the requirement that HTTPS needs a matching certificate, but the problem caused by this is that the connection won't be trusted with a hostname that does not match the certificate's Common Name or is not listed in its Subject Alternative Name:

The same mismatch stays even with the RewriteRule solution given in the other answer. If the "catch-all" hostnames are all sub-domains of example.com and you have a wildcard certificate for *.example.com, it will match. On the other hand, most people, when trying to access something.example.com, type it into the browser address bar without the http:// or https:// prefix, and browsers default to HTTP. Therefore having a "catch-all" redirect on HTTPS, even with a mismatching certificate, won't usually cause any actual problems: only a few people ever see the SSL_ERROR_BAD_CERT_DOMAIN error. The Virtual Host Matching works the same way with or without TLS.

If you don't have SNI:

Without SNI the certificate from the first VirtualHost is used for the handshake:

The main problem with your original try was having ServerAlias * and not having any ServerName. For a "catch-all" host it would have worked with anything but the other ServerNames from the other VirtualHosts. If there is no other match, Apache falls back to the default VirtualHost section, whichever is the first section (that matches the IP-based lookup, when name-based lookup fails). There must be SOME ServerName because:

This would result in a configuration like this:

Please notice the other things I have changed:

- dev.example.com uses the same certificate, as it would do so anyway without SNI.
- Use <VirtualHost *:443> instead of _default_:443, as _default_ has a special purpose: (This also means you could use _default_:443 in your "catch-all", not in the others. You can try!)
- Domain is replaced with Reserved Example Domain Names.
- I'd prefer having www.example.com as a part of the "catch-all" (rather than as an alias) in order to have only one canonical address for your site. Therefore I have moved it there.

If you had SNI, the processing mimics the same behavior but is a bit different in details:

With SNI you can have the additional certificate for dev.example.com. If all the prerequisites for SNI are met, it should work automatically and error.log would show [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366).
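The layout the answer describes, written out as an added example (this is not the answer's own configuration): the catch-all is the first vhost on *:443, carries a ServerName plus ServerAlias *, and redirects everything that lands there to a single canonical address. Hostnames, certificate paths, the choice of https://example.com/ as canonical and the include paths are assumptions.

```apache
# Added example, not the original answer's config.
# Ordering matters: Apache uses the FIRST matching vhost for a name-based
# lookup miss, and without SNI the first vhost's certificate is the only
# one ever presented during the TLS handshake.
Listen 443

# 1. Catch-all: listed first, so it is also the fallback for any Host / SNI
#    name that no other vhost claims. It needs a real ServerName; without
#    one, ServerAlias * alone does not make it the default.
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias *
    SSLEngine on
    SSLCertificateFile      "C:/prod/hosts.crt.pem"
    SSLCertificateKeyFile   "C:/prod/hosts.key.pem"
    SSLCertificateChainFile "C:/prod/intermediate.crt.pem"
    # One canonical address for the site: everything else is redirected.
    # Names outside the certificate's CN/SAN still trigger a browser
    # certificate warning before this redirect is ever seen.
    Redirect permanent / https://example.com/
</VirtualHost>

# 2. The canonical production site.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile      "C:/prod/hosts.crt.pem"
    SSLCertificateKeyFile   "C:/prod/hosts.key.pem"
    SSLCertificateChainFile "C:/prod/intermediate.crt.pem"
    Include conf/sites/example.com.conf
</VirtualHost>

# 3. Development site. Uses the same certificate as the catch-all: without
#    SNI a different certificate here would never be sent to the client;
#    with SNI it may be swapped for a dedicated one.
<VirtualHost *:443>
    ServerName dev.example.com
    SSLEngine on
    SSLCertificateFile      "C:/prod/hosts.crt.pem"
    SSLCertificateKeyFile   "C:/prod/hosts.key.pem"
    SSLCertificateChainFile "C:/prod/intermediate.crt.pem"
    Include conf/sites/dev.example.com.conf
</VirtualHost>
```

To confirm the parsed order before reloading, run httpd -S (apachectl -S on Unix), which lists every vhost per port with the default marked; openssl s_client -connect host:443 -servername dev.example.com then shows which certificate and redirect a given SNI name actually receives.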