My virtual host looks like the following:
```apache
<VirtualHost example.com:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
    SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt
    SSLProtocol -ALL -SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    DocumentRoot /home/example/www/current/web
    ServerName example.com
    ServerAlias www.example.com
    <IfModule php5_module>
        php_value newrelic.appname "Example"
    </IfModule>
</VirtualHost>
```
If I go to https://example.com all is good; however, for a reason unknown to me, if I go to any other domain that points to the same server, like https://anydomain.com, then the vhost above responds. Obviously the browser says that the certificate does not match the domain, but after ignoring that I can see the website from https://example.com under https://anydomain.com, even though under http://anydomain.com I have a totally different website.
I do know that to be able to use https on http://anydomain.com I would need to set up another certificate with another IP address – and that's not my problem.
I would like to achieve one of the following options:
- https://anydomain.com should point to http://anydomain.com
- https://anydomain.com returns 404 error
How do I achieve this?
Thank you in advance.
Best Answer
If you define only one vhost for your port, it will be treated by Apache as the default vhost and served to any client that connects to it.
What you therefore need is to add another vhost, indicate it should be treated as the default one, and set it up so that it will 404 clients. You should use the same certificate as the one for example.com, because it will be used even for clients accessing https://example.com if they don't use SNI.
So that should look like this :
Note that if you are not concerned about clients without SNI (there tend to be few of those nowadays), you could very well have any number of https websites with different TLS certificates on the same IP. The limitation on virtual SSL hosting is due to the fact that non-SNI clients don't advertise to the SSL layer which vhost they wish to access before the certificate has to be offered.
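
A catch-all default vhost along the lines the answer describes, as an added example that is not the answerer's own configuration. It assumes both vhosts are declared on `*:443` (the question uses `example.com:443`) and uses a placeholder `ServerName` for the catch-all; certificate paths are the ones from the question.

```apache
# Added example. Apache 2.2 needs NameVirtualHost for name-based vhosts
# on 443; Apache 2.4 does not need it.
NameVirtualHost *:443

# Catch-all. It must be the FIRST vhost loaded for *:443: when no
# ServerName/ServerAlias matches the requested host, Apache falls back to
# the first vhost defined for that address:port.
<VirtualHost *:443>
    # Placeholder name (assumption); it only has to differ from real sites.
    ServerName default-catchall.invalid

    SSLEngine on
    # Same certificate as example.com: a client that does not send SNI is
    # handed this vhost's certificate even when it wants https://example.com.
    SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
    SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

    # mod_alias: answer every path with 404. No target URL is given
    # because the status is outside the 3xx range.
    Redirect 404 /
</VirtualHost>

# The real site. Both vhosts use the same address spec (*:443) so that
# name matching, not address matching, chooses between them.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/example/www/current/web

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
    SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

    # Remaining directives from the question's vhost (SSLProtocol,
    # SSLCipherSuite, BrowserMatch, CustomLog, PHP settings) go here unchanged.
</VirtualHost>
```

`apachectl -S` lists the vhosts for each address:port and marks the default server; confirm that the catch-all is the one marked as default for `*:443`.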