SSL – How to disable catch-all on an SSL virtual host

Tags: apache-2.2, ssl, ssl-certificate, virtualhost, web-server

My virtual host looks like the following:

<VirtualHost example.com:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
  SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

  SSLProtocol -ALL -SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  BrowserMatch ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  DocumentRoot /home/example/www/current/web
  ServerName example.com
  ServerAlias www.example.com
  <IfModule php5_module>
    php_value newrelic.appname "Example"
  </IfModule>
</VirtualHost>

If I go to https://example.com all is good; however, for a reason unknown to me, if I go to any other domain that is pointing to the same server, like https://anydomain.com, then the vhost above responds. Obviously the browser says that the certificate does not match the domain, but after ignoring it I can see the website from https://example.com under https://anydomain.com, even though under http://anydomain.com I have a totally different website.

I do know that to be able to use https on http://anydomain.com I would need to set up another certificate with another IP address – and that's not my problem.

I would like to achieve one of the following options:

  • https://anydomain.com should point to http://anydomain.com
  • https://anydomain.com returns 404 error

How do I achieve this?
Thank you in advance.

Best Answer

If you define only one vhost for your port, it will be treated by apache as a default vhost and served to any client that connects to it.

What you therefore need is to add another vhost, indicate it should be treated as the default one, and set it up so that it will 404 clients. You should use the same certificate as the one for example.com, because it will be used even for clients accessing https://example.com if they don't use SNI.

So that should look like this:

<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
  SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

  SSLProtocol -ALL -SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  Redirect 404 /
</VirtualHost>

Note that if you are not concerned about clients without SNI (there tend to be few of those nowadays), you could very well have any number of https websites with different TLS certificates on the same IP. The limitation to virtual SSL hosting is due to the fact that non-SNI clients don't advertise to the SSL layer which vhost they wish to access before the certificate has to be offered.
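A complete pair of vhosts in that style, as an added example rather than the answerer's or asker's configuration: the catch-all is defined first and both vhosts use the same address form (*:443), because Apache only falls back to the first vhost defined for the best-matching address:port, and the Host header is logged on the catch-all so unexpected names hitting the server can be reviewed. The certificate paths and cipher settings are the question's; the empty DocumentRoot and log file name are assumptions.

```apache
# Added example, not the page's own configuration.
# Ordering matters: when no ServerName/ServerAlias matches the request,
# Apache serves the FIRST vhost defined for the best-matching address:port.
# Both vhosts therefore use *:443; mixing example.com:443 with *:443 would
# make the IP-specific vhost the only candidate for that address.

# 1. Catch-all: every name not explicitly hosted, and every non-SNI client,
#    lands here. It presents example.com's certificate because non-SNI
#    clients reach this vhost even when they meant to reach example.com.
<VirtualHost *:443>
  ServerName catchall.invalid                # .invalid is reserved, never resolves
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
  SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

  SSLProtocol -ALL -SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  DocumentRoot /var/www/empty                # assumed: exists and is empty
  Redirect 404 /                             # answer every path with 404

  # Log the requested Host so names that should not be reaching this
  # server (stale DNS, typo domains, scanners) can be spotted.
  CustomLog logs/ssl_catchall_log \
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x host=%{Host}i \"%r\" %>s"
</VirtualHost>

# 2. The real site, defined AFTER the catch-all. Only requests whose SNI /
#    Host header matches ServerName or ServerAlias are routed here.
<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-keys/example/example.crt
  SSLCertificateKeyFile /etc/apache2/ssl-keys/example/example.key
  SSLCACertificateFile /etc/apache2/ssl-keys/example/COMODO_EV_SSL.ca-bundle.crt

  SSLProtocol -ALL -SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  DocumentRoot /home/example/www/current/web
  # remaining directives as in the question's vhost
</VirtualHost>
```

To confirm the routing, `openssl s_client -connect <server-ip>:443 -servername example.com` followed by a GET with `Host: example.com` should return the site, while the same connection without `-servername` (or with any other Host value) should return 404 and appear in ssl_catchall_log.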