Apache SSL SNI – Stop Default SSL Response on Shared IP Using SNI

Tags: apache-2.2, sni, ssl

Previously I asked a question here: Single domain SSL presented for all domains on Shared IP about setting up secure and non-secure domains on a single IP.

Opinions were mixed, but it appears SNI holds the solution. Unfortunately I cannot get it to work as required.

I would like my server to only send the certificate for domaina.com and no other host names, even if this means sending a 403 error to non-SNI clients. My current configuration on vanilla Ubuntu Server 12.04 LTS is below:

Ports.conf

…
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>
…

Domain A Virtual Host

<VirtualHost *:80>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
    ErrorLog     /var/www/domaina.com/logs/error.log
    CustomLog    /var/www/domaina.com/logs/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/domaina.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/domaina.key
    SSLCertificateChainFile /etc/apache2/ssl/domaina.com.ca-bundle
</VirtualHost>
</IfModule>

Domain B Virtual Host

<VirtualHost *:80>
    ServerName   domainb.com
    ServerAlias  www.domainb.com
    DocumentRoot /var/www/domainb.com/public
    ErrorLog     /var/www/domainb.com/logs/error.log
    CustomLog    /var/www/domainb.com/logs/access.log combined
</VirtualHost>

apache2ctl -S

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server domaina.com (/etc/apache2/sites-enabled/domaina.com:12)
         port 443 namevhost domaina.com (/etc/apache2/sites-enabled/domaina.com:12)
*:80                   is a NameVirtualHost
         default server domaina.com (/etc/apache2/sites-enabled/domaina.com:3)
         port 80 namevhost domaina.com (/etc/apache2/sites-enabled/domaina.com:3)
         port 80 namevhost domainb.com (/etc/apache2/sites-enabled/domainb.com:1)
Syntax OK

How can you get rid of the defaults?

Best Answer

You literally cannot do what you are asking while keeping both domains on the same IP address.

As it is now, you have both domains (domaina.com and domainb.com) on the same IP address. Then you have opened port 80 for HTTP and port 443 for HTTPS. As you have noticed, the port is open for all domains on the server; it can't be closed for just one domain while remaining open for any other.

If you do not want SSL to be open at all for domainb.com, you will need to put domainb.com on a separate IP address.
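As an added example, not part of the question or the accepted answer: the asker accepted a 403 for non-SNI clients, and mod_ssl's SSLStrictSNIVHostCheck directive (Apache 2.2.12 and later) does exactly that when set in the default *:443 virtual host. It does not change the answer's point: the TLS handshake still presents domaina.com's certificate, because it completes before any HTTP response can be sent; only the request that follows is denied. Paths and host names below are the asker's; the openssl commands are assumed to run from a separate client host.

```apache
# Added example (not the asker's or the answerer's configuration).
# Requires Apache 2.2.12+ with mod_ssl. The first *:443 vhost is the default
# for this IP/port, so its certificate is what a client without SNI sees.
<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443

<VirtualHost *:443>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/domaina.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/domaina.key
    SSLCertificateChainFile /etc/apache2/ssl/domaina.com.ca-bundle
    # Set in the default vhost: every client that sends no SNI is refused
    # (HTTP 403) for every name-based vhost on this IP/port. The handshake
    # itself still completes with this certificate.
    SSLStrictSNIVHostCheck on
</VirtualHost>
</IfModule>

# Check what a client actually receives (run from another host):
#   with SNI:
#     openssl s_client -connect domaina.com:443 -servername domaina.com \
#       </dev/null 2>/dev/null | openssl x509 -noout -subject
#   without SNI (OpenSSL 1.1.1+ sends SNI by default, so add -noservername):
#     openssl s_client -connect domaina.com:443 -noservername \
#       </dev/null 2>/dev/null | openssl x509 -noout -subject
# Both print domaina.com's subject: the certificate is served either way,
# which is the accepted answer's point; only the HTTP response differs.
```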
