SSL – What Apache VirtualHost configuration will serve one and only one domain over SSL

apache-2.4, ssl

I have multiple domains (example1.com, example2.com, ...) hosted on the same IP. One of these domains (example3.com) has an SSL certificate and I want to serve it over HTTPS, while keeping all the other sites on HTTP. I have this set up and working correctly, so far.

My problem is that requests to https://www.example1.com (note the s) are getting handled by the apache configuration section for example3.com (which begins <VirtualHost *:443>), which causes problems as this is a Django site, and amongst other things it generates a 400 Bad Request due to example1.com not being in Django's ALLOWED_HOSTS setting.

I understand that the nature of SSL means that the Host: header is not known until after the secure connection is established. But is there a way of getting apache to reject any requests over HTTPS that are not for example3.com?

I had expected use of the ServerName directive within the SSL VirtualHost to restrict that section to just the named host, but upon closer inspection of the docs it seems that is only the case for name-based virtual hosts.

Edit: I have tried adding a catch-all default as the first section, like the following:

<VirtualHost *:443>
  ServerName default.only
  <Location />
    Require all denied
  </Location>
</VirtualHost>

This causes the following error:

[Thu Dec 04 10:31:27.922801 2014] [mpm_event:notice] [pid 10498:tid 3074255488] AH00491: caught SIGTERM, shutting down
[Thu Dec 04 10:31:29.928483 2014] [ssl:emerg] [pid 30518:tid 3074300544] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Thu Dec 04 10:31:29.928551 2014] [ssl:emerg] [pid 30518:tid 3074300544] AH02312: Fatal error initialising mod_ssl, exiting.

Best Answer

The errors you have posted indicate that you haven't included the relevant necessary SSL configuration for your domains; for any domains/subdomains you wish to be accessible via SSL, you will need to provide the relevant information for the certificate, etc., in the VirtualHost configuration(s) for the domains in question, e.g.:

<VirtualHost _default_:443>
    DocumentRoot /var/www/html/example1.com
    ServerName example1.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5:!DSS
    SSLHonorCipherOrder on

    SSLCertificateFile /etc/pki/tls/certs/example1certificate.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example1privatekey.key
    SSLCertificateChainFile /etc/pki/tls/certs/certificatechainfile.pem
    SSLCACertificateFile /etc/pki/tls/certs/certificateauthority.pem
</VirtualHost>

You will then need to create appropriate VirtualHost segments for the rest of your domains, but in these you will of course only configure the listen port to be 80, with no SSL configuration options, e.g.:

<VirtualHost _default_:80>
    DocumentRoot /var/www/html/example2.com
    ServerName example2.com
</VirtualHost>

Hope this helps!

PS: the above configurations for SSLCipherSuite and SSLProtocol are good - you can use them to save you time researching other possible configurations if you wish.
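The catch-all approach from the question can be made to work once the default vhost carries its own SSLEngine and certificate, which is what the AH02240 error in the question is complaining about. The following is an added example, not config from the question or the answer; the file paths, the `default.only` name from the question and the example3.com site layout are assumed, and the catch-all simply reuses example3.com's certificate because that is the only one this server has (mismatched-name clients would be shown it anyway).

```apache
# Added example: a deny-everything default SSL vhost that mod_ssl will accept,
# followed by the one site that should actually be reachable over HTTPS.
# Apache picks the FIRST <VirtualHost *:443> for any TLS request whose SNI
# name (and then Host: header) matches no later ServerName/ServerAlias, so
# putting the catch-all first is what keeps https://www.example1.com/ away
# from the example3.com (Django) section.

# 1. Default vhost: must be SSL-aware or mod_ssl refuses to start (AH02240).
<VirtualHost *:443>
    ServerName default.only
    SSLEngine on
    # Placeholder paths: reuse the only certificate this server has.
    SSLCertificateFile      /etc/pki/tls/certs/example3certificate.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/example3privatekey.key
    SSLCertificateChainFile /etc/pki/tls/certs/certificatechainfile.pem

    # Refuse every request that landed here instead of on example3.com,
    # before it reaches any application code.
    <Location />
        Require all denied
    </Location>

    # Keep the rejected requests visible in their own log (placeholder path).
    ErrorLog /var/log/httpd/ssl-default-error.log
</VirtualHost>

# 2. The one site served over HTTPS; only its names select this section.
<VirtualHost *:443>
    ServerName example3.com
    ServerAlias www.example3.com
    DocumentRoot /var/www/html/example3.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/example3certificate.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/example3privatekey.key
    SSLCertificateChainFile /etc/pki/tls/certs/certificatechainfile.pem
    # ... WSGI / proxy directives for the Django site go here ...
</VirtualHost>
```

`apachectl configtest` reports the AH02240 error before a reload, and `apachectl -S` lists the vhosts per port and marks which one is the default for *:443. After the reload, `curl -k https://www.example1.com/` from a client that resolves the name to this IP should return a 403 from Apache instead of the 400 from Django.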
