Two domains (when SSL) on same directory

My apache2 configuration is problematic: I have two websites on a server:

  • domain1.tdl
  • domain2.tdl

One of them (domain2.tdl) must be and is accessible on port 443 (with SSL). All domains must be and are accessible on port 80. But when we try to access domain1.tdl on port 443, the domain2.tdl files are displayed. So, on port 443, domain2.tdl is accessible as both domain1.tdl and domain2.tdl. I don't want that!

My configuration:

domain1.tdl:

<VirtualHost *:80>
  DocumentRoot /home/sites/domain1.tdl/www
  ServerName domain1.tdl
  ServerAlias www.domain1.tdl
  ServerAdmin [email protected]
  RewriteEngine on
  <Directory "/home/sites/domain1.tdl/www">
    AllowOverride All
    allow from all
    Options -Indexes
  </Directory>
</VirtualHost>

<VirtualHost *:443>
  DocumentRoot /home/sites/domain1.tdl/www
  ServerName domain1.tdl
  ServerAlias www.domain1.tdl
  ServerAdmin [email protected]
  RewriteEngine on
  <Directory "/home/sites/domain1.tdl/www">
    AllowOverride All
    allow from all
    Options -Indexes
  </Directory>
</VirtualHost>

domain2.tdl:

<VirtualHost *:80>
  DocumentRoot "/home/sites/domain2.tdl/web"
  ServerName domain2.tdl
  ErrorLog /var/log/apache2/site/error_domain2.tdl.log
  CustomLog /var/log/apache2/site/access_domain2.tdl.log combined
  <Directory "/home/sites/domain2.tdl/web">
    allow from all
    Options -Indexes
  </Directory>
  ServerAlias www.domain2.tdl
</VirtualHost>

<VirtualHost domain2.tdl:443>
  DocumentRoot "/home/sites/domain2.tdl/web"
  ServerName domain2.tdl
  ErrorLog /var/log/apache2/site/error_domain2.tdl.log
  CustomLog /var/log/apache2/site/access_domain2.tdl.log combined

  SSLEngine on
  SSLCertificateFile /etc/ssl/private/domain2.tdl/domain2.tdl.crt
  SSLCertificateKeyFile /etc/ssl/private/domain2.tdl/domain2.tdl.key
  SSLCACertificateFile /etc/ssl/private/domain2.tdl/GandiStandardSSLCA.pem
  SSLVerifyClient None

  <Directory "/home/sites/domain2.tdl/web">
    allow from all
    Options -Indexes
  </Directory>
  ServerAlias www.domain2.tdl
</VirtualHost>

Solution 1:

Explanation

When you're using NameVirtualHosts, Apache will use the host name given in the Host: header to determine which of your virtual hosts you're supposed to access. This has historically been problematic with SSL: since the entire session is encrypted, including the Host: header, Apache needs to decrypt the session before it can determine which virtual host to use. But the information needed to do the decryption is inside a VirtualHost section, creating a catch-22: Apache needs a VirtualHost but it can't know which one, so it will pick the first one it finds.

More recent implementations of SSL include SNI, which makes it possible to give the host name unencrypted. But in order for that to work, both the server and the client need to run fairly recent versions of SSL, and while you can control the server, often you can't control the client.

Solution

First, since you don't want domain1.tdl to be reachable through SSL, you can simply remove the VirtualHost:443 section for domain1. (This won't solve this current problem, but you shouldn't keep configuration around if you don't want to use it; at some point it will cause you problems!)

Second, you will need to create some way to check for the correct hostname after the SSL negotiation, and to only allow traffic to the correct hostname. The simplest way would be to use mod_rewrite and do a header check, and reject all traffic without the correct hostname. Here's an example:

# Turn rewriting on. Apache does not allow trailing comments after a
# directive, so each comment sits on its own line.
RewriteEngine On

# If the Host header is NOT (www.)domain2.tdl (note the leading "!") ...
RewriteCond %{HTTP_HOST} !^(www\.)?domain2\.tdl$ [NC]
# ... redirect to plain http on the hostname that was used, keeping the path intact.
# "^/?" drops the leading slash of the URL-path so the target is not "http://host//path";
# [R,L] forces an external redirect (a same-host absolute URL would otherwise be
# rewritten internally) and stops further rule processing.
RewriteRule ^/?(.*) http://%{HTTP_HOST}/$1 [R,L]

If you would prefer to simply let them know that access isn't allowed, you can issue an error message:

# Turn rewriting on (comments must be on their own lines).
RewriteEngine On

# If the Host header is NOT (www.)domain2.tdl (note the leading "!") ...
RewriteCond %{HTTP_HOST} !^(www\.)?domain2\.tdl$ [NC]
# ... answer with a "403 Forbidden" error page instead of serving anything.
RewriteRule .* - [F]

These commands should be inside the VirtualHost directive for domain2.tdl:443.
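As an added example that is not part of the original question or answer: the rewrite guard only protects domain2.tdl's vhost once Apache has already picked it. The more robust fix is to make the first-loaded *:443 vhost a dedicated catch-all that refuses everything, so domain2.tdl's DocumentRoot is never the fallback for an unknown or absent SNI name. The configuration below does both. DocumentRoots, log directory and certificate paths are copied from the question; the catch-all ServerName, its empty DocumentRoot and log file names are assumptions, and the Gandi intermediate is moved to SSLCertificateChainFile since SSLCACertificateFile is only consulted for client-certificate verification, which the original config has switched off.

```apache
# Added example, not the asker's or the answerer's configuration.
# Load order matters: put the catch-all in a file that sorts first in
# sites-enabled (e.g. 000-default-ssl.conf). Apache 2.2 needs the
# NameVirtualHost line; 2.4 ignores it with a warning.
NameVirtualHost *:443

# 1. Catch-all for *:443, loaded FIRST. A request whose SNI/Host name
#    matches no other vhost (domain1.tdl, a bare IP, a non-SNI client)
#    lands here and is refused instead of reaching domain2.tdl's files.
<VirtualHost *:443>
  ServerName   default.invalid
  DocumentRoot /var/www/empty
  ErrorLog     /var/log/apache2/site/error_default-ssl.log
  CustomLog    /var/log/apache2/site/access_default-ssl.log combined

  SSLEngine on
  # Any certificate works here: clients that end up in this vhost get a
  # name-mismatch warning, which is acceptable for a host whose only job
  # is to say no.
  SSLCertificateFile    /etc/ssl/private/domain2.tdl/domain2.tdl.crt
  SSLCertificateKeyFile /etc/ssl/private/domain2.tdl/domain2.tdl.key
  # Clients that send no SNI get 403 for every name on this ip:port rather
  # than being silently handed the first vhost (this is the caveat the
  # answer raises about old clients; decide whether you can afford it).
  SSLStrictSNIVHostCheck on

  <Location />
    Order deny,allow
    Deny from all
    # Apache 2.4 without mod_access_compat: use "Require all denied" instead.
  </Location>
</VirtualHost>

# 2. The real site. Use the same "*:443" address as the catch-all:
#    "<VirtualHost domain2.tdl:443>" resolves to a fixed IP at startup and
#    is then matched as an IP-based vhost, outside the "*:443" name-based
#    group, which is one reason name-based selection misbehaved here.
<VirtualHost *:443>
  ServerName   domain2.tdl
  ServerAlias  www.domain2.tdl
  DocumentRoot "/home/sites/domain2.tdl/web"
  ErrorLog     /var/log/apache2/site/error_domain2.tdl.log
  CustomLog    /var/log/apache2/site/access_domain2.tdl.log combined

  SSLEngine on
  SSLCertificateFile      /etc/ssl/private/domain2.tdl/domain2.tdl.crt
  SSLCertificateKeyFile   /etc/ssl/private/domain2.tdl/domain2.tdl.key
  # Intermediate CA sent to clients so the chain validates. In Apache
  # 2.4.8+ this directive is deprecated: append the PEM to the .crt instead.
  SSLCertificateChainFile /etc/ssl/private/domain2.tdl/GandiStandardSSLCA.pem
  SSLVerifyClient none

  # Belt and braces: even if this vhost is selected for some other name,
  # refuse any request whose Host header is not this site.
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^(www\.)?domain2\.tdl$ [NC]
  RewriteRule .* - [F]

  <Directory "/home/sites/domain2.tdl/web">
    allow from all
    Options -Indexes
  </Directory>
</VirtualHost>

# 3. domain1.tdl keeps only its *:80 vhost; its *:443 block is deleted
#    entirely, as the answer recommends.
```

To check the result after a reload, run `openssl s_client -connect <server-ip>:443 -servername domain1.tdl` and the same command without `-servername`: in both cases an HTTP request for `/` with `Host: domain1.tdl` must come back 403, and only `-servername domain2.tdl` with `Host: domain2.tdl` should return domain2's content.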