Two domains (when SSL) on same directory
My apache2 configuration is problematic: I've two website on a server:
- domain1.tdl
- domain2.tdl
One of them (domain2.tdl) must be and is accessible on port 443 (with SSL). All domains must be and are accessible by port 80. But when we try to access to domain1.tdl on port 443 the domain2.tdl files are display. So, on port 443, domain2.tdl is accessible by domain1.tdl and domain2.tdl. I don't want it !
My configuration:
domain1.tdl:
<VirtualHost *:80>
DocumentRoot /home/sites/domain1.tdl/www
ServerName domain1.tdl
ServerAlias www.domain1.tdl
ServerAdmin [email protected]
RewriteEngine on
<Directory "/home/sites/domain1.tdl/www">
AllowOverride All
allow from all
Options -Indexes
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /home/sites/domain1.tdl/www
ServerName domain1.tdl
ServerAlias www.domain1.tdl
ServerAdmin [email protected]
RewriteEngine on
<Directory "/home/sites/domain1.tdl/www">
AllowOverride All
allow from all
Options -Indexes
</Directory>
domain2.tdl:
<VirtualHost *:80>
DocumentRoot "/home/sites/domain2.tdl/web"
ServerName domain2.tdl
ErrorLog /var/log/apache2/site/error_domain2.tdl.log
CustomLog /var/log/apache2/site/access_domain2.tdl.log combined
<Directory "/home/sites/domain2.tdl/web">
allow from all
Options -Indexes
</Directory>
ServerAlias www.domain2.tdl
</VirtualHost>
<VirtualHost domain2.tdl:443>
DocumentRoot "/home/sites/domain2.tdl/web"
ServerName domain2.tdl
ErrorLog /var/log/apache2/site/error_domain2.tdl.log
CustomLog /var/log/apache2/site/access_domain2.tdl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/private/domain2.tdl/domain2.tdl.crt
SSLCertificateKeyFile /etc/ssl/private/domain2.tdl/domain2.tdl.key
SSLCACertificateFile /etc/ssl/private/domain2.tdl/GandiStandardSSLCA.pem
SSLVerifyClient None
<Directory "/home/sites/domain2.tdl/web">
allow from all
Options -Indexes
</Directory>
ServerAlias www.domain2.tdl
</VirtualHost>
Solution 1:
Explanation
When you're using NameVirtualHosts, Apache will use the host name given in the Host: header to determine which of your virtual hosts you're supposed to access. This has historically been problematic with SSL - since the entire session is encrypted, including the Host: header, Apache needs to decrypt the session before it can determine which virtual host to use. But the information needed to do the decryption is inside a VirtualHost section, creating a catch 22 - apache needs a VirtualHost but it can't know which one, so it will pick the first one it finds.
More recent implementations of SSL include SNI, which makes it possible to give the host name unencrypted. But in order for that to work, both the server and the client need to run fairly recent versions of SSL, and while you can control the server, often you can't control the client.
Solution
First, since you don't want domain1.tdl to be reachable through SSL, you can simply remove the VirtualHost:443 section for domain1. (This won't solve this current problem, but you shouldn't keep configuration around if you don't want to use it; at some point it will cause you problems!)
Second, you will need to create some way to check for the correct hostname after the SSL negotiation, and to only allow traffic to the correct hostname. The simplest way would be to use mod_rewrite and do a header check, and reject all traffic without the correct hostname. Here's an example:
RewriteEngine On # to turn rewriting on
RewriteCond %{HTTP_HOST} ^(www.)?domain2.tdl # If http_host doesn't match (www.)domain2.tdl
RewriteRule (.*) http://%{HTTP_HOST}/$1 # then redirect to http for the hostname that was used, keeping the path intact
If you would prefer to simply let them know that access isn't allowed, you can issue an error message:
RewriteEngine On # to turn rewriting on
RewriteCond %{HTTP_HOST} ^(www.)?domain2.tdl # If http_host doesn't match (www.)domain2.tdl
RewriteRule (.*) - [F] # then issue a "403 Forbidden" error page
These commands should be inside the VirtualHost directive for domain2.tdl:443.