Stop default SSL response on Shared IP using SNI
Previously I asked a question here: Single domain SSL presented for all domains on Shared IP about setting up secure and non-secure domains on a single IP.
Opinions were mixed, but it appears SNI holds the solution. Unfortunately I cannot get it to work as required.
- https://domaina.com — Works as expected
- https://domainb.com — Presents domaina.com certificate, not as expected. I would like it to not respond to SSL requests.
I would like my server to only send the certificate for domaina.com and no other host names, even if this means sending a 403 error to non-SNI clients. My current configuration on vanilla Ubuntu Server 12.04 LTS is below:
Ports.conf
…
<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443
</IfModule>
…
Domain A Virtual Host
<VirtualHost *:80>
ServerName domaina.com
ServerAlias www.domaina.com
DocumentRoot /var/www/domaina.com/public
ErrorLog /var/www/domaina.com/logs/error.log
CustomLog /var/www/domaina.com/logs/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName domaina.com
ServerAlias www.domaina.com
DocumentRoot /var/www/domaina.com/public
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/domaina.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/domaina.key
SSLCertificateChainFile /etc/apache2/ssl/domaina.com.ca-bundle
</VirtualHost>
</IfModule>
Domain B Virtual Host
<VirtualHost *:80>
ServerName domainb.com
ServerAlias www.domainb.com
DocumentRoot /var/www/domainb.com/public
ErrorLog /var/www/domainb.com/logs/error.log
CustomLog /var/www/domainb.com/logs/access.log combined
</VirtualHost>
apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server domaina.com (/etc/apache2/sites-enabled/domaina.com:12)
port 443 namevhost domaina.com (/etc/apache2/sites-enabled/domaina.com:12)
*:80 is a NameVirtualHost
default server domaina.com (/etc/apache2/sites-enabled/domaina.com:3)
port 80 namevhost domaina.com (/etc/apache2/sites-enabled/domaina.com:3)
port 80 namevhost domainb.com (/etc/apache2/sites-enabled/domainb.com:1)
Syntax OK
How can you get rid of the defaults?
You literally cannot do what you are asking while keeping both domains on the same IP address.
As it is now, you have both domains (domaina.com and domainb.com) on the same IP address. Then you have opened port 80 for HTTP and port 443 for HTTPS. As you have noticed, the port is open for all domains on the server; it can't be closed for just one domain while remaining open for any other.
If you do not want SSL to be open at all for domainb.com, you will need to put domainb.com on a separate IP address.
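An added example, not taken from the question or the answer above: a small POSIX shell script that reports which certificate a server on a shared IP presents for each hostname, with and without SNI, using `openssl s_client`. It assumes `openssl(1)` is installed; the host, port and names are placeholders. The `-noservername` flag used for the no-SNI probe exists from OpenSSL 1.1.1 onward; older `s_client` versions send no SNI unless `-servername` is given, so drop the flag there. With the configuration in the question (one SSL vhost on *:443), every probe, including the no-SNI one, comes back with the domaina.com certificate, which is exactly the behaviour the answer describes.

```shell
#!/bin/sh
# Added example, not part of the question or answer above: report which
# certificate a TLS server on a shared IP presents for each hostname, with
# and without SNI. Requires openssl(1). Host, port and names below are
# placeholders, not values from the original post.

# Pull the subject CN out of `openssl x509 -noout -subject` output. Handles
# both "subject=CN = example.com" (OpenSSL 1.1+) and
# "subject= /C=GB/O=Example/CN=example.com" (OpenSSL 1.0).
subject_cn() {
  sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Fetch the subject line of the leaf certificate that $1:$2 serves for SNI
# name $3. An empty $3 means "send no SNI", like a legacy client.
# -noservername needs OpenSSL 1.1.1+ (older versions omit SNI by default).
fetch_cert() {
  if [ -n "$3" ]; then
    printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null
  else
    printf '' | openssl s_client -connect "$1:$2" -noservername 2>/dev/null
  fi | openssl x509 -noout -subject 2>/dev/null
}

# Print the CN served for the given SNI name, or "none" (exit 1) if no
# certificate came back (port closed, handshake refused, no PEM in output).
served_cn() {
  cn=$(fetch_cert "$1" "$2" "$3" | subject_cn)
  if [ -z "$cn" ]; then
    echo none
    return 1
  fi
  echo "$cn"
}

# Compare what the server sends for each name against the name itself.
# Matching is on CN only: a certificate that lists the name in its
# subjectAltName but carries another CN is reported as a mismatch here.
# The no-SNI probe (name "") is only reported, never judged.
check_names() {
  host=$1; port=$2; shift 2
  rc=0
  for name in "$@"; do
    got=$(served_cn "$host" "$port" "$name") || true
    if [ -z "$name" ]; then
      echo "(no SNI) -> $got"
    elif [ "$got" = "$name" ]; then
      echo "$name -> $got (matches)"
    else
      echo "$name -> $got (MISMATCH)"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh check_sni.sh <host-or-ip> <port> name1 [name2 ...]
# Pass "" as a name to probe without SNI. Example with placeholder values:
#   sh check_sni.sh 203.0.113.10 443 domaina.com domainb.com ""
if [ $# -ge 3 ]; then
  check_names "$@"
fi
```

Run it against the shared IP with both names plus the empty no-SNI probe; a line marked MISMATCH for domainb.com is the default vhost's certificate being handed out, and the exit status is non-zero so the check can sit in a deployment script.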