I have multiple SSL vhosts and non-SSL vhosts served from a single server. If one of the non-SSL vhosts is accessed using "https", the first SSL directive is used. Is there some setting to make it so that only vhosts with explicitly matching server names can be used?

So, let's say I have www.a.com, www.b.com, and www.c.com.

Let's say I also have https://www.a.com and https://www.b.com.

If I go to https://www.c.com, it is the same as using the site https://www.a.com. This is undesired behavior. Is there something I could set so that no site would be used?

    • The first defined virtual host for a given IP+port combination is default. As Lieko suggests below, you could create a default vhost that doesn't match your existing sites and implement custom behavior.

I don't believe so as Apache will just read the first 443 port that it sees and will present that to the user.

You could provide a blank directory with a .htaccess page inside that could catch what is coming in and redirect to the http version. You can do this using the following:

    # .htaccess in the otherwise empty document root of the default SSL vhost:
    # any request that arrived over HTTPS is sent back to the same host and path over plain HTTP.
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Don't forget to put the httpd.conf configuration for the .htaccess directory at the beginning, before the first 443 entry.


You must have a default vhost for SSL connections. But it doesn't have to contain any content, so you can create a new vhost for that purpose and use a self-signed certificate.

That default vhost must be configured to support a new enough SSL version to receive the SNI from the client [source: Apache Wiki]. It may be configured with SSLStrictSNIVHostCheck to disallow clients without SNI support.

As far as I can tell from those links, clients which do support SNI, but report a domain name for which you don't have an explicit matching vhost will always end up on the default vhost, which is why you might want one without content.

Neither approach is really good for a domain without HTTPS, since it won't give a good user experience. Instead I recommend that you either support HTTPS on all your domains (it is possible to get a certificate for free), or instead use different IP addresses for domains with and without HTTPS support.

    • An additional risk of sharing one IP between HTTP and HTTPS sites is that if the default HTTPS vhost has HSTS enabled, one accidental HTTPS request for a hostname without a HTTPS vhost poisons that user's browser for the HTTP site.
    • @BillCole It is not an impossible scenario, but it does require a few more things to go wrong. The client shouldn't trust the HSTS header unless it was received over an SSL connection with a valid certificate. So if the client is well-behaved, then the scenario you describe can only happen if you acquire a valid certificate for a domain name which you intend to use as HTTP-only. If you do manage to configure a setup where this would happen, then using two separate IP addresses is not enough to make it reliable.
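Putting the two answers above together, as an added example that is not from any poster on this page: an Apache 2.4 httpd.conf fragment for the question's hosts, where the first vhost on *:443 is an empty default with a self-signed certificate, so https://www.c.com no longer serves www.a.com's content. The certificate paths and /var/www/empty are assumptions.

```apache
# Added example, not from any answer on this page. Assumes Apache 2.4 and the
# certificate/key paths shown; /var/www/empty is an empty directory.
Listen 443

# Refuse TLS clients that send no SNI at all, so they cannot fall through
# to the default vhost and be handed some other site's content.
SSLStrictSNIVHostCheck on

# The FIRST vhost on a given address:port is the default. Keep it empty.
<VirtualHost *:443>
    ServerName default.example.invalid
    DocumentRoot /var/www/empty
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/default-selfsigned.key
    # Any hostname without an explicit HTTPS vhost (e.g. www.c.com) lands here.
    # Answer 404 for every path instead of serving www.a.com's pages.
    Redirect 404 /
    # Deliberately no Strict-Transport-Security header here: HSTS on the
    # catch-all would pin HTTP-only hostnames to HTTPS in visiting browsers.
</VirtualHost>

# Real HTTPS sites, selected by the SNI hostname the client sends.
<VirtualHost *:443>
    ServerName www.a.com
    DocumentRoot /var/www/a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.a.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.a.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.b.com
    DocumentRoot /var/www/b
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.b.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.b.com.key
</VirtualHost>

# www.c.com stays HTTP-only: define it on *:80 only, never on *:443.
```

A browser opening https://www.c.com will first see the self-signed certificate warning and then a 404, never www.a.com's content; `openssl s_client -servername www.c.com -connect <server>:443` shows which certificate the server picked for that name.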

Use one IP address for virtual hosts which won't use SSL, and a separate IP address for virtual hosts which do use SSL. Ensure that your Listen and VirtualHost directives for SSL specify that IP address explicitly, rather than, e.g. *:443.

