
Set Apache2 to deny SSL connection to vhost without cert

Currently when a host is pointed to it that doesn't have a vhost entry, Apache will try to serve a certificate for the wrong host (which happens to be the first alphabetical). This is in spite of the fact that the ServerName in the vhost conf doesn't match.

If I try to create a default SSL vhost it will fail (apache2 exits) because it doesn't have a cert.

All the certs are LE and installed using certbot.

So my questions are:

  1. Why does Apache use that config even though the ServerName is different?

  2. How can I set it to simply deny the connection instead of the above?

    • I don't know what you mean by 'create a default SSL vhost', but the default vhost -- which is (by definition) used for connections/requests that don't match any named vhost -- is the first one in the config file and thus already exists. It should not be the first in alpha order by ServerName unless your config is in alpha order by ServerName, which you might do intentionally, or might happen if you use the Debian scheme of individual files per vhost with links in sites-enabled/$hostname which are all Include'd in filename=hostname order.
    • ... If clients are accessing your server with names you don't own (or don't even know) and can't get cert(s) for, I don't know of any really good solution. Although if only the leftmost label is unknown -- i.e. able.example.com baker.example.com etc. -- you could get a wildcard cert for *.example.com (supported by LE as of this year) and put it in a new first vhost (which becomes the default) and configure it to give an error response (or error page) for all requests.
    • Apache will not use the default vhost because it only listens on port 80, not 443. They are individual files per vhost, using sites-enabled, as certbot wants. They are not subdomains.
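
Added example, not part of the original thread: a small Python model of the selection rule described in the comments, where Apache picks the first vhost listed for the port when no ServerName or ServerAlias matches, and Debian-style `sites-enabled` files are read in filename order. The file names, hostnames and certificate paths are constructed, and the model assumes `*:port` vhosts with literal names only (wildcard aliases and IP-based matching are not modelled).

```python
import re

# Constructed sample: Debian-style sites-enabled files (names and hosts are made up).
SITES_ENABLED = {
    "000-default.conf": """
<VirtualHost *:80>
    ServerName default.invalid
</VirtualHost>
""",
    "able.example.com-le-ssl.conf": """
<VirtualHost *:443>
    ServerName able.example.com
    SSLCertificateFile /etc/letsencrypt/live/able.example.com/fullchain.pem
</VirtualHost>
""",
    "baker.example.com-le-ssl.conf": """
<VirtualHost *:443>
    ServerName baker.example.com
    ServerAlias www.baker.example.com
    SSLCertificateFile /etc/letsencrypt/live/baker.example.com/fullchain.pem
</VirtualHost>
""",
}

VHOST_RE = re.compile(r"<VirtualHost\s+[^:>\s]+:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def load_vhosts(files):
    """Return vhosts in the order Apache reads them: files sorted by name."""
    vhosts = []
    for fname in sorted(files):
        for port, body in VHOST_RE.findall(files[fname]):
            names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I)
            cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
            vhosts.append({
                "file": fname, "port": int(port),
                "names": [n.lower() for line in names for n in line.split()],
                "cert": cert.group(1) if cert else None,
            })
    return vhosts

def select_vhost(vhosts, host, port):
    """Name match first; otherwise the first vhost listed for that port."""
    on_port = [v for v in vhosts if v["port"] == port]
    for v in on_port:
        if host.lower() in v["names"]:
            return v
    return on_port[0] if on_port else None
```

With this sample, an unknown name on port 443 falls through to `able.example.com-le-ssl.conf` and is offered that vhost's certificate, while the port-80 default in `000-default.conf` is never considered for TLS connections.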
