Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Multiple sites per Apache server with SSL showing wrong site with HTTPS

Tags:

https

ssl

apache

sni

I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.

I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.

The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.

For instance, lets say we have the following sites on the server:

alpha.net
bravo.net
charlie.net (SSL)
delta.net

So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.

http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.

I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.

Has anyone else encountered this before and how did you get around it?

Many thanks,

Rob

like image 617
Rob Avatar asked Sep 28 '13 18:09

Rob

1 Answers

This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)

Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:

RewriteEngine On 
RewriteCond %{HTTPS} on 
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.

like image 114
louije Avatar answered Sep 28 '22 20:09

louije
Sign in to Comment

Related questions

RewriteRule creating 500 Internal Server Error
Apache - Init: Can't open server private key file
How to route in angular 4
org.apache.http.legacy doesn't work on API 28
Laravel undefined function openssl_encrypt()
How to disable all apache virtual hosts?
Disable Track and Trace in apache
Why isn't there a viable mod_ruby for Apache yet?
How can I find out where the httpd.conf file is located?
http://localhost:8080/ Access Error: 404 -- Not Found Cannot locate document: /
FPM with apache2 not working (Permission denied)
Laravel redirects to a route but then apache gives 404 error
XAMPP: Another web server is already running
How to install mod_pagespeed on apache with windows, and from where to download [closed]
How to restrict file upload size limit based on file type in .htaccess
Google SPDY - Has anyone used it on Apache?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!