Topic: Virtualhosts 443

[bartjoo]

Hello there,
i have a question about the virtualhost ssl in apache.

Everything works fine but:

I have 2 domains. 1 with SSL and one without.

The 2 domains both goes to te same ip address.

http://domain1.com
https://domain2.com

but when i go to httpS://domain1.com i got on the https://domain2.com page. I dont want this. I want a reaction : 'there is no https for this site' or a automatic redirect to the http version of domain1.

who can help met with this settings. Is it a settings in the default server options?

I allready tried to make a virtualhost 443 for domain1 and a redirect. But then i got a fault in the browser for both sites.

tnx in advance for help

[Anaksunaman]

Assuming you have the correct software and server setup to support Server Name Indication (http://en.wikipedia.org/wiki/Server_Name_Indication), the method you describe should not be an issue. The information I've included below is based off a working install of what your seem to be describing. The server this is config was taken from is a Win7/x64; Apache/2.4.6; OpenSSL 1.0.1e box.

To summarize, you should end up with three sites with this method:

http://domain1.com (no SSL)
https://domain2.com (SSL with unique key and certificate #1)
https://domain1.com (which redirects automagically back to http://domain1.com) - (SSL with unique key and certificate #2)

Prerequisites - Software:

* OS - Not Windows XP (SNI will not work on this OS, period; must be Vista or later for Windows.) MAC OS X 10.5.7+, Ubuntu 10+ and Fedora 10+ should be fine. Other Linux distros may need additional scrutiny for support (including RHEL 5.x/CentOS 5.x/Debian 5.x).
* Browser - I.E. 7+, Firefox 2.0+, Opera 8+ (2005 or later with TLS 1.1 enabled), Chrome 6+, Android (2.2+) and iOS support will vary.
* Server - Apache 2.2.12 or 2.4+ with mod_ssl; OpenSSL - 0.9.8f or later (which should have "TLS Extensions"; OpenSSL 0.9.8k and later has this enabled by default). Note Apache must have been built with that OpenSSL. If so, mod_ssl will automatically detect the availability of the TLS extensions and support SNI. Apache must use that OpenSSL at run-time.

(http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI)

Server Setup:
You need a server setup that supports multiple SSL sites on the same IP address before you think about redirection. Therefore:

1.) Generate/obtain certificates and key files for both SSL domains you will have - the default SSL domain setup in httpd-conf.ssl and the mirror SSL site you wish to redirect back to HTTP.
2.) Make sure the default SSL site is working correctly. This is important to test that your have a working SSL server at all.
3.) Make sure your SSL mirror is working correctly without redirection. Placing a simple text file in the root directory for this site should do.

The first (default) vhost for SSL name-based virtual hosts must include TLSv1 as a permitted protocol, otherwise Apache will not accept the SNI information from the client and it will be as if the client did not support SNI at all. This is what a basic working vhosts entry for this setup should look like: