Topic: Blocking invalid subdomains before SSL certificate is served

[skynet]

Hi,

My Apache server config is as below.

Version: Apache/2.4.52
OS: Ubuntu (22.04)

I have many number of virtual hosts that are created and deleted automatically through a script with SSL certificates from lets-encrypt, I have a requirement where if invalid subdomains when requested should be blocked immediately terminating tcp connection and without serving default SSL certificate(main domain's SSL), is there any simple way to achieve this?.

I don't/cant have wildcard certificate for main domain for some reasons.

[skynet]

Hi,
Can anyone help on this?.

[James Blond]

Hello,
there is no way of blocking that. First, there is the TCP connection, then the SSL Handshake and the client sends the requested name. See RFC 3546 Section 2.3
Without SNI you need a single IP address for each vhost.


[1] https://datatracker.ietf.org/doc/html/rfc3546#section-2.3

[skynet]

Hi,
Thanks for the reply, any alternate simple solution, like WAF can block these?.
I am using pfsense firewall infront and using port forwarding to 80 and 443 to apache.

[James Blond]

You can. If you use the HAproxy package to connect to Apache you can drop the connections. See https://discourse.haproxy.org/t/deny-access-for-haproxy-vip-address/8781/3