logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: create error page for no-exist SSL virtual host in apache2
Author
peter.debnar



Joined: 19 Jan 2024
Posts: 4
Location: Ruzomberok

PostPosted: Fri 19 Jan '24 9:02    Post subject: create error page for no-exist SSL virtual host in apache2 Reply with quote

hello,

I have virtual host in apache2 (Ubuntu) on servers where are 15 virtual hosts (HTTP) and 3 virtual hosts HTTPS. if I make a request in the browser to an address that doesn't have an HTTPS virtual host in Apache2 (I don't even have a certificate), then I get the first HTTPS page from this server (first SSL virtual host with certificate), which is not good. i would like to get an apache error saying the https page does not exist in such a case. how and where should I set it?
loud listening

thank you form help,
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Sun 21 Jan '24 19:10    Post subject: Reply with quote

This can be done with some simple mod_rewrite logic in your default virtual host.

Basically, check if the host header matches the hostname of your first (required) SSL host certificate, and if not rewrite the request to a suitable error page hosted from your default site, e.g.
Code:

  RewriteEngine On
  RewriteOptions InheritBefore

  RewriteCond "%{HTTP_HOST}" "!=required.hostname.com" [NC,NV]
  RewriteRule ".*" "/error.html"

Enable mod_rewrite near the top of your configuration file, if not already in use.
Back to top
peter.debnar



Joined: 19 Jan 2024
Posts: 4
Location: Ruzomberok

PostPosted: Mon 22 Jan '24 8:33    Post subject: Reply with quote

yes, I know this method, but I need to have a certificate for it - so that I can subsequently do the redirection. but is there any way to do this without a certificate? I don't even want to make an SSL host for some sites, I just want to have e.g. displayed information that the page does not exist if someone enters HTTPS pages without a certificate into the browser
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Mon 22 Jan '24 21:45    Post subject: Reply with quote

For HTTPS connections Apache uses Server Name Indication (SNI) to determine which certificate to send back to the client, based on the host name in their TLS request and your available VHOSTS (and corresponding certificates). All modern browsers support the SNI TLS extension.

So by definition, if one of your clients requests a secure connection for one of your non-secure sites (one for which there is no corresponding secure VHOST), then they'll have already been sent the certificate from your default secure VHOST, and presumably accepted the mis-match challenge.

So on the basis that the client is now connected to your default secure VHOST, why can't your send them an appropriate custom error page, which includes a suitable redirect link for them to follow?

If you don't want to send the default secure VHOST certificate back to the client, for mis-matching site requests, then take a look at the SSLStrictSNIVHostCheck directive. However, this will cause the client TLS handshake to fail and they'll get a somewhat terse error message, which is probably not what you want.
Back to top
peter.debnar



Joined: 19 Jan 2024
Posts: 4
Location: Ruzomberok

PostPosted: Tue 30 Jan '24 10:57    Post subject: Reply with quote

but in the case of default SSL host, I must to create a certificate (some multisite?) for all addresses anyway. so if I have the sites site1.ku.sk, site2.ku.sk, site3.ku.sk ... and I have an SSL virtul host only for site1.ku.sk ... then the default SSL host must have a certificate ( multisite) for site2.ku.sk and site3.ku.sk? so do I still have to have a certificate for these 2 addresses?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Tue 30 Jan '24 21:43    Post subject: Reply with quote

Exactly!
To get rid of error-messages within the client when connecting to your default-vhost with a hostname not available within the certificate the only way is using a certificate with SAN (subject alternate name) for all your hostnames.
As soon you have this certificate there is no need to redirect these requests from https to http anymore Very Happy
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Tue 30 Jan '24 22:00    Post subject: Reply with quote

@mraddi - you beat me to it!

@peter.debnar - I think you are making things more complicated than they need to be.

Firstly, unless you're prepared for TLS client requests to be challenged due to a domain mismatch, you will need to configure Apache with a certificate for each domain you're serving. This can be done with individual certificates, or as you suggest, with a multi-domain certificate using Server Alternative Name (SAN) entries.

If a certificate contains a SAN field, then TLS clients are supposed to ignore the Common Name (CN) value and seek a match to one of the domain entries in the SAN list (which should also contain the CN entry).

Whether you choose to have an Apache VHOST for each of the domains in your SAN list is entirely down to you, noting you can choose to add extra domains to a given VHOST (defined with a ServerName directive), by using the ServerAlias directive.

Any client request that doesn't match a ServerName or ServerAlias entry in your defined VHOSTS, will be passed to the default VHOST, where you can choose to handle it accordingly.

One of the key benefits of multi-domain certificates is the opportunity to configure multiple VHOSTS to use the same certificate.
Back to top
peter.debnar



Joined: 19 Jan 2024
Posts: 4
Location: Ruzomberok

PostPosted: Wed 31 Jan '24 8:05    Post subject: Reply with quote

thank you all, I understand (I also thought it was like this from the beginning, that there was no other option). the problem is that a colleague creates certificates for me, who doesn't want to create more certificates for me Very Happy ... so I was looking into whether there really is a way around it without a certificate. you understand Smile
thank you again, have a nice day
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 16 Feb '24 23:45    Post subject: Reply with quote

peter.debnar wrote:
thank you all, I understand (I also thought it was like this from the beginning, that there was no other option). the problem is that a colleague creates certificates for me, who doesn't want to create more certificates for me Very Happy ... so I was looking into whether there really is a way around it without a certificate. you understand Smile
thank you again, have a nice day


use Let's encrypt. Free certificates.
Back to top


Reply to topic   Topic: create error page for no-exist SSL virtual host in apache2 View previous topic :: View next topic
Post new topic   Forum Index -> Apache