Topic: Apache reverse proxy default site

Author: dwwwc
Joined: 14 Sep 2018 Posts: 1
Posted: Fri 14 Sep '18 20:45 Post subject: Apache reverse proxy default site
Hi,

I've got an Apache reverse proxy running on Ubuntu Server 16.04 in combination with Let's Encrypt certbot. The proxy itself is configured with vhosts pointing to some test servers which reside on my LAN. Outside DNS for the test servers points to the proxy, and the test servers are named something like this: sub1.domain.tld, sub2.domain.tld. The proxy itself doesn't have a domain.tld assigned, only an internal server name.

My reverse proxy is exposed to the internet on ports 80 and 443, which is OK. When someone, for example a hacker who just did a port scan, enters http://publicip of the proxy in a browser, the default 000-default site gets presented, which is expected and fine (I created an empty index.html). When the same hacker enters https://publicip of the proxy in a browser, Apache loads the certificate of the first correct vhost and presents that to the browser/end user (probably because it doesn't have a certificate itself). This obviously gives a certificate error to the end user, since the certificate wasn't handed out for an IP but for a domain. I have two problems with Apache presenting that certificate: 1. it's messy, and 2. the hacker is able to see the server name of the first correct vhost by checking the presented certificate info (even when the vhost is walled off with a Location IP directive).

My question is pretty simple: how can I prevent someone with malicious intent from accessing https://publicip?

I tried disabling the default sites with a2dissite default-ssl.conf, but this gives the following behaviour:

enabled: index.html of /var/www/index.html gets loaded, which is good, but the unwanted certificate behaviour still occurs.
disabled: index.html of the first correct vhost gets loaded and the unwanted certificate behaviour also occurs.

I tried putting this inside default-ssl.conf to redirect to http, but that doesn't work either:

Code:
```
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
```

Note: I read somewhere that leaving 000-default.conf enabled is a good security practice, and maybe I'm doing basic things wrong in general; I'm still trying to get familiar with reverse proxies.

Author: James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 16 Oct '18 22:38 Post subject:
You can't prevent that. The SSL connection and the cert are done before the connection to the vhost. Accessing by the IP can only result in a wrong cert.
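An added example, written for this thread and not posted by either participant. The TLS handshake does happen before any vhost is selected, so the certificate warning on https://publicip cannot be removed; what can be controlled is which certificate that client sees. A browser given a bare IP sends no SNI, and for a no-SNI client mod_ssl uses the first vhost loaded for that IP:port, so the real sub1.domain.tld name only leaks because a real vhost happens to load first. A catch-all HTTPS vhost that sorts ahead of the others in sites-enabled and carries a self-signed placeholder keeps the real hostnames out of the handshake, and `SSLStrictSNIVHostCheck on` in that default vhost makes Apache answer 403 to SNI-less clients instead of serving any named vhost on that port. The file name, the `default.invalid` ServerName and the snakeoil certificate paths (Ubuntu's ssl-cert package) are assumptions.

```apache
# Assumed file name: /etc/apache2/sites-available/000-default-ssl.conf
# "000-" makes it sort before the certbot-generated *-le-ssl.conf files,
# so it is the first *:443 vhost Apache loads and therefore the one used
# for clients that send no SNI (bare-IP requests).
<VirtualHost *:443>
    # Placeholder name; never a public hostname, so nothing is disclosed.
    ServerName default.invalid

    SSLEngine on
    # Self-signed placeholder pair from the ssl-cert package (assumed present).
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # In the first (default) name-based vhost this rejects SNI-unaware
    # clients with 403 for every vhost on this IP:port instead of
    # quietly serving them one of the real sites.
    SSLStrictSNIVHostCheck on

    # Nothing to serve here either way.
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Require all denied
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/default-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/default-ssl-access.log combined
</VirtualHost>
```

Enable it with `a2ensite 000-default-ssl`, run `apache2ctl configtest`, then reload Apache. To confirm what an SNI-less client is shown, run `openssl s_client -connect PUBLICIP:443 </dev/null | openssl x509 -noout -subject` without `-servername`: the subject should now be the placeholder, not sub1.domain.tld. Repeating the check with `-servername sub1.domain.tld` should still return the Let's Encrypt certificate, which proves the named vhosts are unaffected.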