logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Blocking invalid subdomains before SSL certificate is served
Author
skynet



Joined: 31 Oct 2023
Posts: 3

PostPosted: Tue 31 Oct '23 14:40    Post subject: Blocking invalid subdomains before SSL certificate is served Reply with quote

Hi,

My Apache server config is as below.

Version: Apache/2.4.52
OS: Ubuntu (22.04)

I have many number of virtual hosts that are created and deleted automatically through a script with SSL certificates from lets-encrypt, I have a requirement where if invalid subdomains when requested should be blocked immediately terminating tcp connection and without serving default SSL certificate(main domain's SSL), is there any simple way to achieve this?.

I don't/cant have wildcard certificate for main domain for some reasons.
Back to top
skynet



Joined: 31 Oct 2023
Posts: 3

PostPosted: Thu 02 Nov '23 9:05    Post subject: No solutions? bump? Reply with quote

Hi,
Can anyone help on this?.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Thu 02 Nov '23 10:31    Post subject: Reply with quote

Hello,
there is no way of blocking that. First, there is the TCP connection, then the SSL Handshake and the client sends the requested name. See RFC 3546 Section 2.3
Without SNI you need a single IP address for each vhost.


[1] https://datatracker.ietf.org/doc/html/rfc3546#section-2.3
Back to top
skynet



Joined: 31 Oct 2023
Posts: 3

PostPosted: Thu 02 Nov '23 11:44    Post subject: Alternate options for blocking Reply with quote

Hi,
Thanks for the reply, any alternate simple solution, like WAF can block these?.
I am using pfsense firewall infront and using port forwarding to 80 and 443 to apache.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Fri 10 Nov '23 14:00    Post subject: Reply with quote

You can. If you use the HAproxy package to connect to Apache you can drop the connections. See https://discourse.haproxy.org/t/deny-access-for-haproxy-vip-address/8781/3
Back to top


Reply to topic   Topic: Blocking invalid subdomains before SSL certificate is served View previous topic :: View next topic
Post new topic   Forum Index -> Apache