Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: create error page for no-exist SSL virtual host in apache2 |
|
Author |
|
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
|
Posted: Fri 19 Jan '24 9:02 Post subject: create error page for no-exist SSL virtual host in apache2 |
|
|
hello,
I have virtual host in apache2 (Ubuntu) on servers where are 15 virtual hosts (HTTP) and 3 virtual hosts HTTPS. if I make a request in the browser to an address that doesn't have an HTTPS virtual host in Apache2 (I don't even have a certificate), then I get the first HTTPS page from this server (first SSL virtual host with certificate), which is not good. i would like to get an apache error saying the https page does not exist in such a case. how and where should I set it?
loud listening
thank you form help, |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Sun 21 Jan '24 19:10 Post subject: |
|
|
This can be done with some simple mod_rewrite logic in your default virtual host.
Basically, check if the host header matches the hostname of your first (required) SSL host certificate, and if not rewrite the request to a suitable error page hosted from your default site, e.g.
Code: |
RewriteEngine On
RewriteOptions InheritBefore
RewriteCond "%{HTTP_HOST}" "!=required.hostname.com" [NC,NV]
RewriteRule ".*" "/error.html"
|
Enable mod_rewrite near the top of your configuration file, if not already in use. |
|
Back to top |
|
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
|
Posted: Mon 22 Jan '24 8:33 Post subject: |
|
|
yes, I know this method, but I need to have a certificate for it - so that I can subsequently do the redirection. but is there any way to do this without a certificate? I don't even want to make an SSL host for some sites, I just want to have e.g. displayed information that the page does not exist if someone enters HTTPS pages without a certificate into the browser |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Mon 22 Jan '24 21:45 Post subject: |
|
|
For HTTPS connections Apache uses Server Name Indication (SNI) to determine which certificate to send back to the client, based on the host name in their TLS request and your available VHOSTS (and corresponding certificates). All modern browsers support the SNI TLS extension.
So by definition, if one of your clients requests a secure connection for one of your non-secure sites (one for which there is no corresponding secure VHOST), then they'll have already been sent the certificate from your default secure VHOST, and presumably accepted the mis-match challenge.
So on the basis that the client is now connected to your default secure VHOST, why can't your send them an appropriate custom error page, which includes a suitable redirect link for them to follow?
If you don't want to send the default secure VHOST certificate back to the client, for mis-matching site requests, then take a look at the SSLStrictSNIVHostCheck directive. However, this will cause the client TLS handshake to fail and they'll get a somewhat terse error message, which is probably not what you want. |
|
Back to top |
|
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
|
Posted: Tue 30 Jan '24 10:57 Post subject: |
|
|
but in the case of default SSL host, I must to create a certificate (some multisite?) for all addresses anyway. so if I have the sites site1.ku.sk, site2.ku.sk, site3.ku.sk ... and I have an SSL virtul host only for site1.ku.sk ... then the default SSL host must have a certificate ( multisite) for site2.ku.sk and site3.ku.sk? so do I still have to have a certificate for these 2 addresses? |
|
Back to top |
|
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
|
Posted: Tue 30 Jan '24 21:43 Post subject: |
|
|
Exactly!
To get rid of error-messages within the client when connecting to your default-vhost with a hostname not available within the certificate the only way is using a certificate with SAN (subject alternate name) for all your hostnames.
As soon you have this certificate there is no need to redirect these requests from https to http anymore |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Tue 30 Jan '24 22:00 Post subject: |
|
|
@mraddi - you beat me to it!
@peter.debnar - I think you are making things more complicated than they need to be.
Firstly, unless you're prepared for TLS client requests to be challenged due to a domain mismatch, you will need to configure Apache with a certificate for each domain you're serving. This can be done with individual certificates, or as you suggest, with a multi-domain certificate using Server Alternative Name (SAN) entries.
If a certificate contains a SAN field, then TLS clients are supposed to ignore the Common Name (CN) value and seek a match to one of the domain entries in the SAN list (which should also contain the CN entry).
Whether you choose to have an Apache VHOST for each of the domains in your SAN list is entirely down to you, noting you can choose to add extra domains to a given VHOST (defined with a ServerName directive), by using the ServerAlias directive.
Any client request that doesn't match a ServerName or ServerAlias entry in your defined VHOSTS, will be passed to the default VHOST, where you can choose to handle it accordingly.
One of the key benefits of multi-domain certificates is the opportunity to configure multiple VHOSTS to use the same certificate. |
|
Back to top |
|
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
|
Posted: Wed 31 Jan '24 8:05 Post subject: |
|
|
thank you all, I understand (I also thought it was like this from the beginning, that there was no other option). the problem is that a colleague creates certificates for me, who doesn't want to create more certificates for me ... so I was looking into whether there really is a way around it without a certificate. you understand
thank you again, have a nice day |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Fri 16 Feb '24 23:45 Post subject: |
|
|
peter.debnar wrote: | thank you all, I understand (I also thought it was like this from the beginning, that there was no other option). the problem is that a colleague creates certificates for me, who doesn't want to create more certificates for me ... so I was looking into whether there really is a way around it without a certificate. you understand
thank you again, have a nice day |
use Let's encrypt. Free certificates. |
|
Back to top |
|
|
|
|
|
|