How to stop HTTPS requests for non-ssl-enabled virtual hosts from going to the first ssl-enabled virtualhost (Apache-SNI)

Jeff asked:

I hope that title is clear.

How do I prevent HTTPS requests for non-ssl-enabled virtual hosts from going to the first ssl-enabled virtualhost (setup is Apache-SNI).

For example, using my abbreviated config below, requests for https://example.com (a non-ssl vhost) are being served by Apache at the ssl-enabled vhost https://example.org. I’d like to disable that behavior and possibly reply with the appropriate HTTP response code (unsure of what that is).

It may not even be possible, but I thought I’d ask.

# I actually have a SNI setup, but it's not demonstrated here.
# I don't think it's relevant in this situation.

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName example.org
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
</VirtualHost>

EDIT: Maybe a mod_rewrite rule in the first ssl-vhost?

My answer:


As the Apache docs say, when no ServerName matches the hostname give in the web request, the first VirtualHost matching the given IP/port combination will be used.

Thus, you merely need to give a default virtual host that serves no content, or content of your choosing, and it must be the first one parsed by Apache when it loads its configuration.

If you don’t want specific hosts to be accessible via https at all, place them on a separate IP address, on which you have configured Apache not to Listen on port 443.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.