How to prevent SSL connections for some Virtual Hosts in Apache

Gary asked:

I’m using Name based Virtual Hosts on ports 80 and 443. Some of the virtual hosts only support port 80. I don’t have, and won’t be getting certificates for these hostnames.

How can I configure Apache to refuse a connection on port 443 to one of the host names?

Eg:

supportsboth.example.com has a certificate, can listen on port 80 and port 443

httponly.example.org does not have a certificate, should be available via regular HTTP only.

The Apache configuration has a virtualhost setting entry for supportsboth.example.com on port 443 only.

Trying to connect to httponly.example.com on port 443 makes Apache use the supportsboth.example.com virtual host’s certificate and details.

This makes the browser report lots of certificate errors as the host names don’t match, and if the user decides to proceed anyway, it still ends up at the wrong site.

What I’d ideally like is a redirect to the HTTP site, but I imagine that would rely on having a valid certificate. My second preference is to simply refuse the connection.

Michael’s answer below of putting the SSL-capable names on a separate IP is not available to me as both the domains have already been configured to use the same IP and I’m not in a position to change them.

My answer:


Use a different IP address for the hosts which should never answer on SSL, and ensure that Apache only listens on port 443 for the appropriate IP addresses.


View the full question and answer on Server Fault.
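
The layout the answer describes, as an added example that is not part of the original answer. It assumes Apache 2.4 syntax and that DNS for each hostname points at its own address; the addresses 192.0.2.10 and 192.0.2.20, the certificate paths and the DocumentRoot paths are constructed placeholders.

```apache
# Added example: addresses and paths below are placeholders, not from the question.
# 192.0.2.10 = address for hosts that have a certificate (HTTP + HTTPS)
# 192.0.2.20 = address for hosts that must never answer on 443 (HTTP only)

# Bind explicitly per address. A bare "Listen 80" or "Listen 443" left in
# another included file (for example a distribution's ports.conf) binds every
# address and must be removed, or port 443 stays open on 192.0.2.20 as well.
Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.20:80

<VirtualHost 192.0.2.10:80>
    ServerName supportsboth.example.com
    DocumentRoot "/var/www/supportsboth"
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName supportsboth.example.com
    DocumentRoot "/var/www/supportsboth"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/supportsboth.crt"
    SSLCertificateKeyFile "/etc/ssl/example/supportsboth.key"
</VirtualHost>

# No :443 virtual host and no :443 listener exists for this address,
# so there is nothing for a TLS client to connect to.
<VirtualHost 192.0.2.20:80>
    ServerName httponly.example.org
    DocumentRoot "/var/www/httponly"
</VirtualHost>
```

With no listener on 192.0.2.20:443, a TLS connection attempt to httponly.example.org is refused at the TCP level, so the certificate for supportsboth.example.com is never presented for the wrong name. `apachectl -S` prints the resulting address-to-virtual-host mapping so the binding can be checked before reloading.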

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.