I’m using name-based virtual hosts on ports 80 and 443. Some of the virtual hosts only support port 80. I don’t have, and won’t be getting, certificates for these hostnames.
How can I configure Apache to refuse a connection on port 443 to one of the host names?
supportsboth.example.com has a certificate, can listen on port 80 and port 443
httponly.example.org does not have a certificate, should be available via regular HTTP only.
The Apache configuration has a virtualhost setting entry for supportsboth.example.com on port 443 only.
Trying to connect to httponly.example.com on port 443 makes Apache use the supportsboth.example.com virtual host’s certificate and details.
This makes the browser report lots of certificate errors as the host names don’t match, and if the user decides to proceed anyway, it still ends up at the wrong site.
What I’d ideally like is a redirect to the HTTP site, but I imagine that would rely on having a valid certificate. My second preference is to simply refuse the connection.
Micheal’s answer below of putting the SSL capable names on a separate IP is not available to me as both the domains have already been configured to use the same IP and I’m not in a position to change them.
Use a different IP address for the hosts which should never answer on SSL, and ensure that Apache only listens on port 443 for the appropriate IP addresses.
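A sketch of the layout this answer describes, added here as an illustration and not taken from the original post. The addresses 192.0.2.10 and 192.0.2.20 and all file paths are placeholder assumptions; only the two hostnames come from the question.

```apache
# Assumed addressing (placeholders, not from the original post):
#   192.0.2.10 -> supportsboth.example.com  (HTTP and HTTPS)
#   192.0.2.20 -> httponly.example.org      (HTTP only)

# Plain HTTP is accepted on every address.
Listen 80

# HTTPS is bound to the SSL-capable address only. Apache opens no socket
# on 192.0.2.20:443, so a TLS client connecting there is refused at the
# TCP level and is never shown another site's certificate.
Listen 192.0.2.10:443

<VirtualHost *:80>
    ServerName supportsboth.example.com
    DocumentRoot "/var/www/supportsboth"
</VirtualHost>

<VirtualHost *:80>
    ServerName httponly.example.org
    DocumentRoot "/var/www/httponly"
</VirtualHost>

# Bind the SSL virtual host to the specific address, not *:443, so it
# cannot become the default answer for other hostnames on port 443.
<VirtualHost 192.0.2.10:443>
    ServerName supportsboth.example.com
    DocumentRoot "/var/www/supportsboth"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/supportsboth.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/supportsboth.example.com.key"
</VirtualHost>
```

This only has the intended effect if no other Listen directive in the configuration (for example a distribution default of Listen 443) binds port 443 on all addresses.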
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.