0

I would like to serve SNI-enabled clients that send the wrong host name a 400 Bad Request, but Apache always serves the default virtual host in this situation. I cannot add a default virtual host that sends the 400 Bad Request status, because SNI-disabled clients will always get this virtual host.

It seems that the ServerName virtual host directive is ignored for SNI-disabled clients when I enable name based virtual hosts on an SNI-enabled Apache installation.

See the following virtual host configuration:

NameVirtualHost 192.168.4.46:443 <VirtualHost 192.168.4.46:443> ServerName 192.168.4.46 DocumentRoot /var/www/error-page/ SSLEngine on SSLCertificateFile /path/to/certificate.crt SSLCertificateKeyFile /path/to/certificate.key </VirtualHost> <VirtualHost 192.168.4.46:443> ServerName test-ssl DocumentRoot /var/www/valid-website/ SSLEngine on SSLCertificateFile /path/to/certificate.crt SSLCertificateKeyFile /path/to/certificate.key </VirtualHost>

If I use an SNI-disabled client, I would get the error page regardless of the Host: header I send in the request. Because I use the same certificate in both virtual hosts, I would like SNI-disabled clients to be able to still reach the second virtual host based on a match with ServerName.

If I'd switch the position of the virtual hosts, the website would be the default virtual host and then SNI-enabled clients would get the website instead of the error if they supply a wrong Host: in the headers.

So basically, how do I get Apache to serve an error for every wrong Host: header regardless of SNI support, while still serving the website when using an SNI-disabled client and serving the right virtual host when using an SNI-enabled client?

Improve this question
2
  • The Host header sent by an SNI-disabled client should still be respected, which I've found to be the case in my testing - the default virtual host just selects what certificate is sent to SNI-disabled clients. Are you saying you're seeing it being served the wrong vhost in your testing, or are you just theorizing that it would be wrong? Commented Feb 25, 2014 at 17:17
  • 1
    It seems you're correct - requests sent by SNI-disabled clients still get the right virtual host served matched by the Host header. I think my tests were flawed. Commented Feb 26, 2014 at 10:27

2 Answers 2

Reset to default
0

Shortest answer I believe will be:

MOD_REWRITE

Set a cond to inspect the host header; If it is not correct, forward the request off to the error page.

Your non-error site will be the default and the rewrite-rule will live in this virtual host.

If there do turn out to be 'shorter/easier' options, I suspect this option will provide clear logic into how requests should be processed. This solution assumes that you want ALL requests regardless of SNI status to provide a matching host header for a given virtual host.

Improve this answer
1
  • This is perfect if you want the default virtual host to enforce the server name. However, my original question was flawed, as SNI-disabled clients do in fact honor the Host header. Commented Feb 26, 2014 at 10:28
0

Remove the ServerName in the virtualHost you want to use in error mode. It should works

Improve this answer
1
  • 1
    This will make Apache perform a reverse lookup on the IP address and use the result as the server name, so how will that help? Commented Feb 26, 2014 at 10:57

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.