2

I have an apache server with one ip address. (on a debian server).

I have several virtualhosts for http and one virtualhost for https

one vhost, redirect traffic to the https vhost and this works fine, something like this

<VirtualHost *:80> ServerName mymainsite.com ServerAlias www.mymainsite.com ServerAlias myothersite.org ServerAlias www.myothersite.org RewriteEngine on RewriteRule ^(.*)$ https://www.mymainsite.com$1 [L,R=301] (...)

I have another vhost for https, like this 

<VirtualHost *:443> ServerName www.mymainsite.com (...)

and this works fine, all non https is forwared to https, and that is super.. but then the problem.

some times people go to this url https://www.myothersite.org

and this is answered by the https vhost, and creates a "wrong certificate" error.

Question is: is there a way to prevent this, without using a 2nd ip address, or buying a multi url or wildcard SSL certificate?

edit: just remove some extra text

Improve this question
2
  • 1
    Your question actually has nothing to do with rewrites or redirects. What you're describing happens upon connecting. Just showing your two :443 vhosts would be sufficient. Commented Nov 17, 2014 at 10:43
  • I was hoping that we could fix this with a rewrite rule Commented Nov 18, 2014 at 1:44

1 Answer 1

Reset to default
2

You need to use SSL extension named Server Name Indication (SNI). This extension will allow server to determine for which named virtual host request was designated for, and patch it through accordingly.

Your apache is probably built with support for SNI but to check it simply setup two name virtual hosts on your IP, port 443 and try to start apache. If your apache does not support SNI error_log will show "You should not use name-based virtual hosts in conjunction with SSL!!" If SNI is built in, then the error log will show "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Also be aware that browsers need to support SNI as well in order to have this working. Good thing is all major browsers support is

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

So yes, in short you can have 2 or more different domains with their respective SSL certificates on same IP, just configure other SSL domains much like your first one. If your apache lacks support for SNI you will need to find another apache package or rebuild this one with support for SNI to get it working.

Improve this answer
2
  • thanks, I will certainly check this out and see if this is workable for me... but this might include buying one more SSL for the other URL.. but maybe that is ok. Commented Nov 17, 2014 at 10:45
  • 1
    yes you will definitely need one more SSL certificate Commented Nov 17, 2014 at 10:50

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.