git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: https vhosts


Hi Stefan,

as i've tried todo nearly the same some weeks ago i can tell you what i did.

Comment inline.

Am 24.05.2018 um 13:34 schrieb Stefan Eissing:
> So, we are lacking an option here to abort SSL connections without a vhost match, it seems. Something like
> 
> SSLStrictSNIVHostCheck require-match

No this will not solve the problem as you may have clients not
supporting sni at all. I tried the same with SSLStrictSNIVHostCheck On

Nowadays those clients see the wrong cert but still land in the correct
vhost container so they "work".

What i did is creating a vhost container which is loaded first in config
order:
1.) Create a fake or general SSL cert (something like a white label cert)
2.) create the container:
<VirtualHost $IP:443>
  # Because this virtual host is defined first, it will
  # be used as the default if the hostname is not received
  # in the SSL handshake
  ServerName unknown
  DocumentRoot /usr/local/apache/htdocs/

  Protocols h2 http/1.1

  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  SSLCertificateChainFile ...
  SSLEngine on

  ErrorLog /usr/local/apache/logs/htdocs-error.log
  TransferLog /usr/local/apache/logs/htdocs-access.log

  # Rewrite to correct hostname using http - vhost container does not
have https
  RewriteEngine On
  RewriteRule (.*) http://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

Greets,
Stefan