[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: https vhosts

> Am 24.05.2018 um 13:43 schrieb Stefan Priebe - Profihost AG <s.priebe@xxxxxxxxxxxx>:
> Hi Stefan,
> as i've tried todo nearly the same some weeks ago i can tell you what i did.

:-) In the era of DGSVO, some sites simply wish to disappear silently...

> Comment inline.
> Am 24.05.2018 um 13:34 schrieb Stefan Eissing:
>> So, we are lacking an option here to abort SSL connections without a vhost match, it seems. Something like
>> SSLStrictSNIVHostCheck require-match
> No this will not solve the problem as you may have clients not
> supporting sni at all. I tried the same with SSLStrictSNIVHostCheck On
> Nowadays those clients see the wrong cert but still land in the correct
> vhost container so they "work".
> What i did is creating a vhost container which is loaded first in config
> order:
> 1.) Create a fake or general SSL cert (something like a white label cert)
> 2.) create the container:
> <VirtualHost $IP:443>
>  # Because this virtual host is defined first, it will
>  # be used as the default if the hostname is not received
>  # in the SSL handshake
>  ServerName unknown
>  DocumentRoot /usr/local/apache/htdocs/
>  Protocols h2 http/1.1
>  SSLCertificateFile ...
>  SSLCertificateKeyFile ...
>  SSLCertificateChainFile ...
>  SSLEngine on
>  ErrorLog /usr/local/apache/logs/htdocs-error.log
>  TransferLog /usr/local/apache/logs/htdocs-access.log
>  # Rewrite to correct hostname using http - vhost container does not
> have https
>  RewriteEngine On
>  RewriteRule (.*) http://%{HTTP_HOST}/$1 [R=301,L]
> </VirtualHost>

I thought about this. In case of a general hoster, redirecting to a business site which explains like "this domain is no longer hosted here, blabla", makes sense.

In my case, a site "disappeared" that is in no way affiliated with the other vhosts and I would like to avoid the impression that it is. Sure, people who know DNS and IP addresses, can easily find co-located sites, but that is another level.