Apache 2.2: Reject https for http-only sites on server w/ 1 https site?


David
Apr 17, 2013, 11:50:26 AM
Hi,

I have a handful of sites (name virtual hosts) being served on the same
physical server (and IP address), using Apache 2.2.15. One of the sites also
has an https version (in fact, the http version of that site redirects
straight to the https version), but the other sites are http-only.

Unfortunately, if somebody inadvertently attempts to access any of the other
http-only sites using https, then the server will attempt to serve the
corresponding URI on the (sole) https site instead (causing web browsers to
display a security certificate warning page, for obvious reasons).

I have a feeling that I may be rather stuck in the catch-22 situation that the
server does not know which https site has actually been requested until it has
started to negotiate the secure connection, and therefore is returning the
certificate (and content) for the default https site regardless?

Is there any way that I can prevent https content from being (attempted to be)
served for the non-https sites?

Would Server Name Indication (SNI) (and 'empty' https sites for the http-only
sites, or something in the config for these virtual hosts to 'unlisten' on the
https port?) help at all? Our Apache supports SNI, but there is still the
risk that a reasonable proportion of client browsers and OSes may not,
unfortunately.

Would I be able to set up SNI so that the single required https site can still
be served properly to non-SNI-aware clients? It's essential that the https
site works for as wide a range of users as possible (yes, another grumble at
old versions of IE and Windows..).

The webserver also serves another http *and* https site, but these are on a
different IP address, so I assume that is not particularly relevant to this
current problem.

Thanks for any advice,


David.

Eli the Bearded
Apr 17, 2013, 3:46:45 PM
In comp.infosystems.www.servers.unix,
David <da...@55952163-3189045.bogus.domain.invalid> wrote:
> I have a feeling that I may be rather stuck in the catch-22 situation that
> the server does not know which https site has actually been requested until
> it has started to negotiate the secure connection, and therefore is
> returning the certificate (and content) for the default https site
> regardless?

Exactly. Whenever possible, use separate IP addresses for each HTTPS site
to avoid this possibility.

> Is there any way that I can prevent https content from being (attempted to
> be) served for the non-https sites?

No.

> Would Server Name Indication (SNI) (and 'empty' https sites for the
> http-only sites, or something in the config for these virtual hosts to
> 'unlisten' on the https port?)) help at all? Our Apache supports SNI, but
> there is still the risk that a reasonable proportion of client browsers and
> OSes may not, unfortunately.

SNI would help, probably help a lot, but it won't be perfect. I'd guess more
than 50% of the time, but less than 95%, of clients would benefit.

Elijah
------
has, so far, been able to use separate IP addresses for all his https needs

Paul Rubin
Apr 17, 2013, 10:49:00 PM
David <da...@55952163-3189045.bogus.domain.invalid> writes:
> Would I be able to set up SNI so that the single required https site
> can still be served properly to non-SNI-aware clients?

I think this should work, but I haven't tried it.

> Thanks for any advice,

If it's that important to you to support old browsers and OSes, you can
probably afford another IP address for the purpose.

You can also get multi-domain certificates though it's possible that
really ancient browsers have problems with those.
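The SNI layout David asks about (one real https site that non-SNI clients still get, and the http-only names kept off its content), as an added configuration example that is not from this thread or any poster; Apache 2.2.12 or later is assumed, and the hostnames, paths and certificate files are hypothetical:

```apache
# Added example (not from the thread). Single IP, Apache 2.2.12+ with SNI.
# Hostnames, paths and certificate files are hypothetical placeholders.
Listen 443
NameVirtualHost *:443

# The FIRST *:443 vhost is the default. Non-SNI clients (old IE on XP) send
# no hostname in the TLS handshake, so this is the certificate and content
# they always get. It must therefore be the one site that really needs https.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    # Leave this off: "on" makes Apache answer every non-SNI client with 403,
    # which is the opposite of what is wanted here.
    SSLStrictSNIVHostCheck off
</VirtualHost>

# SNI-capable clients that name an http-only site are routed here instead of
# onto secure.example.com's content. They still get a certificate-name warning
# unless the certificate presented here covers these names (e.g. a multi-domain
# certificate, as mentioned above); once past that, they are sent back to http.
<VirtualHost *:443>
    ServerName  www.example.org
    ServerAlias example.org www.example.net example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    RewriteEngine on
    # HTTP_HOST is one of the names listed above, since that is how the
    # request was routed to this vhost; redirect it to the plain-http site.
    RewriteRule ^/(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
```

To confirm which vhost a given client type reaches, compare `openssl s_client -connect <server-ip>:443 -servername www.example.org` (SNI sent) against the same command without `-servername` (what a non-SNI client does); the latter must show the secure.example.com certificate.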

David
May 8, 2013, 10:07:04 AM
On 2013-04-17, Eli the Bearded <*@eli.users.panix.com> wrote:
> In comp.infosystems.www.servers.unix,
> David <da...@55952163-3189045.bogus.domain.invalid> wrote:
>> I have a feeling that I may be rather stuck in the catch-22 situation that
>> the server does not know which https site has actually been requested until
>> it has started to negotiate the secure connection, and therefore is
>> returning the certificate (and content) for the default https site
>> regardless?
>
> Exactly. Whenever possible, use separate IP addresses for each HTTPS site
> to avoid this possibility.
>
>> Is there any way that I can prevent https content from being (attempted to
>> be) served for the non-https sites?
>
> No.

Sorry for the belated reply:

Thanks, that's what I'd feared..

OK, we'll need to dig up a spare IP address for the https site, I guess.


[...]
> SNI would help, probably help a lot, but it won't be perfect. I'd guess more
> than 50% of the time, but less than 95%, of clients would benefit.

I'll hold off on SNI until Windows XP has gone away, or usage has at least
dropped to negligible levels..


Thanks,

David.
