David
2013-04-17 15:50:26 UTC
Hi,
I have a handful of sites (name virtual hosts) being served on the same
physical server (and IP address), using Apache 2.2.15. One of the sites also
has an https version (in fact, the http version of that site redirects
straight to the https version), but the other sites are http-only.
Unfortunately, if somebody inadvertently attempts to access any of the other
http-only sites using https, then the server will attempt to serve the
corresponding URI on the (sole) https site instead (causing web browsers
to display a security certificate warning page, for obvious reasons).
I have a feeling that I may be rather stuck in the catch-22 situation that the
server does not know which https site has actually been requested until it has
started to negotiate the secure connection, and therefore is returning the
certificate (and content) for the default https site regardless?
Is there any way that I can prevent https content from being (attempted to be)
served for the non-https sites?
Would Server Name Indication (SNI) (and 'empty' https sites for the http-only
sites, or something in the config for these virtual hosts to 'unlisten' on the
https port) help at all? Our Apache supports SNI, but there is still the
risk that a reasonable proportion of client browsers and OSes may not,
unfortunately.
Would I be able to set up SNI so that the single required https site can still
be served properly to non-SNI-aware clients? It's essential that the https
site works for as wide a range of users as possible (yes, another grumble at
old versions of IE and Windows..).
The webserver also serves another http *and* https site, but these are on a
different IP address, so I assume that is not particularly relevant to this
current problem.
Thanks for any advice,
David.
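The two mechanisms discussed in the post, laid out as an added example of an Apache 2.2 configuration (not David's actual config; the hostnames, document roots and certificate paths are assumptions). It relies on two facts about Apache 2.2: the first `*:443` vhost is the default for any client that sends no SNI or a name with no matching vhost, and the HTTP `Host` header is only seen after the TLS handshake, so it cannot influence which certificate is sent but can still be used to refuse or redirect the request.

```apache
# Added example, not from the original post. Name-based SSL vhosts on one IP
# with Apache 2.2 (SNI requires 2.2.12+ built against an OpenSSL with TLS
# extension support). Hostnames, paths and certificate files are assumed.
Listen 443
NameVirtualHost *:443

# The FIRST *:443 vhost is the default. Non-SNI clients (old IE on XP, etc.)
# always land here, whatever name they asked for, so this must be the one
# site that really needs https.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/secure.example.com.key

    # Works with or without SNI. By the time mod_rewrite runs, the handshake
    # (and any certificate warning) has already happened; what this prevents
    # is the secure site's content being served under another site's name.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^secure\.example\.com$ [NC]
    RewriteRule ^/(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# SNI clients only: an 'empty' https vhost for an http-only site, so that its
# requests never reach the secure site's vhost at all. The browser will still
# warn, because the only certificate available is not valid for this name;
# the gain is that after the click-through the user is sent to the http site
# rather than shown secure.example.com's pages.
<VirtualHost *:443>
    ServerName blog.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/secure.example.com.key
    Redirect permanent / http://blog.example.com/
</VirtualHost>

# Keep this at its default (off). With it on, mod_ssl returns 403 to non-SNI
# clients whose Host does not match the default vhost, which is exactly the
# population (old IE/Windows) the secure site must keep working for.
SSLStrictSNIVHostCheck off
```

The rewrite in the default vhost is the part that does not depend on client support: a non-SNI browser still gets the secure site's certificate and its warning, but once it sends a request with the wrong `Host` it is redirected back to plain http instead of being served the secure site's URI. Nothing in Apache can make the warning itself go away for a name the certificate does not cover; that would need a certificate listing those names (for example as subjectAltNames) on the default vhost.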