Apache Responds with Wrong Certificate

<p>I ran into a situation where a client was accessing a test site and ended up getting a certificate from another site on the same server. Here is the setup:</p>
<p>All virtual hosts are on the same IP address as the SSL site, so I have this in httpd.conf:</p>
<pre><code>Listen 192.168.1.1:80
Listen 192.168.1.1:443
NameVirtualHost 192.168.1.1:80
</code></pre>
<p>The problem is this: Apache must set up the SSL connection BEFORE the Host header is received. When it receives a request on 192.168.1.1:443, it uses the certificate attached to the virtual host bound to that address and port BEFORE it knows which web site is being requested. So if you attempt to connect to a non-SSL site over HTTPS, Apache sends you the certificate for the SSL site and then serves up the web site of the non-SSL virtual host. At this point the user gets a certificate error in the browser. YUCK!</p>
<p>The solution: mod_rewrite!<br />
In the virtual host configuration for the <strong>SSL</strong> site, put these rules:</p>
<pre><code>&lt;Directory path/to/ssl.example.com&gt;
# Redirect any request that is not for https://ssl.example.com
# (RewriteEngine On is required, or the rules below are ignored)
RewriteEngine On
RewriteCond %{HTTP_HOST} !^ssl\.example\.com$ [NC,OR]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://ssl.example.com%{REQUEST_URI} [L,R]
&lt;/Directory&gt;
</code></pre>
<p>Explanation:<br />
The first RewriteCond checks the hostname in the Host header of the request (case-insensitively, because of the NC flag).<br />
The second RewriteCond checks the port number of the request; the OR flag means the rule fires if either condition holds.<br />
The RewriteRule then redirects the user's browser to the proper hostname on the proper port, keeping the requested path.</p>
<p>Enjoy!</p>
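The mix-up above is easy to detect before a user does: for every name a server answers for on the shared IP, connect to port 443 with that name as SNI and check whether the presented certificate actually covers it. The script below is an added example, not part of the original post; the address 192.168.1.1 and the host names are taken from the post's setup, the test site name is constructed, and the live fetch assumes the third-party `cryptography` package.

```python
"""Check which certificate a shared-IP Apache server presents for each name."""
import socket
import ssl


def hostname_matches(host, cert_names):
    """Exact match, or a wildcard in the left-most label only (one label deep)."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # "*.example.com" covers "www.example.com" but not "example.com"
        # or "a.b.example.com"
        if name.startswith("*.") and host.count(".") >= 2:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def uncovered_hosts(vhost_names, presented):
    """Names served on the shared IP that the presented certificate does not cover."""
    return [h for h in vhost_names if not hostname_matches(h, presented)]


def presented_names(ip, port=443, sni=None):
    """Connect to ip:port, optionally sending SNI, and return the DNS names in the
    server certificate's SAN (falling back to the CN). Verification is switched
    off because the certificate is only inspected, never trusted.
    Assumes the third-party 'cryptography' package is installed."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        return san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        return [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]


if __name__ == "__main__":
    # Constructed sample: the SSL site and a plain-HTTP test site on the post's
    # shared address. Any name listed as "uncovered" gets a browser cert error.
    for name in ["ssl.example.com", "test.example.com"]:
        names = presented_names("192.168.1.1", 443, sni=name)
        print(name, "->", names, "uncovered:", uncovered_hosts([name], names))
```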

Posted by davea

Tags: mod_rewrite, security, ssl
