Sunday, February 26, 2017

virtualhost - Apache SSL virtual host using SNI ignores ServerName



I would like to serve SNI-enabled clients that send the wrong host name a 400 Bad Request, but Apache always serves the default virtual host in this situation. I cannot add a default virtual host that sends the 400 Bad Request status, because SNI-disabled clients will always get this virtual host.



It seems that the ServerName virtual host directive is ignored for SNI-disabled clients when I enable name based virtual hosts on an SNI-enabled Apache installation.



See the following virtual host configuration:




NameVirtualHost 192.168.4.46:443

<VirtualHost 192.168.4.46:443>
    ServerName 192.168.4.46
    DocumentRoot /var/www/error-page/

    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/certificate.key
</VirtualHost>

<VirtualHost 192.168.4.46:443>
    ServerName test-ssl
    DocumentRoot /var/www/valid-website/

    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/certificate.key
</VirtualHost>


If I use an SNI-disabled client, I get the error page regardless of the Host: header I send in the request. Because I use the same certificate in both virtual hosts, I would like SNI-disabled clients to still be able to reach the second virtual host based on a match with ServerName.




If I switched the position of the virtual hosts, the website would be the default virtual host, and then SNI-enabled clients would get the website instead of the error if they supplied a wrong Host: in the headers.



So basically, how do I get Apache to serve an error for every wrong Host: header regardless of SNI support, while still serving the website when using an SNI-disabled client and serving the right virtual host when using an SNI-enabled client?


Answer



The shortest answer, I believe, will be:



MOD_REWRITE



Set a cond to inspect the Host header; if it is not correct, forward the request off to the error page.




Your non-error site will be the default, and the rewrite rule will live in this virtual host.






If there do turn out to be 'shorter/easier' options, I suspect this option will provide clear logic into how requests should be processed. This solution assumes that you want ALL requests regardless of SNI status to provide a matching host header for a given virtual host.
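The mod_rewrite approach from the answer, written out as an added example (not configuration from the original question or answer): the website virtual host is placed first so it becomes the default for SNI-disabled clients and for SNI clients sending an unknown name, and a RewriteCond rejects every request whose Host header is not the site name. The hostname, paths and certificate locations are taken from the question; the 400 status, the REDIRECT_STATUS guard and the /error alias are assumptions added here.

```apache
# Added example: the answer's idea spelled out. Not the poster's configuration.
# NameVirtualHost is only needed on Apache 2.2; 2.4 ignores it.
NameVirtualHost 192.168.4.46:443

# Listed first, so this is the default vhost for every client that does not
# match another ServerName (SNI-disabled clients and SNI clients with a wrong name).
<VirtualHost 192.168.4.46:443>
    ServerName test-ssl
    DocumentRoot /var/www/valid-website/

    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/certificate.key

    # Reuse the question's error page directory for the 400 response (assumed layout).
    Alias /error /var/www/error-page/
    ErrorDocument 400 /error/index.html

    RewriteEngine on
    # Skip the check on Apache's own internal redirect to the ErrorDocument,
    # otherwise the error page itself fails the Host check and loops to a second 400.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    # Host header must be exactly the site name, optionally with a port.
    RewriteCond %{HTTP_HOST} !^test-ssl(:[0-9]+)?$ [NC]
    # A non-3xx status in R= drops the substitution and stops rewriting: reply 400.
    RewriteRule ^ - [R=400]
</VirtualHost>
```

Because the condition is evaluated on every request, SNI-disabled clients that send Host: test-ssl reach the site, while any other Host value gets the 400 regardless of whether SNI was used.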

