Limit SSL to only one virtual host domain
In the past, I've used htaccess to forward an SSL request to other virtual hosts to the appropriate SSL domain. This required an edit to the htaccess for each virtual host. But is there a better way?
I basically want to limit SSL requests to the ssl.domain.com virtual host, and for SSL requests to other virtual hosts to fail.
Cheers,
Richard
7 Replies
When you make a TLS request, the server doesn't yet know which domain the client is after, because the request for the domain itself is encrypted. Like I said, I'm no expert, so I'm having a hard time explaining it, but it basically works like this:
User types
Browser finds out what
Browser connects to server at 1.2.3.4, port 80, request contents of
Server responds.
Now, an encrypted connection:
User types
Browser finds it's 1.2.3.4.
Browser connects to server at 1.2.3.4, port 443.
Browser requests an encrypted channel with server.
Server responds, all subsequent communication takes place on the encrypted channel.
Browser requests contents of ssl.domain.com.
Server responds.
See, since the encryption starts before the browser asks for a specific domain, the connection cannot be refused, by design.
The only way to achieve what you want, that I know of, is to add another IP and have the server listen to encrypted requests on that IP only.
Hope that makes sense.
edit: I went to WP to see if I could find an article that would explain the problem better, and I found there is a solution to the issue; it's called Server Name Indication.
Thanks for your confirmation.
E.g., just don't define a virtual domain
And of course, if your SSL certificate is just for ssl.domain.com, then your clients are likely to get browser warnings anyway when trying to connect at
It's not the same as refusing the network connection entirely, but perhaps just as suitable for your purposes.
– David
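The "just don't define it" approach from the reply above, written out as an added Apache 2.4 + mod_ssl configuration (this is an example I am adding to the thread, not David's or Richard's config). It relies on one mod_ssl rule: the first `<VirtualHost>` on a given address:port is the default that serves any client whose SNI name matches no other vhost (or who sends no SNI at all). Making that default a deny-everything catch-all means only `ssl.domain.com` is served over HTTPS; every other name gets a 403 instead of the content of some other site. Certificate paths, document roots and the `other.domain.com` host are placeholders.

```apache
# Added example, not from the thread. Apache 2.4 with mod_ssl.
# Comments must sit on their own lines in Apache configuration.

Listen 443

# 1. Catch-all: the FIRST *:443 vhost, so it wins for every SNI name
#    that no later vhost claims, and for clients that send no SNI.
<VirtualHost *:443>
    # A name that is never a real site, so nothing matches it by accident.
    ServerName default-ssl.invalid
    SSLEngine on
    # Apache still needs a certificate to complete the handshake. Clients
    # landing here will see a name-mismatch warning; that is expected.
    # Placeholder paths:
    SSLCertificateFile    /etc/ssl/certs/ssl.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/ssl.domain.com.key
    # In the default vhost, "on" refuses clients that sent no SNI name,
    # so old non-SNI browsers cannot reach any site on this IP:port.
    SSLStrictSNIVHostCheck on
    # Everything that does reach this vhost is denied.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2. The one host that is allowed to speak HTTPS.
<VirtualHost *:443>
    ServerName ssl.domain.com
    # Placeholder document root:
    DocumentRoot /var/www/ssl.domain.com
    SSLEngine on
    # Placeholder paths:
    SSLCertificateFile    /etc/ssl/certs/ssl.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/ssl.domain.com.key
    <Directory "/var/www/ssl.domain.com">
        Require all granted
    </Directory>
</VirtualHost>

# 3. The other sites exist on *:80 only. None of them gets a *:443 block,
#    so there is no second HTTPS vhost for a request to fall into.
<VirtualHost *:80>
    # Placeholder host and root:
    ServerName other.domain.com
    DocumentRoot /var/www/other.domain.com
</VirtualHost>
```

To confirm the split after a reload, connect twice with `openssl s_client -connect <server-ip>:443 -servername ssl.domain.com` and then with `-servername other.domain.com`, and send a `GET / HTTP/1.1` with the matching `Host:` header on each: the first returns the page, the second returns `403 Forbidden`. As the thread points out, this only tells the vhosts apart because of SNI; a client that does not send it, or an Apache/OpenSSL build without SNI support, always lands in the first *:443 vhost, and in that case the separate-IP approach from the first reply is the only way to keep the other sites off port 443.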
So, while you can have more than one vhost, you can have only one certificate.
In other words, even if you set up the server to reject access on the basis of HTTP_HOST, it'll look like
User:
Browser: WARNING, certificate issued for sslenabled.example, do you want to continue?
User: Yes
Server: