I currently have an Apache server that is serving content on two sites - call them site1.com and site2.com. I've got VirtualHost directives set up for each of them and they all work fine.
I also serve SSL content for site1.com, and this works fine too (i.e. a user can navigate to https://site1.com and see content). However, the issue comes if a user tries to navigate to https://site2.com. Then (e.g. in Google Chrome) they see the following message:
You attempted to reach site2.com, but instead you actually reached a server identifying itself as site1.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of site2.com.
This is quite a scary warning, and I'd prefer the connection to fail with an "HTTPS connection refused", "SSL error" or something like that. (If they click through the warning, they are shown https://site1.com's content, but with https://site2.com in the address bar.) I believe this should be possible using SNI - but I'm not sure how to set it up so that the only SSL connections that are picked up are ones that are meant for site1.com.
Here is the skeleton VirtualHost directive for site1:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName site1.com
        ServerAdmin webmaster@site1.com
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>
</IfModule>
I have tried changing _default_:443 to site1.com:443, but that stops all SSL connections to the server from returning content.
You need to have different certificates for site1.com and site2.com or have a certificate with both names in it. I don't see any certificate configuration at all in your posted configuration, so I assume that you have a global certificate which is only valid for site1.com.
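To make the answer concrete, here is an added example configuration (it is not from the question or the answer above) of how the name-based HTTPS virtual hosts would be laid out so that site1.com and site2.com each present their own certificate via SNI, and anything else that arrives on port 443 is refused rather than handed site1.com's content. It assumes Apache 2.4 with mod_ssl, a `Listen 443` already in place, and hypothetical certificate paths under /etc/ssl/site1 and /etc/ssl/site2 and document roots under /var/www/site1 and /var/www/site2.

```apache
# Added example, not the original poster's configuration.
# Assumes Apache 2.4 (Require syntax), mod_ssl, and the hypothetical
# certificate/key paths and document roots shown below.

<IfModule mod_ssl.c>
    # First *:443 vhost = the default for this address/port. It is used when
    # the SNI name matches no ServerName/ServerAlias below, and for clients
    # that send no SNI at all. It must still present a certificate during
    # the TLS handshake, so a browser asking for an unknown name will see a
    # certificate-name mismatch; the "Require all denied" only guarantees
    # that the wrong site's content is never served behind that warning.
    <VirtualHost *:443>
        ServerName default.invalid
        SSLEngine on
        SSLCertificateFile      /etc/ssl/site1/fullchain.pem
        SSLCertificateKeyFile   /etc/ssl/site1/privkey.pem
        # Reject clients that do not send SNI (they cannot be routed by name).
        SSLStrictSNIVHostCheck  on
        <Location />
            Require all denied
        </Location>
    </VirtualHost>

    # site1.com: its own certificate, selected by SNI.
    <VirtualHost *:443>
        ServerName site1.com
        ServerAlias www.site1.com
        ServerAdmin webmaster@site1.com
        DocumentRoot /var/www/site1
        SSLEngine on
        SSLCertificateFile      /etc/ssl/site1/fullchain.pem
        SSLCertificateKeyFile   /etc/ssl/site1/privkey.pem
        <Directory /var/www/site1/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>

    # site2.com: a second certificate, valid for site2.com, so that
    # https://site2.com no longer answers with site1.com's identity.
    <VirtualHost *:443>
        ServerName site2.com
        ServerAlias www.site2.com
        ServerAdmin webmaster@site2.com
        DocumentRoot /var/www/site2
        SSLEngine on
        SSLCertificateFile      /etc/ssl/site2/fullchain.pem
        SSLCertificateKeyFile   /etc/ssl/site2/privkey.pem
        <Directory /var/www/site2/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>
</IfModule>
```

The alternative the answer mentions, a single certificate whose Subject Alternative Names list both site1.com and site2.com, works with the same layout: point both named vhosts at the same SSLCertificateFile/SSLCertificateKeyFile. Either way, check what each name actually gets with `openssl s_client -connect <server>:443 -servername site2.com` and read the certificate subject and SAN list from its output; the browser warning in the question is exactly the case where that SAN list does not contain the name in the address bar.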