Apache Multi-Site configuration with SSL - httpd-vhosts.conf , hosts table and .htaccess

Question

My setting is done and it works. Is it the correct way?

I have a Windows server and I installed XAMPP on it. Different domain would point to different IP address to the server. Also, every site runs https on this server. I go through a lot of tutorials and set up self-signed cert to each site. Then, I configed the server with below setting.

These config works but I am not sure is it secure enough. I afraid that I missed something important. I need the site to be reachable by below URL:

http://sitea.com (Will redirect to https://sitea.com )

http://www.sitea.com (Will also redirect to https://sitea.com )

https://sitea.com (This great)

https://www.sitea.com (Will force to use non-www version due to program needed- https://sitea.com )

My configuration is listed below. May I ask if it is good enough or if I missed something?

C:\\xampp\\apache\\conf\\extra\\httpd-vhosts.conf:

<VirtualHost 192.168.242.121:80>
    ServerName sitea.com
    ServerAlias www.sitea.com
    Redirect permanent / https://sitea.com/
</VirtualHost>

<VirtualHost 192.168.242.121:443>
    DocumentRoot "S:/websites/sitea/"
    ServerName sitea.com
   RewriteEngine On
   RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
   RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]
   SSLEngine on
   SSLCertificateFile "ssl/sitea.com/server.crt"
   SSLCertificateKeyFile "ssl/sitea.com/server.key"
    AccessFileName .htaccess
    ErrorLog "S:/websites/sitea/logs/error.log"
    CustomLog "S:/websites/sitea/logs/access.log" common

    <Directory S:/websites/sitea/>  
       Options FollowSymLinks
        AllowOverride All
        Require all granted  
    </Directory>
</VirtualHost>

<VirtualHost 192.168.242.120:80>
    ServerName siteb.com
   ServerAlias www.siteb.com
    Redirect permanent / https://siteb.com/
</VirtualHost>

<VirtualHost 192.168.242.120:443>
    DocumentRoot "S:/websites/siteb/"
    ServerName siteb.com
   RewriteEngine On
   RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
  RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]
   SSLEngine on
   SSLCertificateFile "ssl/siteb.com/server.crt"
   SSLCertificateKeyFile "ssl/siteb.com/server.key"
    AccessFileName .htaccess
    ErrorLog "S:/websites/siteb/logs/error.log"
    CustomLog "S:/websites/siteb/logs/access.log" common

    <Directory S:/websites/siteb/>  
       Options FollowSymLinks
        AllowOverride All
        Require all granted  
    </Directory>
</VirtualHost>

C:\\Windows\\System32\\drivers\\etc\\hosts:

192.168.242.121 sitea.com www.sitea.com
192.168.242.120 siteb.com www.siteb.com

sitea.com is a wordpress site and the .htaccess is here. The directory setting is correct.

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /sitea/siteacms/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /sitea/siteacms/index.php [L]
</IfModule>

# END WordPress

Thank you!

Answer 1

Enabling HTTPS on a website does not stop website vulnerabilities, it only secures data which is being transferred between the website server and client ie someone can not eaves drop on what the server and client are saying to each other. If a website has a vulnerability people will still be able to exploit it.

In your Apache configuration it looks like some of your apache configurations can be bypassed by accessing your website directly ie type it's IP address into a web browser. This would allow someone to bypass your mandated HTTPS for example. You should set up a redirect rule if you want to prevent against this.