Handling HTTPS Requests for Sites with no SSL on Shared Server


Date: 08.03.11

So I am not sure if I am alone here, but I have encountered this issue several times whenever I have set up a server hosting multiple sites running Apache. Some sites have SSL certificates installed, others do not. Given the increasing shortage of IPv4 addresses, I usually use the default IP address for the server for the first site using an SSL certificate, then get additional IPs for each additional site needing SSL on an as-needed basis.

The Problem

The problem appears whenever a request is made for a secured page (e.g. https://www.example.com/test) for a site which does not have an SSL certificate installed. Most browsers these days will display a daunting security warning that will deter most users, but on the off chance the user DOES proceed (or if they are using an older browser, or have poor security settings, etc.) then they will probably see a DIFFERENT website than the one they requested, because the request is answered by whichever SSL site is configured on that IP address. This can create confusion and might seem unprofessional to some.

The Solution

Dedicated SSL certificates are generally configured in the Apache configuration by mapping the IP and port 443 to a particular SSL location. So let's say we have www.example.com running on IP 111.111.111.111. Our configuration would look something like this:

<VirtualHost 111.111.111.111:443>
ServerName www.example.com
DocumentRoot "/usr/home/example.com/htdocs"
SSLEngine On
SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt
</VirtualHost>

The solution is quite simple. We will just add the following lines inside this VirtualHost directive:

RewriteEngine On
# Dots are escaped so that they match a literal "." only
RewriteCond %{SERVER_NAME} !^www\.example\.com$
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]

So our final directive will look like this:

<VirtualHost 111.111.111.111:443>
# If server name does not match name on cert, redirect to non-https url for that server name
RewriteEngine On
RewriteCond %{SERVER_NAME} !^www\.example\.com$
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]
ServerName www.example.com
DocumentRoot "/usr/home/example.com/htdocs"
SSLEngine On
SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt
</VirtualHost>
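
A variation on the rule above, added here as an example and not part of the original post: with Apache's default UseCanonicalName Off, %{SERVER_NAME} is taken from the client's Host header, so this version redirects only names found in a list of sites hosted on the server and builds the redirect from that list. The map names lowercase and hosted, the file path and its sample entries are assumptions.

```apache
# Added example, not from the original post.
# Assumed (hypothetical) names: the maps "lowercase" and "hosted", and the
# file path /usr/local/etc/apache/hosted-sites.txt.
#
# hosted-sites.txt (constructed sample): key = name a client may send,
# value = host name to put in the redirect.
#   www.example.org    www.example.org
#   example.org        www.example.org
#   shop.example.net   shop.example.net

<VirtualHost 111.111.111.111:443>
    ServerName www.example.com
    DocumentRoot "/usr/home/example.com/htdocs"
    SSLEngine On
    SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
    SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt

    RewriteEngine On
    RewriteMap lowercase int:tolower
    RewriteMap hosted "txt:/usr/local/etc/apache/hosted-sites.txt"

    # 1. Lower-case the Host header and drop an optional :port; %1 = host name.
    RewriteCond "${lowercase:%{HTTP_HOST}}" "^([a-z0-9.-]+)(?::[0-9]+)?$"
    # 2. Look the name up. Names that are not in the map (including
    #    www.example.com itself) return an empty string, so the condition
    #    fails and this virtual host answers the request as usual.
    RewriteCond "${hosted:%1}" "^(.+)$"
    # 3. %1 is now the value from the map, not the client's header.
    #    302 rather than 301: a 302 is not cached by default, which matters
    #    if the site later gets its own certificate.
    RewriteRule "^(.*)$" "http://%1$1" [R=302,L]
</VirtualHost>
```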

Please Note…

This solution will not actually remove the security warning. This will still be displayed in the browser because, well, there really ISN’T a security cert for the site being requested. So some warning of some sort may be unavoidable. But at least they will never see a seemingly random site in place of the one they requested. Hope this helps someone!
