Handling HTTPS Requests for Sites with no SSL on Shared Server
08.03.11 
0 comments
So I am not sure if I am alone here, but I have encountered this issue several times whenever I have set up a server hosting multiple sites running Apache. Some sites have SSL’s installed, others do not. Given the increasing shortage of IPv4 addresses, I usually use the default IP address for the server for the first site using an SSL, then get additional IP’s for each additional sites needing SSL’s on an as-needed basis..
The Problem
The problem appears whenever a request is made for a secured page (e.g. https://www.example.com/test) for a site which does not have an SSL installed. Most browsers these days will display a daunting security warning that will deter most users, but on the off chance the user DOES proceed (or if they are using an older browser, or have poor security settings, etc) then they will probably see a DIFFERENT website than the one they requested. This can create confusion and might seem unprofessional to some.
The Solution
Dedicated SSL’s are generally configued in the apache configuration mapping the IP and port 443 to a particular SSL location. So lets say we have www.example.com running on IP 111.111.111.111. Our configuration would look something like this:
<VirtualHost 111.111.111.111:443> ServerName www.example.com DocumentRoot "/usr/home/example.com/htdocs" SSLEngine On SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt <VirtualHost>
The solution is quite simple. We will just add the following lines inside this VirtualHost directive:
RewriteEngine On
RewriteCond %{SERVER_NAME} !^www.example.com$
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]
So our final directive will look like this:
<VirtualHost 111.111.111.111:443>
# If server name does not match name on cert, redirect to non-https url for that server name
RewriteEngine On
RewriteCond %{SERVER_NAME} !^www.example.com$
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]
ServerName www.example.com
DocumentRoot "/usr/home/example.com/htdocs"
SSLEngine On
SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt
<VirtualHost>
Please Note…
This solution will not actually remove the security warning. This will still be displayed in the browser because, well, there really ISN’T a security cert for the site being requested. So some warning of some sort may be unavoidable. But at least they will never see a seemingly random site in place of the one their request. Hope this helps someone!
08.03.11
0 comments