
Handling HTTPS Requests for Sites with no SSL on Shared Server


Date: 08.03.11

So I am not sure if I am alone here, but I have encountered this issue several times whenever I have set up a server hosting multiple sites running Apache. Some sites have SSLs installed, others do not. Given the increasing shortage of IPv4 addresses, I usually use the default IP address for the server for the first site using an SSL, then get additional IPs for each additional site needing an SSL on an as-needed basis.

The Problem

The problem appears whenever a request is made for a secured page (e.g. https://www.example.com/test) for a site which does not have an SSL installed. Most browsers these days will display a daunting security warning that will deter most users, but on the off chance the user DOES proceed (or if they are using an older browser, or have poor security settings, etc.) then they will probably see a DIFFERENT website than the one they requested, because Apache answers the request from whichever SSL virtual host is bound to that IP address and port. This can create confusion and might seem unprofessional to some.

The Solution

Dedicated SSLs are generally configured in the Apache configuration by mapping the IP and port 443 to a particular SSL location. So let's say we have www.example.com running on IP 111.111.111.111. Our configuration would look something like this:

<VirtualHost 111.111.111.111:443>
ServerName www.example.com
DocumentRoot "/usr/home/example.com/htdocs"
SSLEngine On
SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt
</VirtualHost>

The solution is quite simple. We will just add the following lines inside this VirtualHost directive:

RewriteEngine On
RewriteCond %{SERVER_NAME} !^www\.example\.com$
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]

So our final directive will look like this:

<VirtualHost 111.111.111.111:443>
# If server name does not match name on cert, redirect to non-https url for that server name
RewriteEngine On
RewriteCond %{SERVER_NAME} !^www\.example\.com$
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]
ServerName www.example.com
DocumentRoot "/usr/home/example.com/htdocs"
SSLEngine On
SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt
</VirtualHost>

Please Note…

This solution will not actually remove the security warning. This will still be displayed in the browser because, well, there really ISN’T a security cert for the site being requested, and the browser checks the certificate before it ever receives the redirect. So some warning of some sort may be unavoidable. But at least they will never see a seemingly random site in place of the one they requested. Hope this helps someone!
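
A stricter variant of the directive above, as an added example rather than the author's configuration: it redirects only names the server actually hosts and refuses any other name, instead of redirecting to whatever host name the client sent. The names example.org and example.net are placeholders for the sites without an SSL, and it assumes UseCanonicalName is Off (Apache's default), so that %{SERVER_NAME} carries the requested host name.

```apache
<VirtualHost 111.111.111.111:443>
    ServerName www.example.com
    DocumentRoot "/usr/home/example.com/htdocs"

    SSLEngine On
    SSLCertificateFile /usr/home/example.com/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/home/example.com/ssl/www.example.com.key
    SSLCertificateChainFile /usr/home/example.com/ssl/NetworkSolutions_CA.crt

    RewriteEngine On

    # 1. Sites hosted on this server without a certificate (placeholder names):
    #    send the request to the same path on the plain-HTTP site.
    #    The query string is carried over automatically.
    RewriteCond %{SERVER_NAME} ^(www\.)?example\.org$ [NC,OR]
    RewriteCond %{SERVER_NAME} ^(www\.)?example\.net$ [NC]
    RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R=permanent,L]

    # 2. Any other name that is not the name on the certificate
    #    (unknown host names, requests by bare IP address): answer 403
    #    rather than serving www.example.com or redirecting to a name
    #    this server does not host.
    RewriteCond %{SERVER_NAME} !^www\.example\.com$ [NC]
    RewriteRule ^ - [F]

    # 3. Everything left is a request for www.example.com and is served normally.
</VirtualHost>
```

The list in step 1 has to be kept in sync with the non-SSL sites on the server; a site missing from it gets the 403 from step 2 on https:// requests.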

Contact: Aaron Lozier