I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.
I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.
The problem comes if you try to access one of the other sites with HTTPS: you get directed to the other site that has the SSL certificate.
For instance, let's say we have the following sites on the server:
alpha.net
bravo.net
charlie.net (SSL)
delta.net
So as you can see, charlie is the only one with SSL, and irrespective of whether you go to http charlie.net or https charlie.net, it works fine.
http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue, but whilst it has alpha.net in the address bar, it's actually showing the charlie.net site in the browser.
I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.
Has anyone else encountered this before and how did you get around it?
Many thanks,
Rob
This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)
Redirecting from HTTPS to HTTP is probably more trouble than it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:
# inside the alpha.net:443 virtual host: send every HTTPS request to the same URL over plain HTTP
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.
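An Apache 2.4 virtual host layout that stops a mistyped https://alpha.net from serving charlie.net's pages, as an added example that is not from this thread; the certificate paths, document roots and the catch-all name are placeholders:

```apache
# Added example, not from the original thread. Apache picks the virtual host
# for an HTTPS request by SNI/Host name; when no ServerName matches, it falls
# back to the FIRST vhost defined for *:443.

# BEFORE (the situation in the question): charlie.net is the only *:443 vhost,
# so it is the port 443 default and answers for alpha.net, bravo.net, ...
#
# <VirtualHost *:443>
#     ServerName charlie.net
#     SSLEngine on
#     ...
# </VirtualHost>

# AFTER: a deliberately empty catch-all is listed first for *:443, so any name
# without its own HTTPS vhost lands here and gets 403 instead of charlie's
# content. The browser still warns about the certificate for https://alpha.net,
# because no valid certificate for alpha.net exists; this only stops the
# wrong site's pages from appearing under alpha.net in the address bar.
<VirtualHost *:443>
    # reserved TLD: never matches a real request, so only fallbacks land here
    ServerName catchall.invalid
    SSLEngine on
    # placeholder self-signed pair; mod_ssl needs some certificate to handshake
    SSLCertificateFile    /etc/ssl/placeholder/selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/selfsigned.key
    DocumentRoot /var/www/empty
    <Location "/">
        Require all denied
    </Location>
    # log the Host names that end up here; useful to spot the mistyped URLs
    ErrorLog ${APACHE_LOG_DIR}/https-catchall.log
</VirtualHost>

# The real HTTPS site, selected by its name (SNI / Host header).
<VirtualHost *:443>
    ServerName charlie.net
    ServerAlias www.charlie.net
    SSLEngine on
    # placeholder paths for charlie.net's real certificate and key
    SSLCertificateFile    /etc/ssl/charlie.net/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/charlie.net/privkey.pem
    DocumentRoot /var/www/charlie.net
</VirtualHost>
```

Trade-off to check before deploying: clients that send no SNI at all (for example Internet Explorer on Windows XP) also fall back to the first vhost and would now get the 403 for charlie.net, so keep charlie.net first instead if such clients matter to you.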
If you have multiple IPs on your server, use a unique one for the SSL site and let all non-SSL sites share another IP.
SSL doesn't care what domain you are visiting; it only cares whether the current domain is in the list of domains (Common Name) it gets from the IP address.
I have two domains with GoDaddy: foo.com and bar.com
I want to redirect foo.com to bar.com/foo
I tried setting up Domain Forwarding from within the GoDaddy Dashboard and it did work, but not for HTTPS (which is the URL indexed within Google).
I checked with GoDaddy Support and received this response:
That will not work because your domain does not have an SSL Certificate active and there is no way to activate an SSL Certificate on it with a forward.
Maybe I'm overthinking this, but here's an alternative approach I had in mind:
Set the A record of foo.com to the same IP address that bar.com is using
Within the website code of bar.com, check the $_SERVER['SERVER_NAME'] and redirect appropriately
By using plain DNS this is not possible; the reason for this is that DNS is a different protocol from HTTP.
Some providers offer "forwarding" options, but behind the scenes they point your domain to an HTTP server, which then does the redirect.
For example, using CloudFlare this could be very easy to achieve: you need to set up only one domain, let's say foo.com, and then just create a page rule to redirect traffic to bar.com/foo. The rule could be something like:
*foo.com*
More info about the page rules can be found here: https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-Page-Rules-
Is there a way to redirect or downgrade an HTTPS request?
Let's say I have example.com.
If someone calls it with http:// example.com, all fine.
If someone calls it with httpS:// example.com, all fine.
Now if someone tries to reach it at httpS:// 100.200.100.200 (e.g. over its IP address),
he will get a "Your connection is not private" as I don't have a certificate for 100.200.100.200, or just a self-signed one.
Is there a way to redirect or downgrade the connection to http only,
to be able to show some message to the client without the need for him to
interact with the "Your connection is n..." message?
Or is it prohibited for security reasons,
and a browser either gets the https site it requests or nothing at all?
You can get a valid certificate for an IP but it's really not common (see Is it possible to have SSL certificate for IP address, not domain name? )
Anyway, nobody will visit your website by the IP, so no need to worry about it.
The certificate for example.com tells you that you really are communicating with them (and, because you know you want to visit example.com, it's fine), but the certificate for 100.200.100.200 tells you that you really are communicating with 100.200.100.200; you can't be sure it's the same person as example.com, you have to be sure you got the right IP. DNS is probably more reliable...
I have a strange problem which I can't identify the cause of.
There are two servers which host two different sites. Both sites are PHP-based apps.
Server 1 (Ubuntu)
https://app.site1.com
Server has SSL enabled for this site. This site works fine.
Server 2 (Red Hat)
http://app.site2.com
Server does not have SSL enabled for this site.
Here's what happens:
If I access site 2 on http:// it works fine.
If I access site 2 on https:// it redirects to site 1 on the other server.
Now obviously there is something telling this subdomain to go to the other site when served via SSL.
What I have checked:
All virtual hosts on both servers
All DNS records on both servers
All Site 2 website code
Site 2 .htaccess files
Using uncached browsers
There is NOTHING on either of the servers, that I can find, telling site 2 to redirect to site 1, only on HTTPS. Now obviously I don't expect anybody to find the problem directly because you can't see my entire server configuration, but I am looking for suggestions as to where else this redirect could come from.
I could understand this if you had site1 and site2 hosted on the same server.
Basically, if you have no config set up for a second vhost on https (port 443), then Apache will fall back to the first vhost by default.
So if both sites were in same Apache config then that might be it. But you say they are not. Are you sure you are not serving both sites from the same server (perhaps with a copy in the other server)? Are the IP addresses the same? Are there any load balancers or CDN infrastructure in front of both servers?
Also you say "If I access site 2 on https:// it redirects to site 1 on the other server." Can you explain more about what happens here? If you go to site 2 and do not have https set up, then how can this even respond to the request? What certificate is being presented to that initial request (i.e. before the redirect)? Is it the site1 certificate? And if so, do you get a certificate error in the browser (since it's presenting the wrong certificate for the site you requested) that you have to click through before you get redirected? Or is the cert valid for both sites?
You can also use this openssl command to see what the server returns (and in particular which certificate it returns):
openssl s_client -connect app.site2.com:443
It would also be handy to look at the browser's developer tools and see how exactly the redirect is happening. In Chrome press F12, go to the Network tab, click on "Preserve log" and then go to https://app.site2.com/. What is the first request? Is it a 301 or 302 (i.e. a server-side redirect)? Or if it's a 200 followed by the https://app.site1.com/ request, then some piece of JavaScript must have caused the redirect.
Once you have answered those questions it may be possible to provide further guidance.
I am trying to host 2 sites on a single IP address and they need to be accessed via SSL however the majority of my users use Internet Explorer on Windows XP meaning using multiple SSLs with SNI may prevent them getting access.
I was wondering if I could use multiple virtual hosts but still use a single SSL certificate and avoid SNI?
Alternatively, how feasible is it for me to install two Apache webserver instances, each with its own DocumentRoot and its own SSL certificate, and for me to simply use the first Apache webserver as an entry point to entertain some requests and to redirect others to the other SSLed Apache instance?
Could I potentially use the Windows Host file (Windows 2008 Server) to redirect incoming requests to the intended Apache Server instead of using VirtualHosts ?
Apologies if I have confused concepts.
You can try to purchase an X.509 certificate with two domains in it. I don't know what particular CAs do this, but I also don't see why they would refuse. You need to ask their support, though.
Your idea to redirect some requests to another server residing on a different port sounds good as well, though you will have to use two different certificates for different domain names, of course.
Finally if your second domain can be something like additional.mydomain.com , you have greater chance to buy a certificate issued for mydomain.com + www.mydomain.com + additional.mydomain.com (this can be a wildcard certificate or a certificate with additional subdomain names).
I have an apache server with multiple named hosts all working fine for port 80 http traffic.
(A VPS with one unique IP address)
I have one domain that has a SSL certificate and that domain is configured to handle both http and https traffic.
However, if someone accidentally adds https to the beginning of a non-SSL-configured URL, I get a typical certificate warning error (expected), and then if the user accepts the error (depending on the browser) it displays the SSL site I have configured instead of the original non-SSL domain.
I've read up a bit about SNI, but I don't have certificates for each of the other domains and would rather the server either not respond to the SSL request on anything else but one specific domain or redirect to the http version of the site.
Suggestions please as to how I approach this.
Kind regards, Spencer
For security reasons, what you're trying to achieve cannot work.
The browser (which implements the mechanisms to check the certificate) cannot know whether the user typed https:// instead of http:// accidentally or intentionally. Since it's ultimately up to the users to check that https:// is used when they think it's required, browsers should simply perform the actions requested by the users.
A redirection from https:// to http:// should always start with a valid https:// connection. SNI won't help you much there if you can't have valid certificates for the initial connection.
Otherwise, it would be fair for browsers to assume there may be a MITM attack in progress. Typing in https:// explicitly (or using HSTS) is the only reliable mechanism against MITM tools like SSLstrip, which would otherwise be capable of downgrading (or preventing an upgrade from http:// to https://).