> On 24.05.2018 at 13:43, Stefan Priebe - Profihost AG <[email protected]> wrote:
>
> Hi Stefan,
>
> as I've tried to do nearly the same some weeks ago I can tell you what I did.

:-) In the era of DSGVO, some sites simply wish to disappear silently...

> Comment inline.
>
> On 24.05.2018 at 13:34, Stefan Eissing wrote:
>> So, we are lacking an option here to abort SSL connections without a vhost
>> match, it seems. Something like
>>
>> SSLStrictSNIVHostCheck require-match
>
> No, this will not solve the problem as you may have clients not
> supporting SNI at all. I tried the same with SSLStrictSNIVHostCheck On
>
> Nowadays those clients see the wrong cert but still land in the correct
> vhost container so they "work".
>
> What I did is creating a vhost container which is loaded first in config
> order:
> 1.) Create a fake or general SSL cert (something like a white label cert)
> 2.) Create the container:
> <VirtualHost $IP:443>
>     # Because this virtual host is defined first, it will
>     # be used as the default if the hostname is not received
>     # in the SSL handshake
>     ServerName unknown
>     DocumentRoot /usr/local/apache/htdocs/
>
>     Protocols h2 http/1.1
>
>     SSLCertificateFile ...
>     SSLCertificateKeyFile ...
>     SSLCertificateChainFile ...
>     SSLEngine on
>
>     ErrorLog /usr/local/apache/logs/htdocs-error.log
>     TransferLog /usr/local/apache/logs/htdocs-access.log
>
>     # Rewrite to correct hostname using http - vhost container does not have https
>     RewriteEngine On
>     RewriteRule (.*) http://%{HTTP_HOST}/$1 [R=301,L]
> </VirtualHost>

I thought about this. In case of a general hoster, redirecting to a business site which explains like "this domain is no longer hosted here, blabla", makes sense.

In my case, a site "disappeared" that is in no way affiliated with the other vhosts and I would like to avoid the impression that it is. Sure, people who know DNS and IP addresses can easily find co-located sites, but that is another level.

-Stefan
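
An added example, not part of the original message or of Apache httpd: a small Python audit of the behaviour discussed above, where the first-defined vhost on an address answers TLS handshakes whose SNI matches no vhost. The sample configuration, its addresses, hostnames and paths are constructed, and the script assumes a single config file in which each TLS vhost sets `SSLEngine on` itself; `neutral_names` is a hypothetical parameter listing placeholder ServerNames such as the `unknown` used in the thread.

```python
import re

# Constructed sample config (not from the thread); all values are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName unknown
    SSLEngine on
    SSLCertificateFile /etc/ssl/whitelabel.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.example.pem
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName blog.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/blog.example.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First value of a directive inside a vhost body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def default_vhosts(conf):
    """Map each TLS listen address to its first-defined vhost (ServerName, cert)."""
    defaults = {}
    for addrs, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue
        for addr in addrs.split():
            # setdefault keeps the first vhost seen: the fallback for unmatched SNI
            defaults.setdefault(addr, (directive(body, "ServerName"),
                                       directive(body, "SSLCertificateFile")))
    return defaults

def real_site_defaults(conf, neutral_names=("unknown",)):
    """Addresses where unmatched or missing SNI lands on a real site's vhost."""
    return {addr: name for addr, (name, _cert) in default_vhosts(conf).items()
            if name not in neutral_names}

if __name__ == "__main__":
    for addr, (name, cert) in default_vhosts(SAMPLE_CONF).items():
        print(f"{addr}: unmatched SNI is served {cert} ({name})")
    print("real sites acting as default:", real_site_defaults(SAMPLE_CONF))
```

On the sample, `192.0.2.20:443` is reported because `blog.example` is its first vhost, so a request for a hostname removed from that address would be answered with that site's certificate and content.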
