The whole point of virtual hosts is you can have multiple of them - that
is the whole way Apache configuration works to have multiple sites being
served from the same server... currently I have servers with 20+
virtualhost configurations.
Having a single virtual host is OK - but if you have more than one
virtualhost (or you have multiple domains for a single virtualhost - we
do on sandbox/dev/staging/live sites) you would need to write a long set
of RewriteCond entries.
The configuration I set up is the simplest extensible one...
On 08/02/2018 17:51, Houser, Rick wrote:
I didn’t think you could have two virtualhost entries with the same
IP/port. I would probably do this within a single VirtualHost,
myself. Something like this combined with the RewriteRule:
RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$
Rick Houser
Web Engineer
*From:* Dr James A Smith [mailto:j...@sanger.ac.uk]
*Sent:* Thursday, February 08, 2018 12:18
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] SSL Certificate Validation
The easiest way to do this is to make sure you have the correct
hostname in the virtual host - the one that matches your certificate
and another virtual host which has no hostname in it to catch all the
other requests.
<VirtualHost *:*>
    # return a forbidden response for all requests!
    RewriteEngine On
    RewriteRule ^(.*)$ - [L,F]
</VirtualHost>
<VirtualHost *:*>
    ServerName your.real.host.com
    # ... real config ...
</VirtualHost>
On 08/02/2018 16:46, Houser, Rick wrote:
In addition to fixing your certificate, you may have a reason to
make sure the host header they send is correct. If they are
reaching you via an alternate hostname or something that’s getting
them to the correct IP, but shouldn’t be supported for your
service, stopping them from doing that might take away the
incentive they see for disabling the hostname verification in the
first place.
Rick Houser
Web Engineer
*From:* Eric Covener [mailto:cove...@gmail.com]
*Sent:* Thursday, February 08, 2018 11:19
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] SSL Certificate Validation
On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar
<nbelm...@cscgroup.com> wrote:
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.
We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t,
the Apache service launches fine and the users/developers are
able to connect however developers through their code bypass
the Server SSL certificate verification. I am not worried
about the client certificate validation since we are not using
it, all the concern is we need to stop users bypassing the
Server SSL verification who are claiming they have to bypass
it since the certificate name doesn’t match the server name in
the link being called. Kindly note that configuration in
httpd.conf is:
You can't stop them unless you control the client. You only
control the server. The only thing you could do is provide a
better certificate.
-- The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
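An added example, not part of the thread or of anyone's configuration in it: one way to find the hostnames clients actually request that the certificate does not cover, which are the names behind the verification bypass and the ones a catch-all virtual host would refuse. It assumes an access log whose first field is the Host header (a LogFormat starting with `%{Host}i`); the log lines, hostnames and SAN list are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample: first field is the Host header (assumed LogFormat
# beginning with %{Host}i); all names and addresses are made up.
SAMPLE_LOG = """\
www.example.org 198.51.100.7 "GET /api/v1/items HTTP/1.1" 200
app01.internal.example.org:443 198.51.100.8 "GET /api/v1/items HTTP/1.1" 200
192.0.2.10 198.51.100.8 "POST /api/v1/items HTTP/1.1" 200
api.example.org 198.51.100.9 "GET /health HTTP/1.1" 200
app01.internal.example.org 198.51.100.8 "GET /health HTTP/1.1" 200
"""
CERT_DNS_SANS = ["www.example.org", "*.example.org"]  # constructed SAN list

def san_matches(pattern, host):
    """True if a dNSName SAN covers host; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative policy (assumption): refuse wildcards such as "*.org".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_from_log_line(line):
    """Return the requested host without port or IPv6 brackets."""
    field = line.split()[0].lower()
    if field.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        return field[1:].partition("]")[0]
    return field.rsplit(":", 1)[0] if ":" in field else field

def uncovered_hosts(log_lines, dns_sans):
    """Count requested hosts that no dNSName SAN covers."""
    misses = Counter()
    for line in log_lines:
        if not line.strip():
            continue
        host = host_from_log_line(line)
        # An IP literal is never covered by a dNSName entry.
        if is_ip(host) or not any(san_matches(s, host) for s in dns_sans):
            misses[host] += 1
    return misses

if __name__ == "__main__":
    for host, n in uncovered_hosts(SAMPLE_LOG.splitlines(), CERT_DNS_SANS).most_common():
        print(f"{n:4d}  {host}")
```

Each name it reports either needs to be added to the certificate or is a candidate for the catch-all virtual host to reject.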