#1
I have installed Apache and OpenSSL and it seems to work great. One problem though.
I want a certain vhost to be protected, i.e. URL. But unfortunately when I connect to URL I arrive at secure.domain.com (which is on the same IP). Doesn't Apache check for ServerName when someone connects through SSL? Or is this perhaps a limitation in SSL? I would like it to return a Not Found message if someone attempts to SSL-connect to any other vhost than secure.domain.com.
#2
>> I would like it to return a Not Found message
Sending 404 in return is inappropriate. Use a customized 400 error instead.

>> Doesn't Apache check for ServerName when someone connects through SSL?

When the cn (common name) mismatches, but the users explicitly GRANT the cert, then they will see the content of your default SSL site.

>> Or is this perhaps a limitation in SSL?

Yes, or you can say it's a feature. Here is a workaround using mod_rewrite (my favorite):

```apache
<IfDefine SSL>
<VirtualHost _default_:443>
ServerName secure.domain.com
...
...
RewriteEngine on
# Any Host header other than secure.domain.com is handed to error.cgi
RewriteCond %{HTTP_HOST} !^secure\.domain\.com$ [NC]
RewriteRule ^(.+) /server/path/to/error.cgi [T=application/x-httpd-cgi,L]
</VirtualHost>
</IfDefine>
```

Your error.cgi will not be revealed to visitors, and here is how it may look:

```perl
#!/usr/bin/perl
# Escape request-derived values before echoing them into the HTML.
sub esc { my $s = shift; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g; return $s; }
my $url = esc("http://$ENV{'HTTP_HOST'}$ENV{'REQUEST_URI'}");
print "Status: 400 Bad Request\n";   # send the 400 status recommended above
print "Content-type: text/html\n\n";
print "<html><body>\n";
print "<h1>Bad Request</h1>\n";
print "This site does not support SSL. ";
print "Please <a href=\"$url\">click here</a>\n";
print "</body></html>";
```

As you can see, say a user visits https://www.vhosts.com/path/to/foo.html, he will then be asked to click on the link to visit http://www.vhost.com/path/to/foo.html instead. In addition, say https://secure.domain.com/path/to/foo.html exists coincidentally, that user will not be redirected to it, just because your error.cgi will intercept the request.

Let me know if you have any questions.

Last edited by freebsd : September 26th, 2001 at 01:32 PM.
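
An added example, not part of the original posts: a Python emulation of the `RewriteCond` host check from post #2, run over constructed `Host` header values to show which requests reach error.cgi (including a `Host` that carries an explicit port), plus an error body that HTML-escapes the echoed host and URI. The `TOLERANT` pattern, the function names and the sample values are assumptions made for illustration.

```python
import html
import re

# Pattern from the RewriteCond in post #2; the [NC] flag maps to IGNORECASE.
POSTED = re.compile(r"^secure\.domain\.com$", re.IGNORECASE)
# Assumption (not in the thread): also accept a trailing dot and explicit port.
TOLERANT = re.compile(r"^secure\.domain\.com\.?(:\d+)?$", re.IGNORECASE)


def goes_to_error_page(host, pattern=POSTED):
    """Emulate `RewriteCond %{HTTP_HOST} !pattern`: True means the rule fires."""
    return pattern.search(host or "") is None


def error_page(host, uri):
    """Build the error body with request-derived values HTML-escaped."""
    link = html.escape(f"http://{host}{uri}", quote=True)
    return (
        "<html><body>\n<h1>Bad Request</h1>\n"
        "This site does not support SSL. "
        f'Please <a href="{link}">click here</a>\n</body></html>'
    )


# Constructed sample Host header values (not taken from real traffic).
SAMPLES = [
    "secure.domain.com",
    "SECURE.Domain.COM",
    "secure.domain.com:443",
    "secure.domain.com.",
    "www.vhost.com",
    "secure.domain.com.other.example",
    "",
]


def decisions(pattern=POSTED):
    """Map each sample host to whether it would be sent to error.cgi."""
    return {h: goes_to_error_page(h, pattern) for h in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("tolerant", TOLERANT)):
        for host, blocked in decisions(pat).items():
            print(f"{name:8} {host!r:36} -> {'error.cgi' if blocked else 'served'}")
    print(error_page("www.vhost.com", '/path/to/foo.html?q="><b>x</b>'))
```
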
Viewing: Dev Shed Forums > System Administration > Apache Development > Apache SSL Virtual Host