Apache, mixing http and https virtual hosts

Summary

The issue at hand is Apache’s default behavior of directing HTTPS requests to the first available SSL virtual host when multiple virtual hosts are configured. This causes problems when trying to host one HTTPS site and several HTTP-only sites on the same server, as HTTPS requests for the HTTP sites are answered by the HTTPS site instead. The goal is to configure Apache to host one HTTPS site and the other five sites as HTTP only, without this SSL fallback behavior.

Root Cause

The root cause of this issue is:

  • Apache’s SSL configuration: When Apache receives an HTTPS request, it checks the SSL configuration of the virtual hosts to determine which one to serve.
  • Virtual host matching: If no ServerName or ServerAlias matches the requested name, Apache serves the first virtual host listed for that address and port, which in this setup is the one with an SSL configuration.
  • SSL certificate configuration: The self-signed certificate on the HTTPS site makes the misrouting visible, as browsers object to that certificate when the other sites’ names end up served by that virtual host.

Why This Happens in Real Systems

This issue occurs in real systems due to:

  • Misconfigured virtual hosts: Incorrectly configured virtual hosts can lead to unexpected behavior, such as the SSL fallback issue.
  • Insufficient SSL configuration: Failing to properly configure SSL for each virtual host can cause Apache to default to the first available SSL virtual host.
  • Browser behavior: Browsers’ default behavior of trying HTTPS first can exacerbate the issue.

Real-World Impact

The real-world impact of this issue includes:

  • Unintended redirects: Users may be redirected to the wrong website, potentially causing confusion and security concerns.
  • Browser warnings: Self-signed certificates can trigger browser warnings, deterring visitors from accessing the sites.
  • Increased complexity: Working around the issue by setting up multiple servers or auto-generated certificates can add unnecessary complexity.

Example or Code

    # Example Apache configuration
    # (the <VirtualHost> wrappers were missing from the page's copy and are restored here)
    <VirtualHost *:80>
        ServerName example1.com
        # HTTP configuration
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example2.com
        # HTTPS configuration with self-signed certificate
        SSLEngine on
        SSLCertificateFile /path/to/cert
        SSLCertificateKeyFile /path/to/key
    </VirtualHost>

How Senior Engineers Fix It

Senior engineers fix this issue by:

  • Configuring separate SSL virtual hosts: Creating separate virtual hosts for each site, with their own SSL configurations.
  • Using a default SSL virtual host: Configuring a default SSL virtual host to catch any unexpected HTTPS requests and return an error.
  • Disabling SSL for non-HTTPS sites: Ensuring that SSL is disabled for the non-HTTPS sites to prevent Apache from defaulting to the first available SSL virtual host.
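An added configuration example (not from the original page) laying out the fix the list above describes: a catch-all default SSL virtual host listed first on port 443 that refuses every request, the single real HTTPS site after it, and the HTTP-only sites on port 80 with no port 443 counterpart. Hostnames, document roots, certificate paths and the log path are placeholders.

```apache
Listen 80
Listen 443

# 1. Catch-all for port 443. Because it is the FIRST vhost on *:443, Apache
#    uses it for any HTTPS request whose SNI name matches no other :443 vhost,
#    and for clients that send no SNI at all. Every SSL vhost needs a
#    certificate, so give it a throwaway self-signed one (placeholder paths).
#    Requests that land here get a 403 instead of someone else's site.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    <Location "/">
        Require all denied
    </Location>
    # Separate log so you can see which names are being requested over HTTPS
    ErrorLog /var/log/apache2/https-catchall-error.log
</VirtualHost>

# 2. The one real HTTPS site, selected by SNI on its ServerName.
<VirtualHost *:443>
    ServerName example2.com
    DocumentRoot /var/www/example2
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example2.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example2.com.key
</VirtualHost>

# 3. HTTP-only sites. No *:443 block exists for these names, so an HTTPS
#    attempt for them reaches the catch-all above, never example2.com.
<VirtualHost *:80>
    ServerName example1.com
    DocumentRoot /var/www/example1
</VirtualHost>

<VirtualHost *:80>
    ServerName example3.com
    DocumentRoot /var/www/example3
</VirtualHost>

# Optional: clients that send no SNI may only reach the default (catch-all)
# SSL vhost, never a named one.
SSLStrictSNIVHostCheck on
```

Clients that hit the catch-all see a certificate warning for the placeholder certificate and then a 403, which is the intended "return an error" outcome; run `apachectl configtest` after editing and check the catch-all's ErrorLog to see which hostnames are being tried over HTTPS.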

Why Juniors Miss It

Junior engineers may miss this issue due to:

  • Lack of experience with Apache configuration: Inadequate understanding of Apache’s configuration options and default behaviors.
  • Insufficient testing: Failing to thoroughly test the configuration, leading to unexpected behavior.
  • Overlooking SSL configuration: Neglecting to properly configure SSL for each virtual host, contributing to the SSL fallback issue.