Hello everybody,
today I've been experiencing this problem.
I have about 10 domains sharing one self-signed SSL certificate. This morning I decided to create a virtualhost with a non-shared certificate, signed by a CA. As everybody knows, the only way(s) is to assign a private IP or run HTTPS on a different port. The different port was the way I decided to try... So I set port 444 instead of 443, got a free signed certificate and installed it via Virtualmin's 'Manage SSL Certificate' environment. Everything is fine and working well. My URL https://www.example.com:444 reports a signed and verified certificate. But..
The problem I want to solve is: when somebody tries https://www.example.com (without a specified port), he is transferred to the first SSL-enabled virtualhost with the self-signed cert, which in some browsers means a 'red error' :/ He is still on the domain https://www.example.com, but he views the content of the other virtualhost. So my first idea (and I guess yours too) is simply to redirect all requests @https://www.example.com TO https://www.example.com:444 -- seems like an easy job :-), but..
I didn't figure out how to get this to work properly, so I want to ask you, please, do you know how?
I TRIED: 1) Adding a virtualhost listening on 443 to the Apache conf of this new virtual, and via RewriteRules redirecting all requests to the URL with the :444 port. It 'works' halfway, because the browser first asks on the self-signed cert = error. No clean way. 2) Adding redirect rules to the first SSL-enabled virtualhost; this works the same way as 1).
I have some suspicion that some proxying might solve this, but I have absolutely no skills with it, so thanks for any help.
(+ a little question for the end: is it somehow possible to show the https://example.com:444 content without the port being visible?)
Howdy,
Yeah, the problem is that using an alternate port for SSL isn't the best way to handle that; using a dedicated IP is the best way to provide SSL for a domain.
The trouble is that the SSL connection is negotiated before any content or configuration is read -- so it's not actually possible to solve the problem you're describing.
That is, if someone connects to https://example.com, you could add in a .htaccess file or similar to redirect the user to port 444, but they will always receive an SSL warning before that redirect occurs.
Now, you could add a redirect so that someone connecting to port 80 for that domain is redirected to port 444, but it's not possible to do that with port 443 in a way that prevents a warning from popping up.
My suggestion would be to splurge on a new IP address for this particular domain; that would solve all the problems you're describing above :-)
-Eric
I'm thinking about one possible solution:
1) disable all 'shared' SSL
2) set only one virtual with SSL on port 443, with a signed cert!
3) on this one virtual set all the other redirects (e.g. https://example.com to https://example.com:444)
4) for every other virtual where we want SSL and have no private IP available, we set some unique port for SSL
I guess this can work without any errors. But the point still is: is there any other way to redirect the HTTPS request before it gets to the Apache conf?
Another thing that should be considered: is it better to have self-signed HTTPS on the default port 443, or CA-signed on a non-standard port? (I assume IP addresses are unavailable.) What is more secure (no matter how difficult the setup is)?
Thank you for your opinions..
I don't think what you're trying can be done.
But regarding your statement:
"As everybody knows, the only way(s) is to assign a private IP or run HTTPS on a different port."
this is not correct. Newer versions of Apache come with a mod_ssl version that supports SNI ("name-based SSL"), which works with pretty much all modern browsers. Maybe sufficient in your case?
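A minimal Apache mod_ssl configuration for the SNI approach suggested in the last reply, added here as an illustration and not taken from the thread or from Virtualmin: two name-based HTTPS virtual hosts share port 443, each presenting its own certificate, so no :444 is needed. Host names and certificate paths are placeholders. On Apache 2.2 (mod_ssl 2.2.12 or later, OpenSSL built with SNI support) a `NameVirtualHost *:443` line is also required; Apache 2.4 applies it implicitly.

```apache
Listen 443

# First *:443 host is the default for clients that send no SNI name (very old
# clients). It keeps serving the shared self-signed certificate as before.
# SSLStrictSNIVHostCheck makes such clients receive a 403 instead of silently
# getting this host's content under some other domain's name.
<VirtualHost *:443>
    ServerName shared.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shared-selfsigned.crt      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/shared-selfsigned.key    # placeholder
    SSLStrictSNIVHostCheck on
    DocumentRoot /var/www/shared
</VirtualHost>

# CA-signed certificate for www.example.com, selected by SNI, on standard 443.
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt     # placeholder
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key   # placeholder
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt            # placeholder
    DocumentRoot /var/www/example.com
</VirtualHost>

# Plain HTTP for the same name. This is the one redirect that never triggers a
# certificate warning, because no TLS handshake happens on port 80.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

After reloading Apache, `openssl s_client -connect www.example.com:443 -servername www.example.com` should show the CA-signed chain, while omitting `-servername` shows the shared self-signed certificate (or a 403 from the strict check once the handshake completes).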