After upgrading to Webmin 1.900 and VirtualMin 6.05 on Debian 9, I noticed that adding a new virtual host starts hijacking traffic to other virtual hosts. With the help from https://www.virtualmin.com/documentation/web/troubleshooting#the_wrong_s..., I managed to pinpoint the problem into the newly created configurations in /etc/apache2/sites-enabled/*.conf.
All old configurations have the non-SSL VirtualHost entries defined as VirtualHost *:80, and the SSL entries as VirtualHost ip-address:443. The newly added host was assigned the format VirtualHost ip-address:port for both SSL and non-SSL. This caused the requests to be mishandled. After editing the configuration manually to the same *:80 format as the old ones, the problem was solved.
Has something changed in the way the entries are generated? Which format is correct?