How to stop one SSL website from responding to other sites

4 posts / 0 new
Last post
#1 Fri, 08/09/2019 - 08:09
connectsys

How to stop one SSL website from responding to other sites

Hi all

We have a Virtualmin setup with a number of different sites on the same webserver and IP address. This works great for the http side of things but recently one of the users has asked us to set up an HTTPS address as well. I got that working through the UI and it works well for that particular domain but we have noticed that if we access another domain with HTTPS rather than HTTP we are getting sent to the site with SSL set up.

For example, the site we have changed to be HTTPS is called SSLsite.co.uk and another site is called HTTPsite.com. If we go to http://www.HTTPsite.com that works great and if we go to https://www.SSLsite.co.uk or http://www.SSLsite.co.uk that works as well. However if we go to https://www.HTTPsite.com we get an invalid certificate prompt (for www.SSLsite.co.uk) and end up on https://www.SSLsite.co.uk.

I understand why it is probably working as they are all sitting on the same IP address but is there any way of telling the system to fail (404) if somebody tries to go to https://www.HTTPsite.com rather than serve https://www.SSLsite.co.uk? I understand from something else I read that if there were two sites both running https it should be able to differentiate between them on the same IP in a similar way to host headers on http but what about if one of them doesn't have an SSL site as per my example? Is the only way around it to put them on separate IP addresses?

Many thanks in advance

Ollie

Fri, 08/09/2019 - 12:05
OliverF

Are you sure, Ollie, this is specifically an issue with virtualmin?

Of the websites I switched to https when Google enforced ssl requirement to please Chrome, for this going in virtualmin > server config > ssl certificate > let's encrypt, once letsencrypt was successfully installed, what I noticed was that the websites worked BOTH in http:// and https:// (while before there would be an error if attempting https:// ).

I may very well have missed the box to tick to forced https, mind you, so this should count as a "just in case" question, more specifically "just in case the culprit is something other than virtualmin, such as the cdn, cms or such".

Fri, 08/09/2019 - 12:26
codingcrew

did you add a website redirect? After setting up your SSL cert from LetsEncrypt you will need to go to Server Configuration. The in Server Configuration you will find Website Redirects Select Website Redirects Then create a new Website Redirect that reads. Source URL path / Check URL to other website enter your domain as https://yourdomain.com Destination empty HTTP redirect type Default Include sub-paths in redirect? NO Enable redirect for "check" Non-SSL website "uncheck" SSL website.

If you "check" SSL website you will end up in a loop and it will not work right.

Tue, 08/13/2019 - 06:15
connectsys

Hi both, thanks for the responses. I don't think it probably matters but this is a "proper" SSL cert from a commercial provider not a LetsEncrypt. I don't think I've forced SSL on anything. There is a redirect in place in Virtualmin as codingcrew suggested (see https://snag.gy/SvsMTa.jpg), the only difference is that the URL at other website is https://www.somedomain.com/$1 but I don't think that would be causing this problem (I'm no expert though obviously!).

We are using Really Simple SSL in WP to handle the change to SSL but I don't think that would be causing this problem would it? It is like the SSL equivalent of host headers isn't working, I just want the server to fail if I go to https://www.siteb.com (which doesn't have SSL enabled at all) rather than serving me https://www.sitea.com (which does have an SSL site listening on the same IP that www.siteb.com points to).

In answer to the question of whether this is specifically a virtualmin problem, unfortunately I don't know. I've configured everything on this server, website related anyhow, via virtualmin so I'd presume it is something to do with virtualmin or at least there might be a setting in the product that I can change to stop https://www.sitea.com from being server if somebody asks for https://www.siteb.com (which doesn't have an SSL certificate installed).

Thanks a lot

Ollie