
I have a couple of web sites running on localhost with Apache/Ubuntu.

I just successfully installed self-signed certificates for one of these, call it securesite.local. Another non-ssl site, call it insecuresite.local also works as expected.

That is, if I navigate to

https://securesite.local
http://insecuresite.local

Each of these serves the correct content.

However, if I navigate to http://securesite.local it serves content from insecure.local

My /etc/hosts contains

127.0.1.1 securesite.local
127.0.1.1 insecuresite.local

/etc/apache2/apache2.conf contains

IncludeOptional sites-enabled/*.conf

It does not contain any explicit references to securesite or insecuresite.

ls /etc/apache2/sites-enabled

securesite.conf insecuresite.conf

insecuresite.conf contains (abbreviated here)

<VirtualHost insecuresite.local:80>
    ServerName insecuresite.local
    ServerAlias insecuresite.local
    # ...
</VirtualHost>

securesite.conf contains (abbreviated here)

<VirtualHost securesite.local:443>
    ServerName securesite.local
    ServerAlias securesite.local
    # ...
</VirtualHost>

I want Apache to refuse connections to securesite.local over any port other than 443, not to fall back to serving content from any other site which does allow traffic on that localhost:80.

Why is this happening and how can I stop it?

2 Answers

Based on your insecuresite.conf and securesite.conf files, one is listening on port 80 and the other on 443. When you go to http://securesite.local, your browser is requesting data from port 80 and the only thing being served on port 80 is insecuresite.local.

To fix this you would need to define a virtualhost for securesite.local:80, and have it redirect to https. Also, you will need to make sure you have NameVirtualHost * in your apache2.conf file.

Your two conf files would then look something like the following:

<VirtualHost *:80>
    ServerName insecuresite.local
    ServerAlias insecuresite.local
    # ...
</VirtualHost>

and

<VirtualHost *:80>
    ServerName securesite.local
    ServerAlias securesite.local
    # Trailing slash on the target matters: without it a request for /foo
    # would be redirected to https://securesite.localfoo
    Redirect permanent / https://securesite.local/
    # ...
</VirtualHost>

<VirtualHost *:443>
    ServerName securesite.local
    ServerAlias securesite.local
    # ...
</VirtualHost>

With the NameVirtualHost option enabled, Apache will examine the ServerNames and ServerAliases and serve up data accordingly.

  • Thanks. P.S. I discovered that it has to be *:80 not securesite.local:80 -- is there any way to make Apache drop all connections for hosts which are not explicitly named? As in, if a rogue DNS or hosts file sends foo.com to this IP, that nothing will be served?
    – spraff
    Commented Apr 14, 2016 at 14:46
  • Have you tried doing this? If you add foo.com to your hosts file, does it serve up one of the sites? I would think that it wouldn't since it doesn't match any of your ServerNames/Aliases. If it does, you could try creating another VirtualHost that can act as a catchall. See serverfault.com/questions/583884/…
    – zachzins
    Commented Apr 14, 2016 at 15:11
  • Tried it myself, it did accept rogue names. I can't imagine this would be a big security risk though.
    – zachzins
    Commented Apr 14, 2016 at 15:17

Sockets are bound to and connections are made to IP addresses, not hostnames. Since both vhosts have identical IP addresses, there's only one listener socket for both of them, and Apache cannot know which domain will be requested until well after it has accepted the connection – it has to receive the HTTP request (or the TLS SNI handshake).

Files from sites-enabled are read in asciibetical order, so you can set up a "fallback" vhost in a file named sites-enabled/00-default.conf or something like that. (In other words, have it listed before any other vhosts for the same IP.)

  • Surely it can be made to accept the socket, determine the host, and then close the socket if the host is wrong? Otherwise this would seem like the sort of thing you hear about in data breaches due to "misconfiguration".
    – spraff
    Commented Apr 14, 2016 at 13:44
  • Also, I created a sites-enabled/000-default.conf with <VirtualHost *:80> and restarted, I still get served content from insecure.local when I navigate to http://secure.local
    – spraff
    Commented Apr 14, 2016 at 13:53
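Both answers come down to the same mechanism: for a given IP:port, Apache hands any request whose Host header (or TLS SNI name) matches no ServerName/ServerAlias to the first vhost defined for that IP:port. The following catch-all is an added example, not from either answer or the asker; it assumes the filename 000-default.conf (chosen so it sorts before securesite.conf and insecuresite.conf), Apache 2.4 as shipped on Ubuntu, and placeholder certificate paths.

```apache
# /etc/apache2/sites-enabled/000-default.conf  (assumed name; must sort first)
# Because these vhosts are defined first for *:80 and *:443, they become the
# default for every request that matches no other ServerName/ServerAlias.
# An unknown Host header then gets an error instead of another site's content.

<VirtualHost *:80>
    # .invalid is a reserved TLD, so no legitimate client ever sends this name;
    # the vhost exists only to occupy the "first defined" slot.
    ServerName default.invalid

    # mod_alias: a non-3xx status takes no target URL. Every path under /
    # is answered with 404.
    Redirect 404 /

    # Alternative (Apache 2.4 syntax): refuse with 403 instead of 404.
    # <Location "/">
    #     Require all denied
    # </Location>

    ErrorLog ${APACHE_LOG_DIR}/default-error.log
    CustomLog ${APACHE_LOG_DIR}/default-access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName default.invalid

    # The default 443 vhost still needs its own TLS material; otherwise the
    # first certificate-bearing vhost's cert is presented for unknown names.
    # A throwaway self-signed pair is enough here (paths are placeholders).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/default-selfsigned.key

    Redirect 404 /
</VirtualHost>
```

`apache2ctl -S` prints which vhost is the "default server" for each port, so you can confirm the ordering took effect before reloading; afterwards a request with a bogus Host header (for example `curl -sI -H 'Host: foo.com' http://127.0.1.1/`) should return 404 rather than insecuresite's pages.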
