  1. #1

    Exclamation SNI issue on shared IP with non-SSL sites

    I noticed Google crawling a page by the wrong domain name. This is when I realized that if a site which doesn't have SSL set up is contacted via HTTPS, it will default to the first domain alphabetically that has SSL set up.

    My idea now is to have a main shared IP for non-SNI sites and then a second shared IP for SNI sites.
    Does this make sense as a good solution to my problem?

    Thanks for your advice,

    Justin
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]

  2. #2
    Hi Justin

    I wondered how long before this arose

    Google and a few other browsers are now flagging sites if they are not accessed by https.

    You're correct about the SNI SSL alphabetical list; my solution was to set up 1sh as a domain.

    Your idea is sound, but please remember that websites, I believe, are now being scored lower on Google if no https is available.

    It might be more prudent to advise clients to upgrade to LE SSL and job done, thereby giving them the extra benefit of a higher Google ranking.

    I hope that helps a little

    Many thanks

    John

  3. #3
    Yeah, the idea is to start moving them to SSL, especially if they are using a CMS with a login / dashboard (like WordPress). But these things take time.

    So for now I will create the second Shared IP address and put all SNI sites on that IP so that there is no confusion with Google, etc.

    Thanks for the confirmation on this issue!

  4. #4
    Hi Justin

    Sorry, actually thinking about SNI, I'm not sure you can separate SNI onto differing IPs.

    It may be a case of testing SNI in this setup.

    I suspect SNI works on all IP addresses, but I could be wrong.

    I'll test tomorrow if you can wait, or if you have time tonight, you could test.

    I believe https requests are hidden due to them being encrypted.

    Many thanks and have a lovely night

    Many thanks

    John

  6. #5
    Well, it looks like the IP doesn't make a difference. It will still pull the first website with SSL from the list, no matter the IP.

    So I think the only fix is to make a dummy site vhost like you did.

  7. #6
    Need to correct my last post, the IP does indeed make a difference as I first guessed.
    It will find the first vhost conf file with :443 on that particular IP.

    I've cleared out all SSL sites from my main shared IP, and now when going to a site on that IP with HTTPS I get a 403 page:
    Code:
    Forbidden
    
    You don't have permission to access / on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
    I moved one regular non-SSL site into the SNI shared IP to test, and when I go to that one on HTTPS, it shows the first site on that IP alphabetically, as expected.
    So once I move that site back to the main Shared IP, the only way a bad SNI request could come in on the SNI Shared IP is if someone connects to it by typing in the IP address, but that would be an issue with any shared IP, SSL or not.

    ----


    To make this a bit cleaner, I made a custom default 443 VHOST for the main Shared IP to redirect back to the non-SSL domain, versus the 403 page I talked about above.

    Where 111.222.333.444 is the Shared IP hosting non-SSL domains.
    *Technically you could also add the SNI Shared IP here, but it should be unnecessary as all the domains on this IP will have SSL setup.

    Name the file something like "vhost_000_SSL_fix.conf" so that it loads first.
    Code:
    <VirtualHost 111.222.333.444:443>
        # Catch-all for HTTPS requests to domains on this IP that have no SSL
        # vhost of their own: send the visitor back to the plain-HTTP site
        # they actually asked for instead of serving some other domain's content.
        RewriteEngine On
        RewriteCond %{HTTPS} on
        RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

        # Any valid certificate/key pair will do here; its name will not match
        # the requested domain, so the browser shows a mismatch warning first.
        SSLEngine on
        SSLCACertificatePath /home/somesite/var/somesite.com/ssl
        SSLCertificateKeyFile /home/somesite/var/somesite.com/ssl/somesite.com.priv.key
        SSLCertificateFile /home/somesite/var/somesite.com/ssl/somesite.com.crt
        SSLCACertificateFile /home/somesite/var/somesite.com/ssl/somesite.com.chain.crt
    </VirtualHost>

    Obviously the SSL I'm using here will get a domain name mismatch, but if you click to ignore the warning you'll be redirected to the non-SSL version of the site you intended to go to.

    ----

    In closing, I'm not really sure it's worth it to have this special SNI Shared IP. Technically with that custom Vhost above, they could be mixed into the main Shared IP and would never get mixed up anymore.
    So I might switch it back at some point, but it does feel slightly cleaner mentally having that separate.
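As an added example that is not part of the thread, here is a small POSIX shell check that reproduces the test described in the posts above: connect to a shared IP with openssl s_client, send a given SNI name, and see whether the certificate the answering :443 vhost hands back actually covers that name (if it does not, the request fell through to the first alphabetical SSL vhost on that IP). The IP placeholders, hostnames and the sample SAN text are constructed, and the live probe assumes openssl 1.1.1+ for `x509 -ext`.

```shell
#!/bin/sh
# Added example (not from the thread). Detects the "wrong vhost answers HTTPS"
# condition by comparing the requested SNI name against the DNS SANs of the
# certificate actually served. Hostnames and IPs below are placeholders.

# san_names SAN_TEXT: print one DNS name per line from the output of
# "openssl x509 -noout -ext subjectAltName"
san_names() {
    printf '%s\n' "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# name_matches HOST PATTERN: succeed if PATTERN covers HOST; a leading "*."
# wildcard covers exactly one label (www.example.com, not a.b.example.com)
name_matches() {
    case $2 in
        \*.*)
            suffix=${2#\*}                    # ".example.com"
            label=${1%"$suffix"}              # host with the suffix stripped
            [ "$label" != "$1" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] ;;
        *)
            [ "$1" = "$2" ] ;;
    esac
}

# cert_covers_host HOST SAN_TEXT: succeed if any DNS SAN matches HOST
cert_covers_host() {
    for n in $(san_names "$2"); do
        name_matches "$1" "$n" && return 0
    done
    return 1
}

# check_sni IP HOST: live probe of IP:443 with SNI=HOST (needs network access)
check_sni() {
    san=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName 2>/dev/null) || return 2
    if cert_covers_host "$2" "$san"; then
        echo "OK   $2 via $1: certificate covers the requested name"
    else
        echo "WARN $2 via $1: default :443 vhost answered with a cert for" \
             "$(san_names "$san" | paste -sd, -)"
        return 1
    fi
}

# Example runs against the two shared IPs from the thread (placeholders):
#   check_sni <main-shared-ip> plainsite.example   # expect WARN (or no TLS at all)
#   check_sni <sni-shared-ip>  somesite.com        # expect OK
```

Running the WARN case against the main shared IP before and after adding the default :443 vhost shows the difference: the redirect vhost still produces a name mismatch, but it never serves another customer's content.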
