Need to correct my last post, the IP does indeed make a difference as I first guessed.
It will find the first vhost conf file with :443 on that particular IP.
I’ve cleared out all SSL sites from my main shared IP and now when going to a site on that IP with HTTPS I get a 403 page:
Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
I moved one regular non-SSL site into the SNI shared IP to test, and when I go to that one on HTTPS, it shows the first site on that IP alphabetically, as expected.
So once I move that site back to the main Shared IP, the only way a bad SNI request could come in on the SNI Shared IP is if someone connects to it by typing in the IP address, but that would be an issue with any shared IP, SSL or not.
To make this a bit cleaner, I made a custom default 443 VHOST for the main Shared IP to redirect back to the non-SSL domain, versus the 403 page I talked about above.
Where 111.222.333.444 is the Shared IP hosting non-SSL domains.
*Technically you could also add the SNI Shared IP here, but it should be unnecessary as all the domains on this IP will have SSL set up.
Name the file something like “vhost_000_SSL_fix.conf” so that it loads first.
# Default :443 vhost for the non-SSL Shared IP. Because this file sorts first,
# it is the first :443 vhost loaded for this IP and therefore catches every
# HTTPS request whose SNI name matches no other vhost on the IP.
<VirtualHost 111.222.333.444:443>
    # Send any request that arrived over HTTPS back to the plain-HTTP site,
    # preserving the requested host and path.
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # A certificate is still required for the TLS handshake to complete;
    # it will not match the requested name, so browsers warn before redirecting.
    SSLEngine on
    SSLCACertificatePath /home/somesite/var/somesite.com/ssl
    SSLCertificateKeyFile /home/somesite/var/somesite.com/ssl/somesite.com.priv.key
    SSLCertificateFile /home/somesite/var/somesite.com/ssl/somesite.com.crt
    SSLCACertificateFile /home/somesite/var/somesite.com/ssl/somesite.com.chain.crt
</VirtualHost>
Obviously the SSL I’m using here will get a domain name mismatch, but if you click to ignore the warning you’ll be redirected to the non-SSL version of the site you intended to go to.
In closing, I’m not really sure it’s worth it to have this special SNI Shared IP. Technically with that custom Vhost above, they could be mixed into the main Shared IP and would never get mixed up anymore.
So I might switch it back at some point, but it does feel slightly cleaner mentally having that separate.
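As an added illustration (not the poster's configuration), a small Python model of the selection rule the post describes: Apache reads wildcard-included conf files in alphabetical order, only vhosts bound to the request's IP:port are candidates, an exact ServerName/ServerAlias match against the SNI name wins, and otherwise the first loaded candidate is the default. The file contents and hostnames are constructed, and 111.222.333.445 is an assumed SNI Shared IP; real Apache also handles wildcards and falls back to the main server when no vhost is bound to the IP:port, which is modelled as None here.

```python
import re

# Constructed conf files: two SSL sites on the SNI Shared IP (assumed 111.222.333.445)
# and one plain-HTTP site on the non-SSL Shared IP (111.222.333.444 from the post).
CONF_FILES = {
    "vhost_alpha.conf": "<VirtualHost 111.222.333.445:443>\nServerName alpha.example\n</VirtualHost>",
    "vhost_beta.conf": ("<VirtualHost 111.222.333.445:443>\nServerName beta.example\n"
                        "ServerAlias www.beta.example\n</VirtualHost>"),
    "vhost_plain.conf": "<VirtualHost 111.222.333.444:80>\nServerName plain.example\n</VirtualHost>",
}
# The post's fix: a :443 catch-all for the non-SSL IP whose filename sorts first.
FIX_FILE = {"vhost_000_SSL_fix.conf":
            "<VirtualHost 111.222.333.444:443>\nServerName default-ssl-redirect\n</VirtualHost>"}

VHOST_RE = re.compile(r"<VirtualHost\s+([\d.]+):(\d+)>(.*?)</VirtualHost>", re.S)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M)


def parse_vhosts(files):
    """Return vhosts in load order: wildcard Includes are read alphabetically by filename."""
    vhosts = []
    for name in sorted(files):
        for ip, port, body in VHOST_RE.findall(files[name]):
            hosts = [h for line in NAME_RE.findall(body) for h in line.split()]
            vhosts.append({"file": name, "ip": ip, "port": int(port), "hosts": hosts})
    return vhosts


def select_vhost(vhosts, ip, port, sni_host):
    """Simplified name-based selection for a request on ip:port carrying sni_host."""
    candidates = [v for v in vhosts if v["ip"] == ip and v["port"] == port]
    if not candidates:
        return None  # nothing bound to this IP:port; real Apache uses the main server here
    for v in candidates:
        if sni_host and sni_host.lower() in (h.lower() for h in v["hosts"]):
            return v
    return candidates[0]  # no name match: the first loaded vhost on this IP:port wins
```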