SNI issue on shared IP with non-SSL sites

I noticed Google crawling a page by the wrong domain name. This is when I realized that if a site that doesn’t have SSL set up is contacted via HTTPS, it will default to the first domain alphabetically that has SSL set up.

My idea now is to have a main shared IP for non-SNI sites and then a second shared IP for SNI sites.
Does this make sense as a good solution to my problem?

Thanks for your advice,

Justin

Hi Justin

I wondered how long before this arose

Google and a few other browsers are now flagging sites that are not accessed by https.

You’re correct about the SNI SSL alphabetical list; my solution was to set up 1sh as a domain.

Your idea is sound, but please remember that websites, I believe, are now being scored lower on Google if no https is available.

It might be more prudent to advise clients to upgrade to LE SSL and job done, thereby giving them the extra benefit of a higher Google ranking.

I hope that helps a little

Many thanks

John

Yeah, the idea is to start moving them to SSL, especially if they are using a CMS with a login / dashboard (like wordpress). But these things take time.

So for now I will create the second Shared IP address and put all SNI sites on that IP so that there is no confusion with Google, etc.

Thanks for the confirmation on this issue!

Hi Justin

Sorry, actually thinking about SNI, I’m not sure you can separate SNI onto differing IPs.

It may be a case of testing SNI in this setup.

I suspect SNI works on all ip addresses but could be wrong.

I’ll test tomorrow if you can wait, or if you have time tonight, you could test.

I believe https requests are hidden due to them being encrypted.

Many thanks and have a lovely night

Many thanks

John

Well, it looks like the IP doesn’t make a difference. It still will pull the first website with SSL from the list, no matter the IP.

So I think the only fix is to make a dummy site vhost like you did.

Need to correct my last post, the IP does indeed make a difference as I first guessed.
It will find the first vhost conf file with :443 on that particular IP.

I’ve cleared out all SSL sites from my main shared IP, and now when going to a site on that IP with HTTPS I get a 403 page:


Forbidden

You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I moved one regular non-SSL site into the SNI shared IP to test, and when I go to that one on HTTPS, it shows the first site on that IP alphabetically, as expected.
So once I move that site back to the main Shared IP, the only way a bad SNI request could come in on the SNI Shared IP is if someone connects to it by typing in the IP address, but that would be an issue with any shared IP, SSL or not.


To make this a bit cleaner, I made a custom default 443 VHOST for the main Shared IP to redirect back to the non-SSL domain, versus the 403 page I talked about above.

Where 111.222.333.444 is the Shared IP hosting non-SSL domains.
*Technically you could also add the SNI Shared IP here, but it should be unnecessary as all the domains on this IP will have SSL setup.

Name the file something like “vhost_000_SSL_fix.conf” so that it loads first.

# Catch-all :443 vhost for the shared IP that hosts the non-SSL domains.
# The file is named to sort before the other vhost files, so Apache loads
# it first and it becomes the default for any HTTPS request whose SNI name
# matches no other :443 vhost on this IP.
<VirtualHost 111.222.333.444:443>
    # Send the visitor back to the plain-HTTP site they actually asked for
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # A certificate is still needed to complete the TLS handshake before the
    # redirect can be sent; its name will not match the requested host
    SSLEngine on
    SSLCACertificatePath /home/somesite/var/somesite.com/ssl
    SSLCertificateKeyFile /home/somesite/var/somesite.com/ssl/somesite.com.priv.key
    SSLCertificateFile /home/somesite/var/somesite.com/ssl/somesite.com.crt
    SSLCACertificateFile /home/somesite/var/somesite.com/ssl/somesite.com.chain.crt
</VirtualHost>

Obviously the SSL I’m using here will get a domain name mismatch, but if you click to ignore the warning you’ll be redirected to the non-SSL version of the site you intended to go to.


In closing, I’m not really sure it’s worth it to have this special SNI Shared IP. Technically with that custom Vhost above, they could be mixed into the main Shared IP and would never get mixed up anymore.
So I might switch it back at some point, but it does feel slightly cleaner mentally having that separate.
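To see why the "1sh" domain and the "vhost_000_SSL_fix.conf" file both work, here is a small Python model of the selection rule the thread worked out by experiment. This is an added example, not code from the thread or from Apache: it models Apache's name-based vhost matching in simplified form (exact IP:port vhosts first, wildcards only as a fallback, then ServerName/ServerAlias match, else the first-loaded vhost for that IP:port), and all filenames, domains and the second IP are constructed sample data.

```python
"""Model of Apache's name-based virtual-host selection for an HTTPS request.

Added example for this thread; it is not code from the original posts or
from Apache itself. It reproduces the behaviour observed in the thread:
a request whose SNI name matches no ServerName/ServerAlias among the :443
vhosts on the addressed IP is served by whichever :443 vhost for that IP
was loaded first, and included conf files load in filename order.
All filenames, IPs and domains below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class VHost:
    conf_file: str        # file the <VirtualHost> block lives in
    ip: str               # address part of <VirtualHost ip:port>, "*" = any
    port: int
    names: Sequence[str]  # ServerName plus ServerAlias values; () for a catch-all


def load_order(vhosts: Sequence[VHost]) -> list:
    """Apache reads included conf files in sorted filename order,
    so a vhost's rank is the sort position of its file."""
    return sorted(vhosts, key=lambda v: v.conf_file)


def select_vhost(vhosts: Sequence[VHost], ip: str, port: int,
                 sni: Optional[str]) -> Optional[VHost]:
    """Pick the vhost Apache would use for a TLS connection to ip:port
    carrying the given SNI name (None = client sent no SNI).

    Simplified rules, in Apache's order: vhosts bound to the exact IP:port
    form the candidate set; only if there are none do *:port wildcards
    count. Within the set a ServerName/ServerAlias match wins; otherwise
    the first-loaded candidate is the default.
    """
    ordered = [v for v in load_order(vhosts) if v.port == port]
    candidates = ([v for v in ordered if v.ip == ip]
                  or [v for v in ordered if v.ip == "*"])
    if not candidates:
        return None   # nothing serves TLS on this IP:port at all
    if sni is not None:
        wanted = sni.lower()
        for v in candidates:
            if wanted in (n.lower() for n in v.names):
                return v
    return candidates[0]


# Constructed shared-IP layout mirroring the thread: two HTTPS sites and
# one plain-HTTP site, all on the main shared IP.
MAIN_IP = "111.222.333.444"   # placeholder taken from the thread, not a real address
SNI_IP = "111.222.333.445"    # constructed second shared IP
SITES = [
    VHost("vhost_alpha.conf", MAIN_IP, 443, ("alpha.example", "www.alpha.example")),
    VHost("vhost_bravo.conf", MAIN_IP, 443, ("bravo.example",)),
    VHost("vhost_charlie.conf", MAIN_IP, 80, ("charlie.example",)),  # no SSL set up
]
# The catch-all from the thread: named so it sorts, and therefore loads, first.
SSL_FIX = VHost("vhost_000_SSL_fix.conf", MAIN_IP, 443, ())


def served_by(vhosts, sni, ip=MAIN_IP):
    """Return the conf file that answers an HTTPS request for `sni` on `ip`."""
    chosen = select_vhost(vhosts, ip, 443, sni)
    return chosen.conf_file if chosen else None


if __name__ == "__main__":
    # Without the fix, an HTTPS hit on the non-SSL site lands on alpha's vhost
    print(served_by(SITES, "charlie.example"))              # vhost_alpha.conf
    # With the fix loaded first, the stray request gets the redirect vhost
    print(served_by(SITES + [SSL_FIX], "charlie.example"))  # vhost_000_SSL_fix.conf
    # Real SNI matches are unaffected by the fix
    print(served_by(SITES + [SSL_FIX], "bravo.example"))    # vhost_bravo.conf
    # A shared IP with no :443 vhost has nothing to answer TLS with
    print(served_by(SITES, "charlie.example", ip=SNI_IP))   # None
```

The model also shows why the first attempt looked IP-independent: the default is chosen per IP:port, so the fix only needs to exist on the IP that actually hosts non-SSL domains, and a catch-all with an empty name list can never steal a request that carries a matching SNI name.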