SSL problem - get rid of default SSL sites

Discussion in 'Installation/Configuration' started by labsy, Mar 4, 2017.

  1. labsy

    labsy Member

    Hi,
    I have a problem in config of either my Web server or ISPConfig with SSL, because all https://*.any-domain.com gets redirected to (random?) SSL-enabled web site. If I - forr testing purposes - disable the particular SSL-enabled web site, then the content of next SSL-enabled web site is displayed.
    For example:
    non-ssl site http://www.non-ssl-site.com works OK
    The sub-domain "autodiscover" does not exist for this site.
    But when I type https://autodiscover.non-ssl-site.com I get SSL cert and content of https://www.ssl-enabled-site.com
    I do not want this.

    Any idea, where I messed up with config?
     
  2. ahrasis

    ahrasis Active Member

    This is a normal behavior and had been answered several times. Do search for it. You basically need to create a vhost of 000-something.
     
  3. labsy

    labsy Member

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As ahrasis said, this has been answered many times.

    You don't like the way apache and nginx are working when they receive traffic for a non existing host? Then contact the apacje or nginx devs.

    You have 3 options:

    a) Create an SSL default vhost which catches these requests.
    b) Use one IP for SSL sites and another one for non ssl sites.
    c) Enable SSL for all sites.

    Or even a third options, do not add a subdomain to DNS that shall not be reachable.
     
  5. labsy

    labsy Member

    Thank you both for explanation.
    Based on your input I figured out the following SOLUTION:
    1.) For 0000-default web site I edited .htaccess file and denied permission for All:
    HTML:
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    2.) In ISPConfig under Web Site for 0000-default.com I selected Auto Subdomain to "*" and then back to "www". I do not know what exactly it did, but it was before on "www" and returned "403" Denied page, but after the toggle back and forth to "www" again, now it returns "500 Server Error".
    Which is exactly what I wanted, so now my Outlook/Android autodiscover works perfectly! (because it skips Apache default https site and proceeds to proper Autodiscover record)
    Explanation:
    Outlook Autodiscover discovery order gives precedence to HTTP lookups before SRV DNS record. So if the https://autodiscover.domain.com URL exists, it will try to soak SSL certificate from this site and lookup for Autodiscover.xml there. But in my scenario it does not exist and mailbox creation wizard pops-up annoying SSL warning about wrong certificate, which is absolutelly not needed step. Wizard should skip this URL and look further, until it comes to DNS SRV record, where there is proper directive for Autodicover.

    3.) To prevent Apache to reveal details, I added this to /etc/apache2/conf.d/security:
    HTML:
    ServerTokens Prod
    ServerSignature Off
     
    Last edited: Mar 5, 2017
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Another simpler setup would be to put this in an apache2 conf-enabled file:
    Code:
    <If "%{HTTP_HOST} =~ /^autodiscover\./">
        Redirect 500 /
    </If>
    
    (Note: that is untested)
     

Share This Page