I have a problem with my Apache configuration. I use only one Apache instance to serve several web sites and PHP applications.
One PHP application has an SSL certificate installed. I used this code in my virtual host to redirect all HTTP requests to HTTPS:
<VirtualHost *:80>
    ServerName app.domain1.com
    Redirect permanent / https://app.domain1.com/
</VirtualHost>

SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName app.domain1.com
    DocumentRoot [...]
    <Directory [...]>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>

    # ssl certificate
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile [path to .crt file]
    SSLCertificateKeyFile [path to .key file]
    SSLCACertificateFile [path to .crt file]

    # x-frame-option
    Header always append X-Frame-Options SAMEORIGIN

    # sts
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
This configuration works: if I go to app.domain1.com, Apache redirects the request to https://app.domain1.com and the certificate works correctly.
I have other virtual host configurations for other web sites on the same Apache server without SSL (for example www.domain2.com). If I go to https://www.domain2.com I receive a security message because the certificate (!!!) isn’t related to domain2.com but is related to domain1.com.
How can I reject all HTTPS requests for a non-HTTPS domain?
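One common way to handle the behaviour described above, as an added example that is not part of the original post: Apache uses the first `*:443` virtual host as the default for any name that matches no `ServerName`, so a catch-all declared before `app.domain1.com` can refuse those requests instead of serving the application. The name `catchall.invalid` and the certificate paths are placeholders assumed for illustration.

```apache
# Added example; names and paths are placeholders, not from the original post.
# This block must be the FIRST *:443 virtual host Apache reads, so that it
# becomes the default for every hostname that has no HTTPS vhost of its own
# (for example www.domain2.com).
<VirtualHost *:443>
    ServerName catchall.invalid

    SSLEngine on
    # A throwaway self-signed certificate is enough here: it only keeps
    # app.domain1.com's certificate and content from being the fallback.
    SSLCertificateFile    /path/to/placeholder-selfsigned.crt
    SSLCertificateKeyFile /path/to/placeholder-selfsigned.key

    # Answer 403 Forbidden to every request that lands on this vhost
    # (mod_alias; for a non-3xx status the target URL is omitted).
    Redirect 403 /
</VirtualHost>

# The existing app.domain1.com *:443 vhost follows unchanged, after this one.
```

A browser still shows a certificate warning for https://www.domain2.com, because the TLS handshake completes before Apache sees the request and no certificate for that name exists; what changes is that the request gets a 403 rather than the domain1 application.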