Personally, I am looking for an option where I do not have to keep "old" vhosts around.
Also, I would like to avoid that someone points "beastlovers.net" to my IP address and people get the greenbytes.de homepage when following some spam/phishing mails (this is a theoretical threat model, rest assured).

-Stefan

> On 24.05.2018 at 13:50, Barry Pollard <barry_poll...@hotmail.com> wrote:
>
>> On 24 May 2018, at 12:44, Eric Covener <cove...@gmail.com> wrote:
>>
>> On Thu, May 24, 2018 at 7:34 AM, Stefan Eissing
>> <stefan.eiss...@greenbytes.de> wrote:
>>>
>>>> On 24.05.2018 at 13:28, Eric Covener <cove...@gmail.com> wrote:
>>>>
>>>> On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing
>>>> <stefan.eiss...@greenbytes.de> wrote:
>>>>> Do we have a configuration option to allow https://hostname/ only to
>>>>> matching vhosts without any default fallback?
>>>>>
>>>>> Scenario:
>>>>> - a site with vhost A and B
>>>>> - vhost B is taken out, DNS still points there (for a while)
>>>>> - browsers opening https://B/ will get the certificate of A and complain
>>>>>
>>>>> I do not want to present a "wrong" certificate, I want the SSL connection
>>>>> to fail. Does that make sense?
>>>>
>>>> I don't think it exists for SSL or non-SSL today -- you have to
>>>> capture them in the first-listed VH for an address/port combo.
>>>
>>> Which, in case of SSL, needs to present a certificate that does not match
>>> and browsers issue their "not trustworthy" warnings. Where, in reality (ha,
>>> reality on the internet!) the site does not exist and it is impossible to
>>> make a secure connection to it.
>>>
>>> So, we are lacking an option here to abort SSL connections without a vhost
>>> match, it seems. Something like
>>>
>>> SSLStrictSNIVHostCheck require-match
>>
>> a more user oriented option:
>>
>> SSLUseDefaultCertificate OFF|ON
>> Default: ON
>> When the server cannot find a matching virtual host for an SSL
>> request, it will use the certificate configured in the default
>> virtual host for an address:port combination. Setting this directive
>> to OFF will instead { abort the connection, send an alert, halt and
>> catch fire}.
>
> Sorry for butting in but I’d personally prefer an option like this:
>
> AllowConnections off
>
> Or
>
> DropConnection on
>
> Think that is more flexible as that way you could disable some specific hosts
> and leave the default there. Or you could have the default as off. This would
> also allow you to do the same for HTTP sites.
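
The workaround mentioned in the quoted thread (capturing unmatched names in the first-listed vhost for an address/port combination), sketched as an added example that is not part of the original messages and not the project's own configuration. Hostnames and file paths are constructed placeholders; the sketch also shows the limitation the thread is about, since the TLS handshake still completes with a non-matching certificate.

```apache
# Added example; hostnames and file paths are constructed placeholders.
# The first-listed vhost for an address:port is the default: it receives every
# request whose SNI/Host name matches no other vhost on that address:port.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    # Placeholder certificate: a client asking for an unknown name still gets
    # this certificate and a name-mismatch warning; the handshake is not aborted.
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem
    # Serve no site content for unmatched names, so a foreign DNS name pointed
    # at this IP address never shows a real site's pages.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Real sites follow; each is selected only on a ServerName/ServerAlias match.
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
    SSLCertificateFile    /path/to/a.example-cert.pem
    SSLCertificateKeyFile /path/to/a.example-key.pem
    DocumentRoot "/path/to/a.example/htdocs"
</VirtualHost>
```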