Weird SSL Redirect Bug?!

Discussion in 'Installation/Configuration' started by lordimac, Apr 22, 2014.

  1. lordimac

    lordimac New Member

    Hi, I have some Sites with SSL enabled and some with SSL disabled.

    If I try to open a website with https where SSL is disabled, it redirects to another customer's website where SSL is enabled. If I disable SSL for the redirected website, it just redirects to another SSL-enabled website from yet another customer.


    Customer 1 with domainx.tld has SSL disabled
    Customer 2 with ssldomainy.tld has SSL enabled
    Customer 3 with ssldomainz.tld has SSL enabled

    If I open now https://domains.tld it redirects me to https://ssldomainy.tld.
    If I disable SSL for ssldomainy.tld and try to open https://domains.tld again it redirects me now to https://ssldomainz.tld.

    This happens for every Customer Website where SSL is disabled!

    Don't know what's wrong here. I checked the customers' Apache config files and there is no "<VirtualHost *:443>" statement when SSL is disabled. Shouldn't Apache stop here and not answer for a website where SSL is disabled, without the SSL VirtualHost?

    Which Module/Config could cause this? Any Ideas?

    Running Debian Wheezy and ISPConfig
    Using StartSSL Certificates (SNI)
    All Websites are running with PHP-FPM
    Apache/2.2.22 (Debian)
    Installed with this Howto:

    edit: Curl Verbose Request to https://www.domainx.tld:

    curl --insecure --verbose --head --location https://www.domainx.tld
    * Adding handle: conn: 0x7f83aa00d400
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x7f83aa00d400) send_pipe: 1, recv_pipe: 0
    * About to connect() to www.domainx.tld port 443 (#0)
    *   Trying
    * Connected to www.domainx.tld ( port 443 (#0)
    * TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
    * Server certificate: www. ssldomainy.tld (jp54mYE06f8K8h8D)
    * Server certificate: StartCom Class 1 Primary Intermediate Server CA
    * Server certificate: StartCom Certification Authority
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.30.0
    > Host: www.domainx.tld
    > Accept: */*
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Tue, 22 Apr 2014 00:55:59 GMT
    Date: Tue, 22 Apr 2014 00:55:59 GMT
    * Server Apache/2.2.22 (Debian) is not blacklisted
    < Server: Apache/2.2.22 (Debian)
    Server: Apache/2.2.22 (Debian)
    < X-Powered-By: PHP/5.4.4-14+deb7u8
    X-Powered-By: PHP/5.4.4-14+deb7u8
    < X-Pingback: https://ssldomainy.tld/xmlrpc.php
    X-Pingback: https://ssldomainy.tld/xmlrpc.php
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Content-Language: de
    Content-Language: de
    * Connection #0 to host www.domainx.tld left intact
    edit2: SNI is enabled in ISPConfig
    The Apache log gives the following: "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)", so Apache also supports SNI. My browser as well.

    edit3: Tested it on my old server and guess what... it was nearly the same there, but I never recognized it. On my old server it got redirected to the Froxlor vHost. So I guess this is normal. Is there any way to tell Apache that it should redirect to the ISPConfig SSL vhost instead of another website from another customer?
    Last edited: Apr 22, 2014
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    What you describe is normal for Apache and not a bug. There are several ways to circumvent this problem:

    a) Use one IP for all SSL sites and another one for non-SSL sites.
    b) In case no SSL vhost exists where IP and domain match, Apache will show you the first website that uses SSL on that IP. You can use that behaviour to create a default vhost: just give this SSL website a domain name that is always the first in the alphabet (the domain does not have to exist), like "000domain.tld".
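
Added example, not part of the thread and not ISPConfig code: a small Python model of the fallback described in both posts, used to audit which hostnames would be answered over HTTPS by another customer's vhost. It assumes all sites share one IP and that vhosts load in alphabetical domain order; the `Site` class, the function names and the `provider` owner are hypothetical, and the sample data is constructed from the thread's placeholder domains.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Site:
    domain: str           # ServerName
    customer: str         # owner of the site
    ssl: bool             # True -> a <VirtualHost *:443> block exists
    aliases: tuple = ()   # ServerAlias entries, wildcards allowed


def https_vhost_for(sites, host):
    """Return the site whose *:443 vhost answers a request for `host`, or None."""
    # Assumption: one shared IP, vhosts loaded in alphabetical domain order.
    ssl_sites = sorted((s for s in sites if s.ssl), key=lambda s: s.domain)
    host = host.lower().rstrip(".")
    for s in ssl_sites:
        if any(fnmatch(host, n.lower()) for n in (s.domain, *s.aliases)):
            return s
    # No ServerName/ServerAlias matched: the first SSL vhost on the address wins.
    return ssl_sites[0] if ssl_sites else None


def cross_customer_fallthrough(sites, trusted=("provider",)):
    """List (hostname, answering domain) pairs where HTTPS lands on a foreign site."""
    findings = []
    for site in sites:
        for name in (site.domain, *site.aliases):
            if "*" in name:
                continue  # a wildcard alias is a pattern, not a hostname to request
            served = https_vhost_for(sites, name)
            if served and served.customer not in (site.customer, *trusted):
                findings.append((name, served.domain))
    return findings


# Constructed sample mirroring the three customers in the first post.
SITES = [
    Site("domainx.tld", "customer1", ssl=False, aliases=("www.domainx.tld",)),
    Site("ssldomainy.tld", "customer2", ssl=True, aliases=("www.ssldomainy.tld",)),
    Site("ssldomainz.tld", "customer3", ssl=True, aliases=("www.ssldomainz.tld",)),
]
# Option b) from the reply: a provider-owned SSL site whose name sorts first.
DEFAULT = Site("000domain.tld", "provider", ssl=True)

if __name__ == "__main__":
    print("before default vhost:", cross_customer_fallthrough(SITES))
    print("after default vhost: ", cross_customer_fallthrough(SITES + [DEFAULT]))
```

An empty list from `cross_customer_fallthrough` means every HTTPS request for a non-SSL hostname ends at the provider's default vhost rather than at another customer's site.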
