Apache Lounge



Apache reverse proxy default site


Joined: 14 Sep 2018
Posts: 1

PostPosted: Fri 14 Sep '18 20:45    Post subject: Apache reverse proxy default site

I've got an Apache reverse proxy running on Ubuntu Server 16.04 in combination with Let's Encrypt certbot. The proxy itself is configured with vhosts and pointing to some test servers which reside on my LAN. Outside DNS for the test servers is pointing to the proxy and the test servers are named something like this: sub1.domain.tld, sub2.domain.tld. The proxy itself doesn't have a domain.tld assigned, only an internal server name.

My reverse proxy is exposed to the internet on port 80 and 443 which is ok. When someone, like for example a hacker who just did a portscan, enters http://publicip of the proxy in a browser, the default 000-default site gets presented, which is expected and fine (I created an empty index.html). When the same hacker enters https://publicip of the proxy in a browser, Apache loads the certificate of the first correct vhost and presents that to the browser/end user (probably because it doesn't have a certificate itself). This obviously gives a certificate error to the end user since the certificate wasn't handed out for an IP but a domain. I have two problems with Apache presenting that certificate: 1. it's messy and 2. the hacker is able to see the server name of the first correct vhost by checking the presented certificate info (even when the vhost is walled off with a location IP directive).

My question is pretty simple: how can I prevent someone with malicious intent from accessing https://publicip ?
I tried disabling the default sites with a2dissite default-ssl.conf but this gives the following behaviour:
enabled: index.html of /var/www/index.html gets loaded which is good but unwanted certificate behaviour still occurs.
disabled: index.html of the first correct vhost gets loaded and unwanted certificate behaviour also occurs.
I tried doing

RewriteEngine On
RewriteCond %{HTTPS} on
# The [R,L] flags are required: without R, mod_rewrite treats a substitution
# whose hostname matches the current host as an internal rewrite, so no
# redirect to http:// is ever sent to the client. Note that the rule only
# runs after the TLS handshake, so the certificate has already been presented.
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
inside default-ssl.conf to redirect to http but that doesn't work either.

Note: I read somewhere that leaving 000-default.conf enabled is a good security practice and maybe I'm doing basic things wrong in general, I'm still trying to get familiar with reverse proxy.
James Blond

Joined: 19 Jan 2006
Posts: 6597
Location: Germany, Next to Hamburg

PostPosted: Tue 16 Oct '18 22:38    Post subject:

You can't prevent that. The SSL connection and the cert are done before the connection to the vhost. Accessing by the IP can only result in a wrong cert.
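The reply above is correct that the certificate is chosen during the TLS handshake, before any request reaches a vhost, so a browser opening https://publicip will always get a certificate that does not match. What can be controlled is which certificate that is: mod_ssl uses the first virtual host configured for the address and port when the client sends no SNI name (browsers send none for a bare IP literal) or an unknown one. The configuration below is an added example, not from the thread or from the Apache project; it puts a dedicated catch-all vhost with a self-signed placeholder certificate in front of the real sites, so that IP-based access no longer reveals the first real vhost's name. The certificate paths, the backend address 192.0.2.10 and the file name 000-default-ssl.conf are assumptions.

```apache
# Added example (not from the thread). Assumes a self-signed placeholder
# certificate generated beforehand, e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=default" \
#     -keyout /etc/ssl/private/default-ssl.key -out /etc/ssl/certs/default-ssl.crt
#
# Ordering matters: on Debian/Ubuntu, sites-enabled/*.conf is included in
# alphabetical order, so keep this file named 000-default-ssl.conf (assumed
# name) so it is the FIRST *:443 vhost Apache reads. The first vhost for an
# address:port is the one used for the TLS handshake when the client sends
# no SNI name or an unknown one.

Listen 443

# 1. Catch-all default: presents only the placeholder certificate and
#    serves nothing. Deliberately no ProxyPass, so the LAN test servers are
#    unreachable via the public IP.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default-ssl.crt
    SSLCertificateKeyFile /etc/ssl/private/default-ssl.key

    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>

    # Keep a separate log so IP-literal probes are easy to spot.
    ErrorLog  ${APACHE_LOG_DIR}/default-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/default-ssl-access.log combined
</VirtualHost>

# 2. Real site (sub2.domain.tld would be a further block like this one).
#    Selected by SNI only; presents its own Let's Encrypt certificate.
<VirtualHost *:443>
    ServerName sub1.domain.tld
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/sub1.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub1.domain.tld/privkey.pem

    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/
</VirtualHost>
```

To check the result from outside, run `openssl s_client -connect PUBLICIP:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` without a `-servername` option; the subject should be the placeholder CN=default, while adding `-servername sub1.domain.tld` should return the real certificate. The browser warning on https://publicip remains, as the answer says, but it now discloses only the placeholder name, and the request is answered with 403 rather than proxied to a test server.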
