Non SSL websites redirect to SSL site if https is used in address bar.

Not sure if this is by design, my poor setup or both, but if I inadvertently type in https in the address bar before a non secure domain on the server, I end up with a certificate error (understandable as the certificate is configured for another site - see screenshot https_issue.jpg). But I wouldn't have thought that this shouldn't even happen, selecting rexnrossbarber.com.au (an unsecured site) should take me to it (and it does). Trouble is if I type in https://www.rexnrossbarber.com.au it tries to connect with the secured site of https://accessories4.me. I'm also attaching a screenshot of the redirect setup for accessories4.me and rexnrossbarber.com.au (incidentally it happens to all sites on the server as well).

Any ideas?

Regards Roger

Status: Closed (fixed)

Comments

This is kind of inevitable due to the way SSL and webservers work - if you enter an https URL for a domain that doesn't have SSL enabled, you will get the website of the first webserver on that IP.

Howdy -- thanks for contacting us!

You're not the only one to ask about that, but that's unfortunately how Apache handles domains that don't have SSL certificates.

If you try to access an HTTPS:// URL, and that domain hasn't been set up with an SSL certificate, Apache will provide you with the default SSL domain for the server.

Your options there are that you could set up an SSL certificate for each domain (which can be free with Let's Encrypt), you could move all the domains with no SSL to one particular IP address. Or you could just run with things the way they are, perhaps adding in a different default domain of some sort.

Sorry I wish there were a better answer we could offer, but it's not possible to redirect to a different domain when SSL is in use, due to how SSL works.

Thanks for the quick response. So perhaps I could just add a redirect to take the domain back to the non SSL version if they inadvertently type in https. Would this work do you think?

Regards Roger

The best thing you can do is enable the SSL feature for the domain, and then request an SSL cert for it from Let's Encrypt.

Yep just did that and it works. Many thanks.

Similar issue, but impractical to set all the non SSL sites up as SSL right now and seeing a growing number of SNI 'hits' in the wrong domain.

So just created a dummy sub domain a1.mydomain.com so it is first and added an index.php

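<?php
   // Send the visitor to the plain-HTTP site for the host name that was requested.
   // The array key must be a quoted string; a bare SERVER_NAME is an undefined constant.
   header('Location: http://' . $_SERVER['SERVER_NAME']);
   exit;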

Anyone who hits that domain gets sent to the home page of the non https site

I guess there are several ways e.g. htaccess or in the apache config to achieve the same result, but this was quick and easy for me :)

You can't imagine the situation, but where one site is a wordpress multi site with domain mapping so there is no SSL on the server for those domains makes it difficult unless you manually add aliases to Virtualmin, which is impractical.
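
An audit for the situation discussed in this thread, as an added example that is not part of any post: it reads `apachectl -S` output and lists every HTTP-only host name that the default SSL virtual host on the same address would answer over HTTPS. The function names, sample output, host names, address and file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use: apachectl -S | https_fallthrough
# Prints "<name> -> <default SSL vhost>" for each port-80 name with no port-443 vhost.
https_fallthrough() {
  awk '
    /^[^ \t]/ && $1 ~ /:[0-9]+$/ {       # address block header, e.g. "192.0.2.10:443"
      addr = $1; port = $1
      sub(/:[0-9]+$/, "", addr); sub(/^.*:/, "", port)
      if ($2 != "is") {                  # single-vhost form: "addr:port name (file:line)"
        seen[addr, port, $2] = 1
        if (port == 443) dflt[addr] = $2
        if (port == 80)  http[addr, $2] = 1
      }
      next
    }
    $1 == "default" && $2 == "server" { if (port == 443) dflt[addr] = $3; next }
    $1 == "port" && $3 == "namevhost" {
      vport = $2; seen[addr, vport, $4] = 1
      if (vport == 80) http[addr, $4] = 1
      next
    }
    $1 == "alias" { seen[addr, vport, $2] = 1; if (vport == 80) http[addr, $2] = 1; next }
    END {
      for (k in http) {
        split(k, p, SUBSEP)
        # No 443 vhost for this name, so Apache serves the default SSL vhost instead.
        if (!((p[1], 443, p[2]) in seen) && (p[1] in dflt))
          print p[2] " -> " dflt[p[1]]
      }
    }
  ' | sort
}

# Constructed sample of `apachectl -S` output (not taken from the thread).
sample_apachectl_S() {
  cat <<'EOF'
VirtualHost configuration:
192.0.2.10:443         is a NameVirtualHost
         default server shop.example (/etc/apache2/sites-enabled/shop.example.conf:40)
         port 443 namevhost shop.example (/etc/apache2/sites-enabled/shop.example.conf:40)
                 alias www.shop.example
192.0.2.10:80          is a NameVirtualHost
         default server shop.example (/etc/apache2/sites-enabled/shop.example.conf:1)
         port 80 namevhost shop.example (/etc/apache2/sites-enabled/shop.example.conf:1)
                 alias www.shop.example
         port 80 namevhost barber.example (/etc/apache2/sites-enabled/barber.example.conf:1)
                 alias www.barber.example
EOF
}

sample_apachectl_S | https_fallthrough
```

Each name it prints is one where a browser sent to `https://` receives the default site's certificate, and any redirect configured on that default site only runs after the visitor has accepted the certificate mismatch.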