I installed Virtualmin a few days ago so I can host a few websites of some friends of mine. My virtual host list looks like this:
If I request a subdomain that does not exist (e.g. foo.domain-c.tld) then I see the contents of a.domain-a.tld. I would like to get the same response (or actually no response) for non existing subdomains as here: http://non-existing.virtualmin.com/ - how can I achieve that?
If I request a domain (or subdomain) with https (e.g. https://domain-a.tld) although I haven't setup SSL for this domain then I see the contents of the first domain that actually has a SSL Certificate (which is domain-b.tld in my case). Should I create Lets-Encrypt-Certs for every vhost or is there another way to prevent this behaviour from happening? Maybe a 301 Redirect to http if https isn't available for the requested vhost?
With the way Apache works, if the DNS for a domain or sub-domain resolves to it, but it hasn't been configured with a website for that particular domain, it will show the default domain for that IP address.
My suggestion would be to choose a domain you want as the default, or maybe setup a generic site for that default, which will be seen anytime Apache receives a request for a domain it doesn't yet host.
To set a domain as the default, go into Server Configuration -> Website Options, and there, you can set it to be the default for the IP address.
Thanks for your fast reply eric! I did what you've described and it's working so far. The only problem is that the server is responding with status code 200. How can I make this default host return an error page with 404 status code?
I also checked the DNS Settings of one of the domains and found a record with a wildcard hostname:
*.domain-c.tld IN A xx.xxx.xx.xx. I'm wondering what the preferred solution to my problem is: removing wildcard records or setting up a catchall vhost like you described it?
There isn't a way to show a 404 error in those cases... if the domain resolves to an IP address that points to your server, then your server is going to respond, possibly with the default website in Apache.
It sounds like disabling that wildcard option (Website matches all Sub-Domains) may be what you're after.