Apache has failings, oh yes.

Apache: Multiple vhosts, one SSL vhost, and you.

April 23rd, 2010

Ran into a problem with a customer who’s set up with Apache virtual hosts on both 80 and 443. The issue is, the only thing using SSL is a third-party application that has nothing to do with the customer’s site.

Apache, being Apache, does something really interesting with virtual host setups. If you access the server by a domain that isn’t explicitly mapped to a virtual host, it’ll default to the first virtual host it encountered in its configuration files. This is pretty neat, extremely useful, and annoying in this case: accessing the site via https is possible (since the domain is pointing to the system), but the request ends up somewhere it should not, at the third-party application, which is the only SSL vhost set up.

Could’ve set up another vhost for SSL for the main site(s); the problem with that is Apache’s handling of SSL (IP based) and the fact that it’d require yet another expense: a valid SSL certificate, as it’s hard to argue that going to https://mycoolsite.foo isn’t customer-facing, even if unintentional.

Solution is simple: a quick cluster of rewrite rules to push anything not matching the domain of the third-party, SSL-using application to non-https:

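RewriteEngine On
# Any Host other than the SSL application's (dots escaped so they match literally)
RewriteCond %{HTTP_HOST} !^crazyapplication\.mycoolsite\.foo$ [NC]
# Redirect to the same host and path over plain HTTP
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R,L]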

Naturally, replace crazyapplication.mycoolsite.foo with whatever.

So, what happens after the fact is this: Aside from the single domain we want covered by SSL, we’re simply redirecting https to http.

There are other ways to do this, of course, but tactical use of mod_rewrite generally avoids the backing-oneself-into-a-corner syndrome.
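
A stricter variant of the rules above, as an added example that is not from the original post: it tolerates an explicit :443 in the Host header, builds the redirect from an allow-listed name instead of the raw Host header, and refuses anything else that lands on the default SSL vhost. The certificate paths are placeholders and www.mycoolsite.foo is an assumed alias.

```apache
# Added example; paths are placeholders, www.mycoolsite.foo is an assumed alias.
<VirtualHost *:443>
    ServerName crazyapplication.mycoolsite.foo
    SSLEngine on
    SSLCertificateFile    /path/to/crazyapplication.crt
    SSLCertificateKeyFile /path/to/crazyapplication.key

    RewriteEngine On

    # 1. The SSL application itself: leave the request untouched.
    #    Dots are escaped; a Host header carrying ":443" still matches.
    RewriteCond %{HTTP_HOST} ^crazyapplication\.mycoolsite\.foo(:443)?$ [NC]
    RewriteRule ^ - [L]

    # 2. Known site names: redirect to plain HTTP. The captured name (%1)
    #    replaces the raw Host header, so a port suffix is dropped and only
    #    allow-listed names ever appear in the Location header.
    RewriteCond %{HTTP_HOST} ^((?:www\.)?mycoolsite\.foo)(:443)?$ [NC]
    RewriteRule ^ http://%1%{REQUEST_URI} [R=302,L]

    # 3. Any other Host that falls through to this default vhost: 403.
    RewriteRule ^ - [F]
</VirtualHost>
```

The redirect is sent only after the TLS handshake completes, so a browser visiting https://mycoolsite.foo is still presented with the application's certificate before it is redirected.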
