
Unmapped subdomain redirects to first SSL configured domain

Discussion in 'Security' started by kitchin, Jan 27, 2019.

  1. kitchin

    kitchin Member

    Really two issues:

    1. Unmapped subdomain https redirects to first SSL config'd site, instead of cgi-sys/defaultwebpage.cgi.

    2. This traffic is not logged (or not where you would see it).

    We have `example.tld` set up in DNS the normal way with `*.example.tld` mapped to the IP of our WHM/cPanel. We are getting a lot of garbage probing traffic to random subdomains because while

    `http://garbage.example.tld` redirects to `.../cgi-sys/defaultwebpage.cgi` with the big Sorry! message,

    `https://garbage.example.tld` redirects to apparently the first configured SSL site anywhere in WHM/cPanel, like say `https://alpha.tld`. (In a browser, click through the SSL warning.) I think it's the first SSL, based on the interesting & informative cPanel support in this thread:
    Default page for removed SSL host

    So this thread is about the more general case, of any unmapped subdomain (or domain) pointing to the I.P., and its consequences.

    * Firstly, you will not see this traffic in the cPanel account's `access-logs`, because those are separated by the subdomains expected to have traffic. I found it by using an `index.php` to log traffic to a file. And I suppose it's also in the server root logs.

    * Your first config'd SSL site becomes a honeypot for all kinds of unexpected traffic: network probes, people looking for open IoT devices (webcams, refrigerators, etc.), people using the USER_AGENT string to try to mess up PHP's `$_SERVER` variable, and anything else they can think of, or click a bot to do.

    * The above-mentioned thread says this is how Apache works, due to SNI (shared IP for SSL). In my case, it's Litespeed, but that could certainly be it since LS is designed to be the same as Apache. I have only tested one server, and it just so happened that my first domain alphabetically is dormant, which is how I noticed this. Our server uses external DNS, but I guess that doesn't matter.

    Not sure what cPanel can do, but it's certainly something to look out for, if, say you get `error_log` entries that don't match anything in your `access-logs`. Unlogged traffic seems like a problem to me.
     
    #1 kitchin, Jan 27, 2019
    Last edited: Jan 27, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    This is actually the default behavior for Apache. If a domain does not include an SSL VirtualHost, then when attempting to access that domain over https, Apache will load the first https VirtualHost in the configuration file for that IP address. The way to avoid this would be to ensure that all sites have an SSL VirtualHost, which can be done with, at the very least (not recommended), a self-signed certificate if you don't want to supply a 90-day free certificate.
     
  3. BillBuilt

    BillBuilt Member

    I think the question is more directed to the notion that these domains (sub-domains) do not exist and never have existed. Is the only recourse to use wildcard certs for all domains?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    The behavior for Apache is the same in either case. Without an SSL VirtualHost for the domain, or in this case subdomain, it's always going to load the first SSL VirtualHost on that IP in the configuration. You don't necessarily have to use wildcard certs, unless you need unmapped subdomains for some reason.

    Though after reading the thread, your issue with it becomes more apparent. Unfortunately I don't think I have a solution for it based on the way that Apache functions in this instance. They assume a VirtualHost for every domain over SSL. You might find Apache's documentation on this interesting here: NameBasedSSLVHosts - Httpd Wiki
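
Added example, not part of any post in this thread and not cPanel's code: a small audit helper that models the name-based selection described above (first matching `ServerName`/`ServerAlias` on the address, otherwise the first VirtualHost listed for it) so you can see which site will answer HTTPS for a given hostname. The configuration text, IP address and `beta.tld` are constructed sample values, and only the first address of each `<VirtualHost>` line is considered.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample configuration (placeholder names and documentation IP).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName alpha.tld
    ServerAlias www.alpha.tld
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName example.tld
    ServerAlias www.example.tld
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName beta.tld
    ServerAlias *.beta.tld
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+)$", re.M | re.I)

def parse_vhosts(conf):
    """Return [(address, [names])] in file order; order decides the default."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        names = []
        for args in NAME_RE.findall(body):
            names += args.lower().split()
        vhosts.append((addr, names))
    return vhosts

def resolve(vhosts, addr, host):
    """Return (serving_site, matched). matched=False means the request fell
    through to the first VirtualHost on addr, i.e. the case in this thread."""
    candidates = [names for a, names in vhosts if a == addr]
    if not candidates:
        return None, False
    for names in candidates:
        # ServerAlias may contain * and ? wildcards; plain names match exactly.
        if any(fnmatchcase(host.lower(), n) for n in names):
            return names[0], True
    default = candidates[0]
    return (default[0] if default else "(unnamed)"), False

def audit(conf, addr, hosts):
    """Map each hostname to the site that would serve it on addr."""
    vhosts = parse_vhosts(conf)
    return {h: resolve(vhosts, addr, h) for h in hosts}
```

Hostnames that come back with `matched=False` are the ones whose HTTPS traffic lands on the first site and in that site's logs rather than their own.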
     