Apache SSL and Share Servers problem with nonssl sites

Last October, I ran into a pretty big set of problems with all of my web sites and this necessitated a complete re-think of my site layout and methods of publishing content.

During this process my entire site was moved to a new IP address and my existing SSL site here on Afterburner1 made the journey with no troubles… Or so I thought.

I am pretty careful about analyzing my logs and I noticed a sharp uptick in traffic and after a few weeks, I realized that there was a problem. I couldn’t figure out what was causing all these visits to my site and they were all very short visits.

I suspected spammers and tried a few things to no avail. And then, quite by accident, I discovered that my site content was showing up on all sorts of web sites, coincidentally ALL with the same IP address my site  has when doing an nslookup on them.

As you can see below, my content was showing up on sites that had nothing to  do with mine. I coined the term “ghost content” since the page were NOT being hosted with this content. It was only showing up on Google.

What I discovered was that my provider had the issue (and it seems to be a common theme with many other hosting providers as well). It seems that the shared servers like the one I reside on, host more than one client, all off a single I.P. address. And while this is quite normal, what was NOT normal was that I had an SSL certificate that was the first one on the list of sites for that particular server.

My provider decided to tell me after some days of prodding as to what the cause was. It seems that if an web site does NOT use SSL certificates on a shared server, then anytime someone or something like a search engine visits that site with https://somesitename.com then they get directed to the alphabetically first VALID SSL site on the shared server. In this case, it was MY site – This site you are on.

And the fun wasn’t over. My provider informed me this morning that the ONLY way to fix this was to have me shell out $24 to go to a separate IP address on my OWN server. I was more than angry at this exchange because it meant that I would leave the server to solve MY problem and it would be dumped on someone else and the cycle would continue.

I grumbled about it and then decided to tell them to go fly a kite. And I decided to think through the problem. After running some tests, it occurred to me that when visiting one of these site on the same server as me and then using https to get to their URL, that I was able to see their hostname when it got dumped into my site root.

So, I went and made a new domain at 1anossl.net and created a landing page with information about the problem. But I needed to do something in .htaccess and decided to fail ALL https requests to my site that did NOT use my domain.

I created the following rule to be placed in my site .htaccess file:

# Send all hosts that do NOT match my address to the purgatory where they belong
# This is done because my SSL cert is the first one on the shared server. So,
# These people will be sent to the 1anossl.net page.
RewriteCond %{HTTP_HOST} !^(www\.)?afterburner1\.com [NC]
# Return a failed request and tell the source that the content is gone "G"
RewriteRule .* - [F,G]

So, after some work to make it all work as intended, I released the code and voila! Any http host on my shared server whose site is visited with https is rewarded with a failure to connect to the page via error code 410 as a result of the RewriteRule I installed.

Note: As of March 2018, I realized I needed to add some additional code. Visit this page to see the new additions.

To learn more, visit 1anossl.net  and if you happen to be on a shared server and are seeing the same issues I was having, you now know what to do! Contact me if you have any questions!

— Jon