I have an Apache2 reverse proxy which is proxying many services, including Zabbix and Nextcloud, and applying a wildcard SSL certificate to said services. These are individual virtual hosts, though they all use the same CA-verified wildcard SSL cert. This is, in principle, working perfectly. The Zabbix server and Nextcloud servers are their own VMs, and if I load up "https://zabbix.domain.tld" OR "https://nextcloud.domain.tld" in Firefox, everything is wonderful and I have no errors in the server logs.
However, if I load up Firefox and open 2 tabs, one with "https://nextcloud.domain.tld" and one with "https://zabbix.domain.tld", my Apache logs start showing the following errors:
[Tue Jul 18 14:15:31.891105 2023] [ssl:error] [pid 357025:tid 140406695503424] [client 10.#.#.#:59958] AH02032: Hostname nextcloud.domain.tld provided via SNI and hostname zabbix.domain.tld provided via HTTP have no compatible SSL setup
[Tue Jul 18 14:15:38.849413 2023] [ssl:error] [pid 357022:tid 140406779430464] [client 10.#.#.#:59962] AH02032: Hostname zabbix.domain.tld provided via SNI and hostname nextcloud.domain.tld provided via HTTP have no compatible SSL setup
In general, everything is working, but these are 2 sites I often leave up, so my logs are getting spammed. Is this something I should worry about? I have not been able to find any counter-indications with my Apache config. I have been worried that somehow the hostname of the reverse proxy is bleeding through, but nothing I have been able to debug with online TLS checkers or various curl commands shows anything.
Below is the Zabbix config, which is ultimately the same thing as the Nextcloud one:
<VirtualHost *:443>
ServerName zabbix.domain.tld
ServerAlias zabbix.domain.tld
ServerAlias *.zabbix.domain.tld
RequestHeader set X-SCHEME https
ProxyPass / https://10.2.2.202/
ProxyPassReverse / https://10.2.2.202/
# RewriteEngine on
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
SSLOptions +StdEnvVars
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.zabbix.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.zabbix.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/wildcard.domain.tld.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.tld.key
SSLCACertificateFile /etc/ssl/certs/RapidSSL.Intermediate.crt
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLInsecureRenegotiation off
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
SSLProxyEngine On
ProxyRequests On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
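One way to triage the AH02032 entries quoted in the post, as an added example that is not part of the original post: it parses the SNI/HTTP hostname pair from each line and separates mismatches between vhosts this proxy serves from mismatches that name a host it does not serve. The `KNOWN_VHOSTS` list, the function names and the third sample log line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message format of the AH02032 lines shown in the post's error log.
AH02032 = re.compile(
    r"\[client (?P<client>[^\]]+?):\d+\] AH02032: Hostname (?P<sni>\S+) "
    r"provided via SNI and hostname (?P<host>\S+) provided via HTTP"
)

# Assumption: the ServerName values configured on this reverse proxy.
KNOWN_VHOSTS = ["zabbix.domain.tld", "nextcloud.domain.tld"]

# First two lines are from the post; the third is constructed for the example.
SAMPLE_LOG = [
    "[Tue Jul 18 14:15:31.891105 2023] [ssl:error] [pid 357025:tid 140406695503424] [client 10.#.#.#:59958] AH02032: Hostname nextcloud.domain.tld provided via SNI and hostname zabbix.domain.tld provided via HTTP have no compatible SSL setup",
    "[Tue Jul 18 14:15:38.849413 2023] [ssl:error] [pid 357022:tid 140406779430464] [client 10.#.#.#:59962] AH02032: Hostname zabbix.domain.tld provided via SNI and hostname nextcloud.domain.tld provided via HTTP have no compatible SSL setup",
    "[Tue Jul 18 14:20:02.000001 2023] [ssl:error] [pid 357022:tid 140406779430464] [client 203.0.113.7:40000] AH02032: Hostname zabbix.domain.tld provided via SNI and hostname unexpected.example.net provided via HTTP have no compatible SSL setup",
]


def parse_mismatches(lines):
    """Yield (client, sni_host, http_host) for every AH02032 line."""
    for line in lines:
        m = AH02032.search(line)
        if m:
            yield m["client"], m["sni"].lower(), m["host"].lower()


def triage(lines, known_vhosts):
    """Count mismatches, split by whether both names are vhosts we serve."""
    known = {h.lower() for h in known_vhosts}
    internal, foreign = Counter(), Counter()
    for client, sni, host in parse_mismatches(lines):
        # Both names ours: cross-vhost mismatch. Otherwise a name we do not serve.
        bucket = internal if {sni, host} <= known else foreign
        bucket[(client, sni, host)] += 1
    return internal, foreign


if __name__ == "__main__":
    internal, foreign = triage(SAMPLE_LOG, KNOWN_VHOSTS)
    for label, bucket in (("between own vhosts", internal), ("unknown hostname", foreign)):
        for (client, sni, host), n in bucket.most_common():
            print(f"{label}: client={client} sni={sni} http_host={host} count={n}")
```

Entries in the second bucket are the ones worth reviewing first, since the Host header names something the proxy is not configured to serve.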