SNI virtual hosting should be enabled by default in modern Apache versions. You may optionally deny access to any browser that does not support SNI, so that instead of being served the default (first) virtual host, it receives a 403 error.
| Description: | Whether to allow non-SNI clients to access a name-based virtual host. |
|---|---|
| Syntax: | `SSLStrictSNIVHostCheck on\|off` |
| Default: | `SSLStrictSNIVHostCheck off` |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_ssl |
| Compatibility: | Available in Apache 2.2.12 and later |
This directive sets whether a non-SNI client is allowed to access a name-based virtual host. If set to `on` in the default name-based virtual host, clients that are SNI-unaware will not be allowed to access any virtual host belonging to this particular IP / port combination. If set to `on` in any other virtual host, SNI-unaware clients are not allowed to access this particular virtual host.
This option is only available if httpd was compiled against an SNI-capable version of OpenSSL.
```apache
# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    # Because this virtual host is defined first, it will
    # be used as the default if the hostname is not received
    # in the SSL handshake, e.g. if the browser doesn't support
    # SNI.
    DocumentRoot /www/example1
    ServerName www.example.com
    # Other directives here
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /www/example2
    ServerName www.example2.org
    # Other directives here
</VirtualHost>
```
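The rules above (a strict default vhost blocks non-SNI clients for every vhost on that IP/port, a strict non-default vhost blocks only itself) can be checked offline against a config file. The following Python audit is an added example, not part of the Apache documentation or the original page; the function names and the sample config are constructed, and it assumes one address per `<VirtualHost>` and that a vhost without its own setting inherits the server-level one.

```python
import re

# Constructed sample (not from the page): strict check on the second vhost only.
SAMPLE_CONF = """\
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example2.org
    SSLStrictSNIVHostCheck on
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return (server-level setting or None, vhost dicts in file order)."""
    server_strict, vhosts, cur = None, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1).strip(), "name": None, "strict": None}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            val = parts[1].strip() if len(parts) > 1 else ""
            if key == "sslstrictsnivhostcheck":
                if cur is None:
                    server_strict = val.lower() == "on"
                else:
                    cur["strict"] = val.lower() == "on"
            elif key == "servername" and cur is not None:
                cur["name"] = val
    return server_strict, vhosts

def non_sni_access(conf):
    """Map (addr, ServerName) -> True if a non-SNI client may reach that vhost."""
    server_strict, vhosts = parse_vhosts(conf)
    default_strict, allowed = {}, {}
    for vh in vhosts:
        # Assumption: a vhost without its own setting inherits the server-level one.
        strict = vh["strict"] if vh["strict"] is not None else bool(server_strict)
        default_strict.setdefault(vh["addr"], strict)  # first vhost on addr is the default
        allowed[(vh["addr"], vh["name"])] = not (strict or default_strict[vh["addr"]])
    return allowed
```

Any entry that maps to `True` is a virtual host a non-SNI client can still reach after handshaking against the default virtual host's certificate.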