How to Configure Apache Virtual Hosts

What changed in Apache 2.4

The old NameVirtualHost directive is gone. Any IP/port pair you Listen on can host name-based virtual hosts; Apache selects a <VirtualHost> using the request’s IP/port tuple and the HTTP Host header (or TLS SNI during handshake for HTTPS). Misunderstanding default-vhost ordering is still one of the most common causes of “wrong site” bugs after migrations.

How Apache picks a vhost

Find all <VirtualHost addr:port> blocks matching the local socket endpoint (for example *:443 or 203.0.113.5:443).
If the request is TLS, use SNI server name to choose among TLS vhosts on that endpoint.
For HTTP/1.1, compare Host against each candidate’s ServerName and ServerAlias (wildcard patterns allowed).
If no name matches, Apache uses the first listed vhost for that IP/port as the default—make that behavior intentional (catch-all, maintenance page, or 444-style close).

Minimal TLS and plain-HTTP pair

<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com
  Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  DocumentRoot /var/www/example/html
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Certificate SANs must cover every name in ServerAlias served on that socket. Details: Apache SSL configuration.

ServerName, ServerAlias, and useCanonicalName

ServerName sets the canonical hostname for redirects the server generates itself (for example mod_dir trailing-slash redirects). ServerAlias accepts space-separated names, IP literals on rare layouts, and *.example.com-style wildcards where supported. UseCanonicalName On makes self-referential URLs prefer ServerName—useful behind stable public names; mis-set values behind split-horizon DNS can generate links clients cannot resolve.

Directive	Role
`ServerName`	Primary vhost identity; should match public DNS and TLS CN/SAN
`ServerAlias`	Alternate Host headers accepted in this block
`ServerAdmin`	Email or URL in auto-generated error pages—avoid personal inboxes in production

IP-based vs name-based vhosts

Name-based vhosts share an address; differentiation depends on Host/SNI. IP-based layouts bind different addresses per site (<VirtualHost 203.0.113.10:443>)—still need valid certs unless clients use legacy non-SNI TLS (rare). Mixed wildcard and specific vhosts require careful ordering; when in doubt, test with curl -v --resolve and OpenSSL s_client -servername.

IPv6 and dual stack

Typical dual-stack listens:

Listen 80
Listen [::]:80
Listen 443
Listen [::]:443

Match <VirtualHost *:443> with distro guidance—some sites use explicit <VirtualHost [::]:443> blocks when separating v6-only policy. Link-local clients need zone indices in URLs outside Apache, but vhost matching still keys on global addresses on the wire.

Protocol and HTTP/2

Declare ALPN protocols inside the TLS vhost:

Protocols h2 http/1.1

Compatibility with MPM and module set is distribution-specific—validate after upgrades. Background: Apache configuration fundamentals and performance tuning.

Enterprise layout

One file per site under sites-available/, enabled via symlink, owned by root and deployed through CI. Pair vhost changes with apachectl configtest and a graceful reload. Document which vhost is default per socket for on-call. SELinux: label DocumentRoot trees with httpd_sys_content_t; separate writable upload trees with a more restrictive type where policy allows.

False positives

Clients without SNI (very old libraries) may always see the default TLS vhost—if logs show mysterious cert name mismatches, capture TLS ClientHello features before blaming application code.

For a given IP/port, if no ServerName/ServerAlias matches the Host header (HTTP) or SNI name (HTTPS), Apache serves the first VirtualHost in the merged configuration for that bind specification. Order depends on file include order—treat the default vhost as a deliberate choice.

Every hostname the client may send in Host or SNI must appear in the certificate’s SAN (or match a covered wildcard). Browser warnings appear before HTTP-layer redirects can fix mismatched names.

Use curl --resolve www.example.com:443:127.0.0.1 https://www.example.com/ to pin name to an IP for that invocation, or add temporary /etc/hosts on a jump host. For TLS, openssl s_client -connect IP:443 -servername www.example.com shows the served chain.

On many distributions, *:443 listens on both address families when separate Listen [::]:443 exists. Verify with apachectl -S (shows vhost map) and ss -tulpn. Use explicit [::]:443 blocks only when your layout requires different policies per family.

Use consistent canonical names across :80 (redirect) and :443 (content) so generated redirects and cookies align; pick one HTTPS hostname and redirect all aliases to it.

Different DocumentRoot paths may lack httpd_sys_content_t or httpd_sys_rw_content_t where uploads are expected—POSIX chmod alone will not fix AVC denials.

A parsed summary of all VirtualHost definitions, default vhosts per port, wildcard status, and name collisions—run after edits before reload.

_default_ is a legacy catch-all pattern; modern 2.4 deployments usually rely on explicit ordering instead—document behavior if you inherit older configs.

What changed in Apache 2.4

How Apache picks a vhost

Find all <VirtualHost addr:port> blocks matching the local socket endpoint (for example *:443 or 203.0.113.5:443).
If the request is TLS, use SNI server name to choose among TLS vhosts on that endpoint.
For HTTP/1.1, compare Host against each candidate’s ServerName and ServerAlias (wildcard patterns allowed).
If no name matches, Apache uses the first listed vhost for that IP/port as the default—make that behavior intentional (catch-all, maintenance page, or 444-style close).

Minimal TLS and plain-HTTP pair

<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com
  Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  DocumentRoot /var/www/example/html
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Certificate SANs must cover every name in ServerAlias served on that socket. Details: Apache SSL configuration.

ServerName, ServerAlias, and useCanonicalName

Directive	Role
`ServerName`	Primary vhost identity; should match public DNS and TLS CN/SAN
`ServerAlias`	Alternate Host headers accepted in this block
`ServerAdmin`	Email or URL in auto-generated error pages—avoid personal inboxes in production

IP-based vs name-based vhosts

IPv6 and dual stack

Typical dual-stack listens:

Listen 80
Listen [::]:80
Listen 443
Listen [::]:443

Protocol and HTTP/2

Declare ALPN protocols inside the TLS vhost:

Protocols h2 http/1.1

Compatibility with MPM and module set is distribution-specific—validate after upgrades. Background: Apache configuration fundamentals and performance tuning.

Enterprise layout

False positives

Clients without SNI (very old libraries) may always see the default TLS vhost—if logs show mysterious cert name mismatches, capture TLS ClientHello features before blaming application code.

Every hostname the client may send in Host or SNI must appear in the certificate’s SAN (or match a covered wildcard). Browser warnings appear before HTTP-layer redirects can fix mismatched names.

Use consistent canonical names across :80 (redirect) and :443 (content) so generated redirects and cookies align; pick one HTTPS hostname and redirect all aliases to it.

Different DocumentRoot paths may lack httpd_sys_content_t or httpd_sys_rw_content_t where uploads are expected—POSIX chmod alone will not fix AVC denials.

A parsed summary of all VirtualHost definitions, default vhosts per port, wildcard status, and name collisions—run after edits before reload.

_default_ is a legacy catch-all pattern; modern 2.4 deployments usually rely on explicit ordering instead—document behavior if you inherit older configs.

How to Configure Apache Virtual Hosts

What changed in Apache 2.4

How Apache picks a vhost

Minimal TLS and plain-HTTP pair

ServerName, ServerAlias, and useCanonicalName

IP-based vs name-based vhosts

IPv6 and dual stack

Protocol and HTTP/2

Enterprise layout

False positives

Frequently Asked Questions

Q.Is the first VirtualHost really the default for a Listen socket?

Q.How should ServerAlias relate to TLS certificates?

Q.How do I test vhost selection without changing public DNS?

Q.What is the IPv6 pattern with VirtualHost *:443?

Q.Should HTTP and HTTPS share the same ServerName?

Q.Why does SELinux break only one vhost?

Q.What does apachectl -S show?

Q.Can I mix _default_ VirtualHost with name-based hosts?

How to Configure Apache Virtual Hosts

What changed in Apache 2.4

How Apache picks a vhost

Minimal TLS and plain-HTTP pair

ServerName, ServerAlias, and useCanonicalName

IP-based vs name-based vhosts

IPv6 and dual stack

Protocol and HTTP/2

Enterprise layout

False positives

Frequently Asked Questions

Q.Is the first VirtualHost really the default for a Listen socket?

Q.How should ServerAlias relate to TLS certificates?

Q.How do I test vhost selection without changing public DNS?

Q.What is the IPv6 pattern with VirtualHost *:443?

Q.Should HTTP and HTTPS share the same ServerName?

Q.Why does SELinux break only one vhost?

Q.What does apachectl -S show?

Q.Can I mix _default_ VirtualHost with name-based hosts?