Apache

apache1234 · 04-13-2016, 02:43 AM

Hello,

I want to redirect any request for http to https. This works fine.

But when the local IP tries to open http-URL it should not be redirected to https - I need this for letsencrypt renewing script.

Is there a way to change the RewriteCond that the locally IP will not be redirected?

Code:

<VirtualHost ...>
.
.
.
.
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    LogLevel alert rewrite:trace3
  </ifmodule>
.
.
.
.
</VirtualHost>

TenTenths · 04-13-2016, 03:26 AM

I've never had to do anything special with redirections based on IP for letsencrypt.

You don't mention which method of set-up you used but I used the "--webroot" method with .htaccess to do the http>https redirection like this:

Code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mydomain.com/$1 [R,L]
</IfModule>

I renew certs with this method:

Code:

letsencrypt certonly --keep-until-expiring --webroot -w /path/to/public_html -d mydomain.com,www.mydomain.com

What problems are you getting?

apache1234 · 04-13-2016, 03:40 AM

When I try to renew the certificate the letsencrypt script treis to access to http://mydomain.com/.well-known.... and to http://www.mydomain.com/.well-known....

When now http will be redirected to https the files in the acme-challenge directory can't be found by the script. So I thought it would be the easiest way not to redirect to https when the request comes from the locally IP.

bathory · 04-13-2016, 04:24 AM

Quote:

Is there a way to change the RewriteCond that the locally IP will not be redirected?

Yes, add another RewriteCond for the IP you want to exclude:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REMOTE_ADDR} !^x.x.x.x
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Regards

TenTenths · 04-13-2016, 09:43 AM

Quote:

Originally Posted by apache1234

When I try to renew the certificate the letsencrypt script treis to access to http://mydomain.com/.well-known.... and to http://www.mydomain.com/.well-known....

You are mistaken. The letsencrypt.org server tries to access the files, not the local script.

Quote:

Originally Posted by apache1234

When now http will be redirected to https the files in the acme-challenge directory can't be found by the script. So I thought it would be the easiest way not to redirect to https when the request comes from the locally IP.

As per above the verification request does not come from the local IP see below.

From the access_log

Code:

66.133.109.36 - - [13/Apr/2016:15:37:39 +0100] "GET /.well-known/acme-challenge/[REMOVED] HTTP/1.1" 302 299 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Code:

# nslookup 66.133.109.36
Server:         8.8.8.8
Address:        8.8.8.8#53
Non-authoritative answer:
36.109.133.66.in-addr.arpa      canonical name = ip36-109-133-66.letsencrypt.org.
ip36-109-133-66.letsencrypt.org name = outbound1.letsencrypt.org.

apache1234 · 04-13-2016, 12:05 PM

Ok thx.

I only assumed this - I did not look into the logfiles.

But the letsencrypt only check this files via http instead of https.

When a new certificate will be requested by the script it only can happen via http but while renewing it also could work via https!
But I believe that the letsencrypt IP addresses will change from time to time.

Then my script must disable the redirecting before renewing or filtering by the browser-agent but this also could be faked very easily. :-(

TenTenths · 04-14-2016, 11:06 AM

Last couple of posts in this thread http://www.linuxquestions.org/questi...pt-4175577334/ may be helpful.