letsencrypt exception on apache reverse proxy along with ip restrictions
That is to say, outside the "Location" section (which means that I explicitly write the path of the ProxyPass and ProxyPassReverse, as it is no longer implicit). The problem is that I wouldn't be able to integrate the IP restrictions, which I would like to have only for the proxied backend and I would leave the /.well-known location accessible.
You could use mod_rewrite to send requests from your internal networks to the proxied backends unmodified, and everything else to the file Let's Encrypt uses to verify domain ownership. Unless you are running a super high traffic site where you need to squeeze every bit of performance out of it, it should do the job.
I find the solution a little bit ambiguous. So what you're saying is that I should add rewrite rules for each network address? There must be a clearer and cleaner way of doing this, but maybe I'm wrong. But if you're willing to be more explicit, then I'll give it a try.
On the one hand, I have a long list of IPs that I need to give access to. On the other hand, I don't see how the rule would work anyway, as the letsencrypt_uri is going to be example.com/.well-known, which doesn't really help me in this context, as it's going to go to the backend anyway, so that the letsencrypt requests are going to end up accessing http://localhost:8050/.well-known instead.
I don't understand why it wouldn't work with an Alias and/or with another Location for /.well-known. I tried it, but it doesn't seem to have any effect. I added the following before <Location />
Code:
Alias "/.well-known" "/var/web/letsencrypt"
<Directory "/var/web/letsencrypt">
Require all granted
</Directory>
I was able to do it in nginx so easily while also including ip restriction in another location:
Code:
location /.well-known {
    # Served from disk with no IP restriction, so the ACME validator can reach it
    alias /var/www/html/.well-known;
}
location / {
    include allowed.ips; # restrict access to certain IPs (a file of allow/deny lines)
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://mybackend;
    # WebSocket pass-through; $connection_upgrade is defined by a map block in the http context
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    # This allows the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and it will automatically close.
    proxy_read_timeout 900s;
}
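An Apache 2.4 virtual host that does what the nginx block above does, added here as a worked example and not taken from any post in this thread. It keeps the backend address (localhost:8050) and the challenge webroot (/var/web/letsencrypt) mentioned in the thread; the server name example.com and the allow-list file /etc/apache2/allowed-ips.conf are assumed names. It shows why the Alias attempt had no effect: a ProxyPass set in the virtual host is matched before Alias is consulted, so the challenge path has to be excluded from proxying with a ProxyPass "!" rule placed before the catch-all rule (the first matching ProxyPass wins). The two Location sections must also stay in the order shown, because later sections override earlier ones for the paths they match.

```apache
# Added example (not from the thread). Assumes Apache 2.4 with mod_proxy,
# mod_proxy_http and mod_authz_core loaded, a backend on localhost:8050,
# and the challenge webroot /var/web/letsencrypt from the thread.
<VirtualHost *:80>
    ServerName example.com

    # Requests that are NOT proxied are mapped onto this DocumentRoot, so
    # /.well-known/acme-challenge/TOKEN resolves to
    # /var/web/letsencrypt/.well-known/acme-challenge/TOKEN, which is exactly
    # where "certbot --webroot -w /var/web/letsencrypt" writes the token.
    DocumentRoot "/var/web/letsencrypt"
    <Directory "/var/web/letsencrypt">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # 1. Exclusion FIRST: ProxyPass rules are checked in configuration order
    #    and the first match wins, so the "!" rule must precede the catch-all.
    ProxyPass        "/.well-known/acme-challenge/" "!"

    # 2. Everything else goes to the backend. ProxyPreserveHost plays the
    #    role of "proxy_set_header Host $host"; mod_proxy_http adds the
    #    X-Forwarded-For/Host/Server headers itself. timeout=900 mirrors
    #    the 900s proxy_read_timeout from the nginx configuration.
    ProxyPreserveHost On
    ProxyPass        "/" "http://localhost:8050/" timeout=900
    ProxyPassReverse "/" "http://localhost:8050/"

    # 3. IP restriction for the proxied part only. Several "Require ip"
    #    lines at the same level are OR-ed together (implicit RequireAny).
    <Location "/">
        Require ip 127.0.0.1 ::1
        Require ip 10.0.0.0/8
        # Long allow-lists: keep one "Require ip ..." line per entry in a
        # separate file (assumed path) and pull it in here, as nginx does
        # with "include allowed.ips".
        Include /etc/apache2/allowed-ips.conf
    </Location>

    # 4. Must come AFTER <Location "/">: Location sections merge in
    #    configuration order and the later Require set replaces the earlier
    #    one for this path, so the ACME validator is let in from anywhere.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</VirtualHost>
```

Check it with `apachectl configtest`, then from an address that is not on the list: a request for / should get 403, while /.well-known/acme-challenge/anything is answered from disk (404 for a token that does not exist, 200 for one that `certbot certonly --webroot -w /var/web/letsencrypt -d example.com` has just written). The WebSocket Upgrade handling in the nginx block has no direct counterpart here and needs mod_proxy_wstunnel if the backend relies on it.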
I'm glad you got it to work with Nginx. It has been a while since I have used Let's Encrypt for a machine on my network. Right now, I am only using Let's Encrypt for shared hosting. I would think adding another location block like you said would work. I've never used Apache for reverse proxying; I've always used HAProxy.
I just thought of something you might be able to do if you really want to use Apache. I wonder if it would work if you were to configure a virtual host for Let's Encrypt, then setup another location block that uses it as a back end?
Maybe I was a little bit misleading. I had the solution for nginx from the very beginning, but it's important to find it on Apache, because this is what we're currently using in some setups and there are still many configurations that I find a little bit difficult to transfer to nginx - I still need to understand how I would go about doing that.
So basically two <VirtualHost> sections, one for Let's Encrypt and the other for the backend? I don't see how anything good could come out of this, but I could give it a try, I guess. I expect that the first one takes precedence over the second one, and so the second wouldn't be accessible anymore.