
Under normal circumstances, setting up an Apache reverse proxy with a Let's Encrypt exception for /.well-known is easily done with ProxyPass /.well-known !. It seems to become much more difficult (something I happen to have easily solved in nginx) to configure this exception along with IP restrictions for the backend:

<VirtualHost *:80>
  ServerName example.com
  DocumentRoot /var/www/html
  Redirect / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  DocumentRoot /var/www/html

  ErrorLog ${APACHE_LOG_DIR}/bfp-all_error.log
  CustomLog ${APACHE_LOG_DIR}/bfp-all_access.log combined

  RewriteEngine On
  RewriteCond %{HTTP:Connection} Upgrade [NC]
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteRule /(.*) ws://localhost:8050/$1 [P,L]

  ProxyRequests Off
  ProxyPreserveHost On
  <Location />
    ProxyPass "http://localhost:8050/"
    ProxyPassReverse "http://localhost:8050/"
    Require ip 10.0.0.0/24
    Require ip 192.168.0.0/24
  </Location>
</VirtualHost>

I tried using Alias (and also the Directory section, which seems to be quite redundant already) before the Location section, but the requests keep going to the backend:

  DocumentRoot /var/web/letsencrypt
  Alias /.well-known /var/web/letsencrypt/.well-known
  <Directory /var/web/letsencrypt/.well-known>
    Options -Indexes
    Require all granted
  </Directory>
  <Location /.well-known>
    ProxyPass !
    Require all granted
  </Location>

Any ideas on how I could solve this? I would have expected it to be a problem people come across from time to time, but I haven't found anything on the internet.

Lethargos
  • 545

1 Answer


In this case the "reason" for letting the request through to the backend is that the RewriteRule with [P] bypasses the Location block with the ProxyPass directives (and any possible Location block within its match). So both the ProxyPass and the Require rules in it will be ignored, and the requests will be proxied for all IP addresses.

If you leave out the RewriteRule and put the ws://localhost:8050/ in the ProxyPass rules in the <Location> section, it would work as intended. The most specific Location block wins in the configuration merge where it concerns the Require setting and the ProxyPass setting. If a less specific Location block has set a Require or ProxyPass, you can override that with a new one in the most specific Location block.

The websocket proxy itself will already block requests without Upgrade headers.

From Apache 2.4.19 it is possible to put the .well-known Alias straight in the Location block, leaving out the first argument.

Gerrit
  • 1,650
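Below is an added example of the :443 virtual host restructured along the lines the answer describes; it is my own illustration, not the answerer's or the asker's configuration. It assumes Apache 2.4.47 or later so that the ProxyPass upgrade=websocket parameter can replace the [P] RewriteRule (the Alias-inside-Location form needs 2.4.19+), and it reuses the hostname, paths and IP ranges from the question.

```apache
<VirtualHost *:443>
  ServerName example.com

  SSLEngine on
  SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  ErrorLog  ${APACHE_LOG_DIR}/bfp-all_error.log
  CustomLog ${APACHE_LOG_DIR}/bfp-all_access.log combined

  ProxyRequests Off
  ProxyPreserveHost On

  # Default: everything is proxied, and only the two internal ranges may reach it.
  # upgrade=websocket (Apache 2.4.47+, assumed here) lets mod_proxy handle the
  # WebSocket Upgrade on the same ProxyPass, so no [P] RewriteRule is needed and
  # the Require directives in this block are no longer bypassed.
  <Location "/">
    ProxyPass        "http://localhost:8050/" upgrade=websocket
    ProxyPassReverse "http://localhost:8050/"
    Require ip 10.0.0.0/24
    Require ip 192.168.0.0/24
  </Location>

  # The more specific Location wins the merge: its "ProxyPass !" and
  # "Require all granted" replace the ones inherited from <Location "/">.
  # Only the ACME challenge path is opened to the world, not all of /.well-known.
  <Location "/.well-known/acme-challenge/">
    ProxyPass !
    # Alias inside a Location block takes a single argument (Apache 2.4.19+).
    Alias "/var/web/letsencrypt/.well-known/acme-challenge/"
    Require all granted
  </Location>

  <Directory "/var/web/letsencrypt/.well-known/acme-challenge">
    Options -Indexes
    Require all granted
  </Directory>
</VirtualHost>
```

After reloading, a request for /.well-known/acme-challenge/test-token from an address outside 10.0.0.0/24 and 192.168.0.0/24 should be served from the local directory, while the same address requesting / should receive a 403 rather than being proxied; the :80 virtual host's Redirect still sends the challenge to HTTPS, which the ACME HTTP-01 validator follows.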