
Recently I noticed that a new line was added in the htaccess file in several locations throughout the file.

RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?

I don't understand what it does, and I would like clarification if possible for its purpose.

An example of how it appears is shown in this example below.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Thank you in advance.

2 Answers


This isn't really a complete answer, as I can't comment specifically on how/where Ballot169 fits into the bigger scheme of things. However, I can comment on "what it does". It does seem a bit odd though...

In general, these RewriteCond directives are used to create exceptions so that when SSL certs are auto-renewed, the necessary validation file can be accessed unencumbered. See my answer to the following ServerFault question for more on this:

RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?

Since the last part of the regex (?:\ Ballot169)? is entirely optional and there is no trailing end-of-string anchor (i.e. $), this last part that checks Ballot169 is entirely superfluous and can be removed! (This "looks like" an error with the regex, unless it is an attempt to inject a comment/trackable token in the code?) So, this is the same as simply:

RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/

In other words, it's checking that the URL-path does not start with /.well-known/pki-validation/.

Consequently, this makes the preceding condition that checks against "Comodo" along the same URL-path redundant.

In Googling, this particular directive does crop up as-written in other places, such as this StackOverflow question from January 2019.

"Ballot 169" would seem to refer to this:

MrWhite
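To see the two points in the answer above concretely (the optional group adds nothing without a `$` anchor, and the Comodo condition is subsumed by the pki-validation one), here is an added example that is not part of the original answer. It evaluates the four exception patterns from the question's .htaccess against constructed sample paths with Python's re module standing in for Apache's PCRE; the sample paths are made up, except the acme token taken from the log line in the thread.

```python
import re

# The four negated RewriteCond patterns from the question's .htaccess, minus the
# leading "!" (so here a match means "this request is exempt from the rewrite").
EXEMPT_PATTERNS = {
    "acme":      r"^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$",
    "cpanel":    r"^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$",
    "comodo":    r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",
    "ballot169": r"^/\.well-known/pki-validation/(?:\ Ballot169)?",
}
# What the answer says the last pattern reduces to once the optional group is dropped.
BALLOT169_SIMPLIFIED = r"^/\.well-known/pki-validation/"

def matching_conditions(uri):
    """Names of the patterns that match the request path. re.match anchors at the
    start only, which is exactly the '^' with no '$' situation discussed above."""
    return {name for name, pat in EXEMPT_PATTERNS.items() if re.match(pat, uri)}

def rewritten_to_index(uri, exists_on_disk=False):
    """Mimic the second rule block: a request is rewritten to /index.php only when
    it is not an existing file/directory and none of the exceptions match."""
    return not exists_on_disk and not matching_conditions(uri)

def ballot169_equals_prefix_check(uris):
    """True if the original and simplified pattern agree on every sample path."""
    orig, simp = EXEMPT_PATTERNS["ballot169"], BALLOT169_SIMPLIFIED
    return all(bool(re.match(orig, u)) == bool(re.match(simp, u)) for u in uris)

def comodo_is_redundant(uris):
    """True if every path the Comodo pattern exempts is already exempted by the
    Ballot169 pattern, i.e. the Comodo condition changes nothing."""
    return all("ballot169" in matching_conditions(u)
               for u in uris if "comodo" in matching_conditions(u))

# Constructed sample paths (the acme token is the one from the quoted log line).
SAMPLE_URIS = [
    "/.well-known/acme-challenge/Z152-H592V1UDY0PWBCKU3GEO5L6-3DQ",
    "/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt",
    "/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt Comodo DCV",
    "/.well-known/pki-validation/ Ballot169",
    "/.well-known/pki-validation/anything-else",   # exempt: prefix match only
    "/.well-known/pki-validation",                 # no trailing slash: not exempt
    "/.well-known/other-thing",
    "/blog/some-post/",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u!r:75} exempt by {sorted(matching_conditions(u)) or '-'}")
    print("Ballot169 pattern == prefix check:", ballot169_equals_prefix_check(SAMPLE_URIS))
    print("Comodo pattern redundant:", comodo_is_redundant(SAMPLE_URIS))
```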

@MrWhite I appreciate your guidance on how to respond, add more context etc, and per your suggestion I am answering my question so you can add your comments to it, thank you.


After your answer I contacted the hosting company. At first the representative only said that it was part of the SSL certificate; I kept asking him what its purpose and function were, and the only thing he said was "it all has to do with how the certificate was installed". When I kept pushing he backtracked on that comment, saying it was not important.

The way you broke down the directive and how it works, together with the other answer that you linked which says "other people have labeled this particular set of rules as some sort of DDOS protection", got me thinking, so I did a search on 'well-known hack' which came up with this:

https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites

So your analysis makes me think that protection of the certificate and possibly the directory is what that line does by either blocking or redirecting such requests, correct me if I am wrong.

Again I became curious and started downloading access logs and searching through them for 'well-known' entries. To be honest I didn't know if those were common (as in always there, but I never paid attention to them) or not, and this is what I found.

  • In February there were a total of 280 entries in the access logs that looked similar to the line below. The string of characters after /acme-challenge/ is different for all of them, and the majority point to IP addresses from Cloudflare (the website uses Cloudflare, so I am not sure if this is important to mention or not).

"GET /.well-known/acme-challenge/Z152-H592V1UDY0PWBCKU3GEO5L6-3DQ HTTP/1.1" 200 64 "-" "Cpanel-HTTP-Client/1.0"

  • In March there were no entries at all, but they started showing again this month (April), which also coincides with the new line being added, and so far there are around 145 entries for 'well-known'.

  • Worth noting that this particular website uses the free SSL from Cloudflare, not the one from Let's Encrypt.

  • And last but not least, of 3 different accounts that I have access to, all with the same hosting company, only in 1 of them is that line being added to the .htaccess file.

Mr. White, thank you so much as always for your insight; if I do find any additional information I'll post it here.
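The log search described in this answer, as an added example that is not part of the original post: it parses combined-format access log lines like the one quoted above, counts /.well-known/ requests per month and per (directory, user agent), and lists requests to well-known directories that the .htaccess exceptions do not cover, which is where the hidden-directory abuse in the linked article would show up. The log lines are constructed (documentation IP ranges, made-up tokens); only the line format and the Cpanel-HTTP-Client agent come from the thread.

```python
import re
from collections import Counter

# Combined-log-format line in the shape of the entry quoted in the answer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>\w{3})/(?P<year>\d{4})[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Directory names the .htaccess exceptions cover; anything else under /.well-known/
# is not a certificate-validation request and deserves a closer look.
EXPECTED_DIRS = {"acme-challenge", "cpanel-dcv", "pki-validation"}

def parse(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage_well_known(lines):
    """Count /.well-known/ requests per month and per (directory, user agent), and
    collect (ip, path, status) for requests to directories outside EXPECTED_DIRS."""
    per_month, per_dir_agent, unexpected = Counter(), Counter(), []
    for line in lines:
        e = parse(line)
        if not e or not e["path"].startswith("/.well-known/"):
            continue
        parts = e["path"].split("/")          # ['', '.well-known', '<dir>', ...]
        subdir = parts[2] if len(parts) > 2 else ""
        per_month[f'{e["year"]}-{e["mon"]}'] += 1
        per_dir_agent[(subdir, e["agent"])] += 1
        if subdir not in EXPECTED_DIRS:
            unexpected.append((e["ip"], e["path"], e["status"]))
    return per_month, per_dir_agent, unexpected

# Constructed sample lines (not real traffic) in the same format as the quoted entry.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2019:04:10:01 +0000] "GET /.well-known/acme-challenge/Z152-H592V1UDY0PWBCKU3GEO5L6-3DQ HTTP/1.1" 200 64 "-" "Cpanel-HTTP-Client/1.0"
203.0.113.10 - - [12/Feb/2019:04:10:02 +0000] "GET /.well-known/acme-challenge/ABCDEFGHIJKLMNOPQRSTUVWXYZ012345 HTTP/1.1" 200 64 "-" "Cpanel-HTTP-Client/1.0"
198.51.100.7 - - [03/Apr/2019:09:30:11 +0000] "GET /.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt HTTP/1.1" 200 88 "-" "Cpanel-HTTP-Client/1.0"
198.51.100.7 - - [03/Apr/2019:09:31:45 +0000] "GET /.well-known/some-other-dir/page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Apr/2019:10:00:00 +0000] "GET /blog/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    months, by_dir_agent, odd = triage_well_known(SAMPLE_LOG)
    print("per month:", dict(months))
    print("per directory/agent:", dict(by_dir_agent))
    print("outside expected directories:", odd)
```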