Apache “Redirect” and http-01


#1

Is there any way to teach Apache httpd to globally exempt .well-known/acme-challenge/* URL paths from Redirect directives?

The END modifier to RewriteRule (new in httpd 2.4) achieves this effect for that directive, but I’ve been stumped to come up with a solution for the same exemption logic for Redirect.

For example, if a user has Redirect 302 / http://google.com/ in their .htaccess file, it’d be nice to have some way to teach Apache to ignore that directive if the URL is for an ACME challenge.

Thank you!


#2

Try RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://google.com$0

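As an added illustration that is not part of the thread, the following Python snippet simulates the RedirectMatch rule proposed in the previous post against a set of constructed request paths. Apache applies the RedirectMatch regex to the URL-path only (no scheme, host or query string) and expands $0 to the whole matched text; the negative lookahead in Python's re module has the same semantics as in Apache's PCRE here, so the simulation shows which paths are exempted and which are redirected, including the edge cases an operator should check (no trailing slash, a longer prefix, different case). The pattern, target and sample paths are taken from or constructed for this demonstration.

```python
import re

# Constructed reproduction of the rule proposed in the thread:
#   RedirectMatch 302 ^(?!/\.well-known/acme-challenge/).* https://google.com$0
# Apache's RedirectMatch applies the regex to the URL-path (no query string,
# no scheme/host), and $0 expands to the whole matched text.
REDIRECT_MATCH_PATTERN = re.compile(r"^(?!/\.well-known/acme-challenge/).*")
REDIRECT_TARGET = "https://google.com$0"
STATUS = 302


def redirect_for(url_path: str):
    """Return (status, location) if the rule would redirect url_path, else None.

    The negative lookahead refuses to match anything under
    /.well-known/acme-challenge/, so those requests fall through to the
    filesystem (where the ACME client wrote the token). Everything else is
    redirected, with $0 replaced by the matched path.
    """
    m = REDIRECT_MATCH_PATTERN.match(url_path)
    if m is None:
        return None
    location = REDIRECT_TARGET.replace("$0", m.group(0))
    return STATUS, location


# Constructed sample requests exercising the edge cases of the lookahead.
SAMPLE_PATHS = [
    "/",                                         # redirected
    "/index.html",                               # redirected
    "/.well-known/acme-challenge/AbC123_token",  # exempt: served locally
    "/.well-known/acme-challenge/",              # exempt (directory itself)
    "/.well-known/acme-challenge",               # redirected: no trailing slash
    "/.well-known/acme-challengeX/token",        # redirected: lookahead is a prefix test
    "/.WELL-KNOWN/acme-challenge/token",         # redirected: regex is case-sensitive
]


def summarize(paths=SAMPLE_PATHS):
    """Map each path to 'exempt' or the redirect Location, for a quick review."""
    result = {}
    for p in paths:
        r = redirect_for(p)
        result[p] = "exempt" if r is None else r[1]
    return result


if __name__ == "__main__":
    for path, outcome in summarize().items():
        print(f"{path:45} -> {outcome}")
```

Run it to see the table of outcomes; the point for a hosting operator is that only paths with the exact prefix /.well-known/acme-challenge/ escape the redirect, which is what an ACME http-01 validation request uses, while every other request still reaches the configured target.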

#3

That assumes a direct modification to the .htaccess file. I want a global configuration that prevents httpd from following Redirect when it matches the ACME challenge pattern.


#4

Could you take a hint from the way Certbot does it, and just Alias /.well-known/acme-challenge/ away from the user’s document root?


#5

I haven’t tried that, but isn’t Alias just about filesystem mapping? I don’t see how that would prevent Redirect from gumming up the authz.


#6

IIRC, in that case, the .htaccess file would never become involved, since the request is diverted before that point.


#7

A global alias precedes/overrides any vhost path manipulation.
.htaccess controls would be applied from within the new path only.


#8

Alias or AliasMatch might work. I’d still prefer to find a less intrusive option that wouldn’t upend user expectations about where their stuff is. We’d have to document the change for customers, and it would break any custom setups users might have put in place … but we’ll check it out.

Thank you!


#9

The .well-known/acme-challenge folder is a very specific location, which should only be used by ACME clients.
True, your clients may have used their specific acme-challenge locations in customized ways, but that is uncommon.
So a “global alias” may be more than you require and, yes, it could impact some custom customer scripts…
It seems that mod_alias can be used in the server config, virtual hosts, and directories (https://httpd.apache.org/docs/2.4/mod/mod_alias.html)
So I would use it within your controlled vhost configs and include it as a common file (wherever needed).
<VirtualHost *:80>

Include /etc/apache2/common.challenges.location

</VirtualHost>

Where /etc/apache2/common.challenges.location contains:
# Alias without a URL-path argument inside <Location> requires httpd 2.4.19 or later
<Location "/.well-known/acme-challenge">
Alias "/common/challenge/folder"
</Location>