Exclude directory from mod_autoindex.c Options -Indexes

I have the following in my .htaccess:

# "-Indexes" will have Apache block users from browsing folders without a
# default document Usually you should leave this activated, because you
# shouldn't allow everybody to surf through every folder on your server (which
# includes rather private places like CMS system folders).
<IfModule mod_autoindex.c>
  Options -Indexes

However, this blocks access to the .well-known/acme-challenge directory (because it does not have an index file), which LetsEncrypt needs access to when using --webroot option. Does anyone know how I can exclude this .well-known/acme-challenge directory from the above code?

If I add in an index.html file to the .well-known/acme-challenge directory, then this solves the problem. However, this doesn’t seem like the ideal way to do it. What happens if letsencrypt deletes files from this directory, now or in the future, when I renew the certificate?

Hello @curt,

Sorry but I can’t see how Options -Indexes or Options +Indexes or have or not an index.html file in acme-challenge could affect to webroot method.

Let’s Encrypt needs to get a file from that dir that is not affected at all by Indexes option.


You’re right. Based on how that code is supposed to work, it should block users from accessing .well-known/acme-challenge if that directory does not have an index file, which is does not. However, I just tested it and it does not block.

Index just defines whether a request to the directory itself (without specifying a file path) should serve a list of all files in the directory (the directory index) or not. Requesting a specific file within .well-known/acme-challenge/ isn’t affected by this option in any way.

One can also put a LocationMatch block in the main configuration and block autoindexing for this location on all virtualhosts.