I’m new here and asking myself, how i can use a reverse proxy to filter http commands to the apache 2 server (open HTTP Port). Cause of security concerns lets encrypt whants not to give their ip subnet to allow on the firewall rule only that subnet to access the http port on my server. So, which command should i only allow for the reneval process? And, is it possible to know, if the servers are only in north america? So i can make geo ip.
The last link details the absolute minimum required to get LE to validate via HTTP.
As for:
They are not only in any single part of the world.
[and they can be moved at any moment]
So, although Geo protection is good, it should NOT be applied to HTTP.
(For the security conscious) HTTP should be run separately from the HTTPS systems.
As @rg305 said (and linked to), we don’t publish our validation IP addresses because we intend to change them over time, and in fact we have an upcoming launch planned where we will validate from multiple points of view (in multiple parts of the world) simultaneously. I recommend you simply allow access to your HTTP port from the whole world. Millions of web servers do this. You just need to keep up with your software updates.
If you try to firewall validation access to allow only certain IP addresses, it’s likely that future renewals will fail.