HTTP Port open to the whole world - Security suggestions

Hi All

I’m new here and asking myself, how i can use a reverse proxy to filter http commands to the apache 2 server (open HTTP Port). Cause of security concerns lets encrypt whants not to give their ip subnet to allow on the firewall rule only that subnet to access the http port on my server. So, which command should i only allow for the reneval process? And, is it possible to know, if the servers are only in north america? So i can make geo ip.

Thanks for any help. It is realy appreciated.

Best, Fabius

1 Like

There are many reasons to leave port 80 open:

There are also other challenge types (for those who can’t use port 80):

My suggestion is:

2 Likes

Tnx. I already looked into. I have to look what the verification process needs. Best, Fabius

2 Likes

The last link details the absolute minimum required to get LE to validate via HTTP.
As for:

They are not only in any single part of the world.
[and they can be moved at any moment]
So, although Geo protection is good, it should NOT be applied to HTTP.
(For the security conscious) HTTP should be run separately from the HTTPS systems.

2 Likes

Hi @fabius,

As @rg305 said (and linked to), we don’t publish our validation IP addresses because we intend to change them over time, and in fact we have an upcoming launch planned where we will validate from multiple points of view (in multiple parts of the world) simultaneously. I recommend you simply allow access to your HTTP port from the whole world. Millions of web servers do this. You just need to keep up with your software updates.

If you try to firewall validation access to allow only certain IP addresses, it’s likely that future renewals will fail.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.