In my view, port 80 should just redirect to 443.
But... it can [and should] handle the ACME challenge requests.
That said, I think it best to always proxy things first; So, the first hit is always the proxy.
It returns the redirections or proxies only the challenge requests.
[nothing "random" should reach the web server via port 80]
Also, the proxy is alone in its own DMZ/VLAN.
Everything it does must be allowed.
I'm not sure we are there yet - where everything goes to 443 when 80 is not found.
[hopefully sooner than later]
I guess I have some negative association with mod_md and Apache.
Not sure why... I should revisit that realm and clear things up.
[one more item to the TODO list]
God/The Internet/IEEE gave us four thousand VLANs to use!
And I do my utmost to separate everything from everything else with IPS enabled firewalls [on steroids]
I am my own Big Brother watching over everything! LOL
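Added example, not from the thread or its participants: an Apache virtual host on the proxy's port 80 that does exactly the split described above, forwarding only the ACME HTTP-01 challenge path to the backend web server and answering every other plain-HTTP request itself with a redirect to HTTPS, so nothing else reaches the web server on port 80. The hostname example.com and the backend address 192.0.2.10 are placeholders chosen for the example; mod_proxy, mod_proxy_http and mod_rewrite are assumed to be loaded.

```apache
<VirtualHost *:80>
    ServerName example.com

    # 1. Only the ACME HTTP-01 challenge path is proxied to the backend
    #    web server (placeholder address, constructed for this example),
    #    where the ACME client (e.g. mod_md) answers the challenge.
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://192.0.2.10:80/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://192.0.2.10:80/.well-known/acme-challenge/"

    # 2. Everything else is answered by the proxy itself with a permanent
    #    redirect to HTTPS; the backend never sees these requests on port 80.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After `apachectl configtest`, a request for `http://example.com/anything` should return 301 to the `https://` URL, while `http://example.com/.well-known/acme-challenge/<token>` is served from the backend; checking both with `curl -I` is a quick way to confirm the proxy, not the web server, is the first hit.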
Oh, we are there. Read the mod_md docs I'd linked above. mod_md fscking works.
Only one DMZ is needed, assuming you have zero-trust networks and use reverse SSH tunnels for needed services between VMs. NO CLEARTEXT ANYWHERE. For example my router has reverse SSH tunnels to my HTTPD server for 80 & 443, so it looks like ports 443 & 80 are local to the router, but get spanked directly to the httpd server.
So for outside requests the router reaches into its belly-button and pulls out the response from the httpd server to present to the outside.
Any compromise of the httpd server will be confined to that VM and not affect the router whatsoever. They are trapped in the VM due to zero-trust.
And besides, you can't have multiple DMZs without multiple outside lines, or else you're defeating the purpose.
Exactly.
We must do enough to be able to sleep at night.
And that I do [enough to sleep at ease - but, yet, I don't really sleep much - but I can! - LOL]
Haven't read that and don't have time as I have mission-critical stuff to work on. My sites work without the black screen, and have valid certs, so I am happy.
I am moving toward closing 80 once what I have now proves stable. Because I know it can be done.
For the benefit of future searchers know that a restart is not required for Apache to get the new certs created by mod_md. A reload is all that is needed.
The mod_md GitHub docs have a very nice description of options: