In my view, port 80 should just redirect to 443.
But... it can [and should] handle the ACME challenge requests.
That said, I think it best to always proxy things first; So, the first hit is always the proxy.
It returns the redirections or proxies only the challenge requests.
[nothing "random" should reach the web server via port 80]
Also, the proxy is alone in its' own DMZ/VLAN.
Everything it does must be allowed.
I don't proxy nothin'.... another attack surface. Of course everyone automatically redirects 80 to 443 these days, in multiple ways, just out of rote.
I mean closing 80 entirely using nftables. mod_md will still function with the measure I've noted above and in the docs.
Any webserver/email server/bittorrent server, etc must be in the DMZ, mediated by a router VM.
I'm not sure we are there yet - where everything goes to 443 when 80 is not found.
[hopefully sooner than later]
I guess I have some negative association with mod_md and Apache.
Not sure why... I should revisit that realm and clear things up.
[one more item to the TODO list]
Is that singular?
Recall:
God The Internet IEEE gave us four thousand VLANs to use!
And I do my utmost to separate everything from everything else with IPS enabled firewalls [on steroids]
I am my own Big Brother watching over everything! LOL
Oh, we are there. Read the mod_md docs I'd linked above. mod_md fscking works.
Only one DMZ is needed, assuming you have zero-trust networks and use reverse SSH tunnels for needed services between VMs. NO CLEARTEXT ANYWHERE. For example my router has reverse SSH tunnels to my HTTPD server for 80 & 443, so it looks like ports 443 & 80 are local to the router, but get spanked directly to the httpd server.
So for outside requests the router reaches into its belly-button and pulls out the response from the httpd server to present to the outside.
Any compromise of the httpd server will be confined to that VM and not affect the router whatsoever. They are trapped in the VM due to zero-trust.
And besides, you can't have multiple DMZs without multiple outside lines, or else you're defeating the purpose..
I don't think I follow the restriction...
Here is the left side of "my desktop":
[pic removed]
VMs abound and VLANs a plenty.
That's dynamite. But it makes no sense to me, given the discussion.
I have several VMs in the DMZ and tons on the LAN side (although VLANs are pointless IMHO).
We are discussing DMZs/VLANs/isolation
Just showing how I have many while you only use one DMZ
Well... the pic doesn't show the VLAN info [true]
To each, his own.
Exactly.
We must do enough to be able to sleep at night.
And that I do [enough to sleep at ease - but, yet, I don't really sleep much - but I can! - LOL]
@Quantum what challenge of the Challenge Types - Let's Encrypt do you use?
(sorry, I couldn't figure it out; maybe the ACME Client implies DNS-01)
If you are using the HTTP-01 challenge you need Port 80.
Best Practice - Keep Port 80 Open
Haven't read that and don't have time as I have mission-critical stuff to work on. My sites work without the black screen, and have valid certs, so I am happy.
I am moving toward closing 80 once what I have now proves stable. Because I know it can be done.
For the benefit of future searchers know that a restart is not required for Apache to get the new certs created by mod_md. A reload is all that is needed.
The mod_md github docs have a very nice description of options:
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.