Why does the acme-challenge subdirectory need to be hidden?

I’ve noticed that some configuration files for nginx and letsencrypt have these lines:

# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
    return 404;
}

Can someone explain to me why this is more ‘secure’? Is it just because you don’t want random people viewing the ‘acme-challenge’ directory? Is it only relevant if you have autoindex on?

Along the same lines – are there any other ‘gotchas’ I have to look out for security wise?
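For context on what that snippet actually does, here is an added example (not part of the original post, and not a config shipped by nginx or Let’s Encrypt) of a complete server block that puts the exact-match location from the question next to the prefix location that serves the challenge files. The `=` modifier makes nginx match only the URI `/.well-known/acme-challenge/` itself; requests for `/.well-known/acme-challenge/<token>` are not affected, because exact-match locations are checked first and the prefix location handles everything below the directory. Without the exact-match block, a request for the bare directory returns 403 (directory exists, no index file, autoindex off) or a file listing (autoindex on); with it, the response is indistinguishable from a path that does not exist. The server name and webroot path are placeholders.

```nginx
# Added example, not code from the original post.
# Assumptions: server_name example.com and the webroot /var/www/letsencrypt
# are placeholders; the ACME client is run with that webroot, e.g.
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
server {
    listen 80;
    server_name example.com;

    # Exact match ("=" and the trailing slash): only a request for the
    # directory URI itself lands here. nginx checks exact-match locations
    # before anything else, so this never shadows the token URLs below.
    # 404 instead of 403 so the response does not confirm the directory exists.
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # Prefix match for the actual challenge files. "^~" stops nginx from
    # consulting regex locations for this prefix; without it, the dotfile
    # regex block further down would match first and return 403 for every
    # token, which is the usual reason webroot validation "mysteriously" fails.
    # URI /.well-known/acme-challenge/<token> maps to
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Block every other dotfile or dot-directory (.git, .env, .htpasswd, ...).
    # Regex locations are evaluated before plain prefix locations, hence the
    # "^~" on the challenge block above.
    location ~ /\. {
        deny all;
    }

    # Everything else on port 80 goes to HTTPS. Keep this *after* the
    # challenge location: a blanket redirect declared as "return 301" at
    # server level would also redirect the ACME validator.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

To check the result after reloading: `curl -i http://example.com/.well-known/acme-challenge/` should answer 404, while a test file created as `/var/www/letsencrypt/.well-known/acme-challenge/test` should be returned with 200 by `curl -i http://example.com/.well-known/acme-challenge/test`. If the second request returns 403, a regex location or a `deny` rule is winning over the challenge prefix.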


No secret or sensitive data ever touches acme-challenge. Probably just unfounded paranoia.

I don’t think it has anything to do with being hidden as such, but /.well-known/ is a somewhat-standardized location for a number of services (it’s also used by email autodiscovery, for one example). See RFC 5785.

I think @jdwissler was asking about the motivation for the return 404 in this configuration more than about why /.well-known starts with a dot. And I’d also say it’s just someone’s general intuition not to let people see information that wasn’t explicitly intended for them; as @_az mentioned, the contents of this directory in the way that it’s used by Let’s Encrypt won’t actually contain any secrets.

