sanjom

Let's Encrypt .htaccess Conditions

Hey, I've used ProcessWire for a while now but not made an appearance in the forum yet :D I just wanted to share the solution to a small problem I came across with Let's Encrypt (free SSL service).

Let's Encrypt SSL certificates need to be renewed every few months to remain active. My web host does this automatically but needs access to a folder named ".well-known", which ProcessWire blocks by default because it starts with a dot. This results in a 403 error.

To work around this, just add the following line to your .htaccess file, around line 150:

RewriteCond %{REQUEST_URI} !^(/\.well-known)

It should be the first condition in the section titled "Access Restrictions: Keep web users out of dirs that begin with a period".

I also ran into another problem. Let's Encrypt accesses mail.example.com, which is redirected to www.mail.example.com because I enabled the redirection in my .htaccess file. So we need to exclude the mail sub domain from that rule using the following line as the second condition in the www-redirection section (around line 160):

RewriteCond %{HTTP_HOST} !^mail\. [NC]

I know it's quite a specific problem but maybe it'll help someone Googling the issue.

I was curious, is there any way of redirecting to the www-version without having to exclude all your sub domains? The only way I can think of involves explicitly writing out your domain name in the .htaccess file and redirecting whenever the %{HTTP_HOST} starts with that name. But obviously that would lead to a loss of generality.

Hi,

6 hours ago, sanjom said:

It should be the first condition in the section titled "Access Restrictions: Keep web users out of dirs that begin with a period".

As far as I know, since ProcessWire 3.0.29 we have RewriteRule "(^|/)\.(?!well-known)" - [F] there by default. See: https://processwire.com/blog/posts/pw-3.0.29/#summary-of-added-pull-requests

I'm still having an issue with this. Both with my older PW sites and my newer 3.0+ sites. I can see the rule in the htaccess, but .well-known is still blocked. Any ideas?

Have you checked the permissions of .well-known?

Gideon

Edit: Just found this (.htaccess, section 12):

RewriteRule "(^|/)\.(?!well-known)" - [F]

I have not been having this kind of problem since 3.0.29. My issue is I have the htaccess file forcing https and that breaks the renewal process. Currently I rename the htaccess to something like htaccess1, then do the renewal manually, then rename the htaccess file back to normal. Anyone have a tip on how I can still use the automated way with https? Sorry to hijack this thread.

I am using acme.sh with the webroot validation mode and don't have an issue with https for renewal. However, I put this in my .htaccess in case I ever have to start from scratch.

  RewriteCond %{HTTP:X-Forwarded-Proto} =http
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known"
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The interesting bit is the 2nd line, which effectively says "to redirect from http to https, the URI cannot match .well-known or anything/.well-known".

In the PW-installed .htaccess this is the #9 block of directives that redirects from http to https, not the #12 block of access control restrictions. The sense of the comparison with ".well-known" here is different than in block #12. Additionally, the exact format of the 1st line will depend on how your web server frontend/load-balancer is configured. Alternatives involve %{HTTPS}, %{HTTP:X-Forwarded-SSL}, %{HTTP:Forwarded}, etc., and you should not change whatever is already working for you in the 1st line.

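As an added example (not code from this thread or from ProcessWire), here is a small Python emulation of the three rule blocks discussed above: the dot-directory restriction with its .well-known exception (block 12, the reply citing 3.0.29), the http-to-https redirect that skips .well-known (block 9, the acme.sh post), and the www redirect with the mail. exclusion from the first post. It is not Apache: RewriteCond/RewriteRule semantics are reduced to what these particular rules need, the block order is an assumption to check against your own file, and the sample requests are constructed.

```python
import re

# Block 9 (acme.sh post): RewriteCond %{REQUEST_URI} "!(^|/)\.well-known"
WELL_KNOWN = re.compile(r"(^|/)\.well-known")
# www redirect exclusion (first post): RewriteCond %{HTTP_HOST} !^mail\. [NC]
MAIL_HOST = re.compile(r"^mail\.", re.IGNORECASE)
# Block 12 (PW >= 3.0.29): RewriteRule "(^|/)\.(?!well-known)" - [F]
DOT_DIR = re.compile(r"(^|/)\.(?!well-known)")

def force_https(scheme, host, uri):
    """Block 9: http -> https, but never for the ACME challenge path."""
    if scheme == "http" and not WELL_KNOWN.search(uri):
        return ("redirect", f"https://{host}{uri}")
    return None

def force_www(scheme, host, uri):
    """www redirect with mail. hosts excluded ([NC] = case-insensitive)."""
    if not host.lower().startswith("www.") and not MAIL_HOST.search(host):
        return ("redirect", f"{scheme}://www.{host}{uri}")
    return None

def block_dot_dirs(scheme, host, uri):
    """Block 12: 403 for any path segment starting with '.' except .well-known.
    A per-directory RewriteRule sees the path without its leading slash."""
    if DOT_DIR.search(uri.lstrip("/")):
        return ("forbidden", None)
    return None

# Assumed block order (check your own file): 9, then www redirect, then 12.
CHAIN = (force_https, force_www, block_dot_dirs)

def evaluate(scheme, host, uri, chain=CHAIN):
    """Outcome of the first block that fires, else ('serve', uri)."""
    for rule in chain:
        result = rule(scheme, host, uri)
        if result is not None:
            return result
    return ("serve", uri)

if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    for req in [("http", "example.com", "/.well-known/acme-challenge/abc"),
                ("http", "mail.example.com", "/.well-known/acme-challenge/abc"),
                ("https", "www.example.com", "/site/.git/config"),
                ("https", "www.example.com", "/about/")]:
        print(req, "->", evaluate(*req))
```

Dropping force_www's MAIL_HOST check reproduces the first post's symptom: the challenge request for mail.example.com is sent to www.mail.example.com instead of being served.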
I'm currently having this problem on SiteGround. Running multisite PW, the .well-known directory and files are not created, let alone accessible. If I create the directories in the pw/ directory and try accessing them directly I can browse to them, but if I use one of the multisite domains it will not find the directory in pw/ - should it be looking somewhere else? Do I need to alter the base directory for each multisite? They are currently all pointing at the pw/ directory.

Thanks!

5 hours ago, gornycreative said:

If I create the directories in the pw/ directory and try accessing them directly I can browse to them, but if I use one of the multisite domains it will not find the directory in pw/ - should it be looking somewhere else? Do I need to alter the base directory for each multisite? They are currently all pointing at the pw/ directory.

There are different possible approaches, but this should work:

  • create a subdirectory in your web root for every domain, named exactly like the domain
  • make sure ownership is correct
  • add a rewrite rule in .htaccess before #12 that prepends the requested host name to the path:
  RewriteCond %{REQUEST_URI} ^/?\.well-known
  RewriteRule "(^|/)(.*)$" $1%{HTTP_HOST}/$2 [L]

  • start letsencrypt with webroot option pointing to /path/to/pw/domain-in-question for every domain
  • enjoy

