Score:1

Apache: How to "hide" a subdomain but serve over https

cn flag

I will freely admit my ignorance - or perhaps enough knowledge to be dangerous.

I have a subdomain http://db.<mydomain>.com that serves the phpMyAdmin utility. It's currently in a directory with an Apache directive to require a valid-user from .htaccess, which made sense at the time, because I don't want to expose the phpMyAdmin login page to the general public.

The problem this created showed up when trying to use certbot to create SSL certs for my site: it can't validate the ACME challenge because the challenge can't get past the .htaccess restriction.

How can I simultaneously serve this subdomain over https while also requiring an additional layer of security before a user can see the phpMyAdmin login page?

    <VirtualHost *:80>
        ServerName db.<mydomain>.com
        ServerAlias www.db.<mydomain>.com
        DocumentRoot /var/www/subdomains/db/phpMyAdmin
    </VirtualHost>
    <Directory "/var/www/subdomains/db">
        Options Indexes FollowSymLinks ExecCGI
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthUserFile "/var/www/.htpasswd-users"
        require valid-user
    </Directory>
Score:2
ar flag

There are at least three ways to solve this:

  1. Use the DNS challenge, requiring no HTTP connection.
  2. Disable basic auth for the .well-known/ path, which is used by certbot.
  3. Use the standalone module of certbot. This will lead to 10-20 seconds of downtime.
Score:0
in flag

One possible way is to add access restrictions for the virtual host like this:

<Directory "/www/docs/db">
    <RequireAny>
        # Require ip accepts only IP addresses or CIDR ranges;
        # a hostname (matched via reverse DNS) needs Require host
        Require ip <localip>
        Require host <certbot host-name>
    </RequireAny>
</Directory>

For more information about the Require directive, you can visit the Apache docs.

vidarlo avatar
ar flag
LE doesn't publish the IPs they come from, and they publicly state the addresses are subject to change without notice. This is mentioned in [their FAQ](https://letsencrypt.org/docs/faq/) under *What IP addresses does Let’s Encrypt use to validate my web server?*
Romeo Ninov avatar
in flag
@vidarlo, hostname is also acceptable in this case.
vidarlo avatar
ar flag
They don't use reverse DNS either. There's simply no reliable way to whitelist them based on address. In addition, there's no reason to do it this way.
Score:0
kz flag
<Directory "/var/www/subdomains/db">
    Options Indexes FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthUserFile "/var/www/.htpasswd-users"
    require valid-user
</Directory>

You should remove the Order and Allow directives. These are old-style Apache 2.2 directives, formally deprecated in Apache 2.4, and are likely to cause conflicts (but they aren't required anyway).

Although I'm curious why you have a <Directory> section for /var/www/subdomains/db, yet the DocumentRoot is defined as /var/www/subdomains/db/phpMyAdmin?

Then add an additional <Directory> section for the /.well-known/ file path in which you allow unrestricted access, so that certbot can "validate the ACME challenge". For example:

<Directory "/var/www/subdomains/db/phpMyAdmin/.well-known">
    Require all granted
</Directory>
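Putting the pieces together, here is a complete virtual-host configuration that implements option 2 of the first answer in the way the last answer describes (Basic auth in front of the whole phpMyAdmin tree, the ACME challenge path opened up, and the site served over HTTPS). This is an added example, not configuration from the question or any of the answers. The DocumentRoot and htpasswd path are taken from the question; db.example.com stands in for db.<mydomain>.com; the certificate file locations are the ones certbot writes on most Linux distributions and are an assumption here, as is the availability of mod_ssl, mod_rewrite and mod_authn_file.

```apache
# Added example; not the question's or any answer's own configuration.
# Assumes mod_ssl, mod_rewrite and mod_authn_file are loaded.

# Port 80 only serves the ACME challenge; everything else goes to HTTPS.
<VirtualHost *:80>
    ServerName db.example.com
    ServerAlias www.db.example.com
    DocumentRoot /var/www/subdomains/db/phpMyAdmin

    # certbot's webroot plugin writes the challenge files under
    # <DocumentRoot>/.well-known/acme-challenge/, so that prefix must stay
    # reachable over plain HTTP; redirect all other requests.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Only enable this block once the first certbot run has produced the files
# (certificate paths are certbot's usual defaults, assumed here).
<VirtualHost *:443>
    ServerName db.example.com
    ServerAlias www.db.example.com
    DocumentRoot /var/www/subdomains/db/phpMyAdmin

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/db.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/db.example.com/privkey.pem
</VirtualHost>

# Whole phpMyAdmin tree: HTTP Basic auth before the phpMyAdmin login page.
# Apache 2.4 syntax only; no Order/Allow lines (they are mod_access_compat
# directives and would be merged with Require in confusing ways).
# Indexes is dropped: directory listings are not needed for phpMyAdmin.
<Directory "/var/www/subdomains/db/phpMyAdmin">
    Options FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile "/var/www/.htpasswd-users"
    Require valid-user
</Directory>

# ACME challenge directory. Directory sections are merged from shortest to
# longest path, and with the default AuthMerging Off the Require here
# replaces the parent's Require valid-user. Only acme-challenge is opened,
# not all of .well-known.
<Directory "/var/www/subdomains/db/phpMyAdmin/.well-known/acme-challenge">
    Require all granted
</Directory>
```

With the port 80 block in place, `certbot certonly --webroot -w /var/www/subdomains/db/phpMyAdmin -d db.example.com` can pass validation without credentials, after which the port 443 block can be enabled and `apachectl configtest` run before a reload. Because the exception is scoped to `.well-known/acme-challenge` rather than `.well-known`, nothing else under that prefix is exposed, and phpMyAdmin's own login page stays behind Basic auth on both ports.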