Score:0

Path not excluded by mod_rewrite config

I am trying to roll my own vhost config to handle certbot/letsencrypt. I want to redirect anything other than requests to /.well-known to HTTPS. But the exception for .well-known is not working; requests for http://www.example.com/.well-known/ return a 301 redirect to https. I have anonymized the hostname in the code below.

Note that I came across this post/answer before posting here - and the accepted answer there describes (I believe) the first of the configurations I have tried below - which makes me think this is not a duplicate.

<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName www.example.com

    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    # RewriteRule ^(\.well-known) - [END]
    RewriteCond %{REQUEST_URI} !^\.well-known
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    # additional auth config elsewhere, hence....
    <Location /.well-known/ >
        Require all granted
    </Location>
</VirtualHost>

As indicated by the commented line above, I also tried:

    RewriteRule ^(\.well-known) - [END]
    # RewriteCond %{REQUEST_URI} !^\.well-known
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

There is no .htaccess file on the path, but just to make sure, I disabled all the rewrite instructions and got HTTP 200 responses both for /.well-known/ and other requests. I am testing using curl -I, so browser caching of 301s is not a consideration. After each change I have run a full restart of httpd, not just a reload.

This is httpd-tools-2.4.6-99 on Centos 7.

How can I override a default redirect?

Score:2

You are missing the leading /, i.e., you are using !^\.well-known instead of !^/\.well-known. It would probably be best to add the trailing /, too, to match the contents of that directory alone: !^/\.well-known/.

Still, the example on Daniel Ferradal's answer is a more correct way to achieve the same.

On the other hand, because this is for Let's Encrypt's HTTP-01 challenge, you would not need this condition at all:

Our implementation of the HTTP-01 challenge follows redirects [...] When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

Score:1

I would try to do it more simply.

With mod_alias loaded there is no need for mod_rewrite in your example (I tend not to use mod_rewrite unless it is really necessary). Also use Directory, not Location, for real directory paths, and there is no need to quote paths.

I believe a much simpler example would do what you want:

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName www.example.com

    RedirectMatch ^/(?!\.well-known)(.*) https://yourdomain.example.com/$1
    <Directory /var/www/html/.well-known>
        Require all granted
    </Directory>
</VirtualHost>
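To see why the question's pattern never exempts /.well-known and how the two answers' patterns behave, here is an added example (not code from either answer or from Apache) that evaluates each pattern against sample request paths. It assumes Python's re is close enough to Apache's PCRE for these patterns, that the HTTPS condition is always true on port 80 and can be left out, and uses the question's ServerName www.example.com as the redirect target.

```python
import re
from typing import Dict, Optional

# Constructed sample paths, as Apache presents them in %{REQUEST_URI} and in a
# VirtualHost-context RewriteRule: always with the leading "/".
SAMPLE_PATHS = [
    "/.well-known/acme-challenge/token123",  # must stay on HTTP for HTTP-01
    "/.well-known-other/file",               # similar prefix, should not be exempt
    "/index.html",                           # everything else goes to HTTPS
]

BROKEN_COND = r"^\.well-known"              # from the question: missing leading "/"
FIXED_COND = r"^/\.well-known"              # fix suggested in the accepted answer
STRICT_COND = r"^/\.well-known/"            # with the trailing "/" the answer recommends
REDIRECT_MATCH = r"^/(?!\.well-known)(.*)"  # pattern from the RedirectMatch answer
TARGET_HOST = "www.example.com"             # assumption: the question's ServerName


def rewrite_cond_redirects(request_uri: str, exempt_pattern: str) -> bool:
    """Model `RewriteCond %{REQUEST_URI} !<pattern>` followed by an unconditional
    redirect rule: the negated condition holds, so the redirect fires, exactly
    when the pattern does NOT match the URI."""
    exempt = re.search(exempt_pattern, request_uri) is not None
    return not exempt


def redirect_match_target(request_uri: str) -> Optional[str]:
    """Model `RedirectMatch ^/(?!\\.well-known)(.*) https://host/$1`. Returns the
    Location the client would receive, or None when the negative lookahead
    exempts the path and the request is served locally."""
    m = re.match(REDIRECT_MATCH, request_uri)
    if m is None:
        return None
    return f"https://{TARGET_HOST}/{m.group(1)}"


def decision_table() -> Dict[str, Dict[str, object]]:
    """Evaluate every configuration against every sample path."""
    return {
        path: {
            "broken_cond": rewrite_cond_redirects(path, BROKEN_COND),
            "fixed_cond": rewrite_cond_redirects(path, FIXED_COND),
            "strict_cond": rewrite_cond_redirects(path, STRICT_COND),
            "redirect_match": redirect_match_target(path),
        }
        for path in SAMPLE_PATHS
    }


if __name__ == "__main__":
    for path, row in decision_table().items():
        print(path, row)
```

The table shows the broken pattern redirecting the ACME path (the bug in the question), and that both `^/\.well-known` and the RedirectMatch lookahead also exempt `/.well-known-other/...`, which only the trailing-slash form excludes.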