Problem with proxy and let's encrypt (no plugin)

  • In theory, when you choose to proxy your site to another server, the strings .well-known and errors don't have to be proxied.
    I tried, but every time I choose proxy mode in imscp, it forwards all the strings, including \.well-known.


  • i-MSCP 1.3.16
    Build: 20170107
    Codename: Horner


    Steps to reproduce the problem:
    - create a new domain, don't enable the proxy now (if you set it as proxy at this stage imscp will not create the folder)
    - configure the domain as proxy vs backend application server (internet <-> imscp frontend <-> application server)
    - make a request to the configured domain like http://www.yourdomain.ltd/.well-known/acme-challenge/blablabla
    - the request will be forwarded to the application server instead of being intercepted by the imscp frontend


    If you need other information let me know, I will be glad to help you.

  • configure the domain as proxy vs backend application server (internet <-> imscp frontend <-> application server)

    We need some clarification on that part.


    Also please, what is your application server? Do you have any .htaccess file in which a ruleset is defined for the /.well-known folder?


    Thanks.


  • The backend application server is an Apache and no .htaccess is defined.


    WITH PROXY ENABLED
    [22/Mar/2017:10:31:46 +0100] "GET /.well-known/acme-challenge/thdyezcHPRcRoDk85kmPxSCCxpS2n7Pwxyn9kX0wWYc HTTP/1.1" 404 624 "-" "Mozilla/5.0


    WITHOUT PROXY
    [22/Mar/2017:10:32:38 +0100] "GET /.well-known/acme-challenge/thdyezcHPRcRoDk85kmPxSCCxpS2n7Pwxyn9kX0wWYc HTTP/1.1" 200 88 "-" "Mozilla/5.0


    The folder /.well-known/ is manually created with the permissions of the folder one level up.

  • I don't see any problem in the log. The requests always go to Apache2 (in both cases) and that is the expected behavior. So here, either you give us understandable information or we close that thread ;)


    Thank you for your understanding.


  • Yes, it is going to the Apache, but it is not going to the right folder on the imscp server.


    If I don't configure the proxy, the file from the /.well-known/ folder comes back with a 200 (success) because it resides on the imscp server in the right folder.
    If, after the test on the previous row, I configure the proxy, the call to /.well-known/ is not forwarded to the application server and comes back with a 404 (error).


    Try it yourself to see if you have the same behavior.

  • @m4rv1n00


    For the LetsEncrypt plugin, we also add the following to make it work:



    Try to do the same by adapting to your environment ;)


  • Yes, it is intercepted and blocked on forward with this:
    ProxyPassMatch ^/((?!(?:\.well-known|errors)/).*)


    but after this only errors is redirected, with this:


    Alias /errors/ /var/www/virtual/xxxxx/errors/



    I added this:


    Alias /.well-known/ /var/www/virtual/xxxxx/sub/htdocs/.well-known/
    <Directory /var/www/virtual/xxxxx/sub/htdocs/.well-known/>
        Require all granted
    </Directory>


    to make it work.


    But this has to be done manually every time because of the skeleton.


    How about including the generic alias "/.well-known/acme-challenge/" in the "installation"?
    Because as it is now, it intercepts the call to the path but goes into error if you don't have the plugin.
    I understand the plugin is enhanced, but in this case it will never work without this additional configuration because it is wrongly forbidden by ProxyPassMatch by default.

  • But this has to be done manually every time because of the skeleton.


    How about including the generic alias "/.well-known/acme-challenge/" in the "installation"?
    Because as it is now, it intercepts the call to the path but goes into error if you don't have the plugin.
    I understand the plugin is enhanced, but in this case it will never work without this additional configuration because it is wrongly forbidden by ProxyPassMatch by default.

    I think that you don't really understand the real meaning of that directive...


    The ProxyPassMatch ^/((?!(?:\.well-known|errors)/).*) {FORWARD}$1 retry=30 timeout=7200 statement simply means that for any path starting with /.well-known/ or /errors/, we don't proxy. That is the expected behavior.


    In your case, the solution is to create the .well-known folder. For instance, /var/www/virtual/%domain%/htdocs/.well-known. Then, even if you proxy requests for %domain% elsewhere, the requests with a path starting with /.well-known will be served by Apache directly. Resources will come from the /var/www/virtual/%domain%/htdocs/.well-known folder, which of course must exist. Now, if you want to automate the creation of that folder when creating new domains, you can always do the following:


    Shell-Script
    # mkdir /etc/imscp/skel/domain/htdocs/.well-known
    # mkdir /etc/imscp/skel/alias/htdocs/.well-known
    # mkdir /etc/imscp/skel/subdomain/htdocs/.well-known

    Certbot will create the acme-challenge inside the .well-known directory by itself when necessary.


    Again, that is the expected behavior. In our case, we add the alias (see my previous answer) because we use a common directory for ACME challenges. If you want to do the same (use a common directory for all ACME challenges), you must also add an alias. However, we will not add a generic alias out of the box. This is outside the concerns of the i-MSCP core.


    Thread closed.

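As an added illustration (not code from the thread or from i-MSCP), the following Python models the routing decision that the ProxyPassMatch directive above makes for a request path: the regex is the one quoted in the thread, while the forward target, document root and alias directory are assumed example values. It also shows the edge case that a path without the trailing slash, such as /.well-known, is still proxied.

```python
import re

# Negative-lookahead pattern quoted from the i-MSCP proxy vhost in the thread:
# any path that starts with /.well-known/ or /errors/ does not match and is
# therefore not proxied; everything else is forwarded as {FORWARD}$1.
PROXY_PATTERN = re.compile(r"^/((?!(?:\.well-known|errors)/).*)")

# Assumed example values (not from the page).
FORWARD = "http://10.0.0.5:8080/"                        # {FORWARD}, must end with "/"
DOCROOT = "/var/www/virtual/example.com/htdocs"           # where Apache serves locally
ALIASES = {  # mirrors "Alias /.well-known/ <common dir>/" used for a shared ACME dir
    "/.well-known/": "/var/www/virtual/example.com/sub/htdocs/.well-known/",
}


def route(path, aliases=None):
    """Return ('proxy', target_url) or ('local', filesystem_path) for a request path.

    Only the URL path component is considered, as ProxyPassMatch does; the
    query string plays no part in the decision.
    """
    m = PROXY_PATTERN.match(path)
    if m:
        # $1 is the part after the leading "/", so FORWARD must carry the slash.
        return ("proxy", FORWARD + m.group(1))
    # Not proxied: Apache serves it itself, via an Alias if one applies,
    # otherwise from the document root.
    for prefix, directory in (aliases or {}).items():
        if path.startswith(prefix):
            return ("local", directory + path[len(prefix):])
    return ("local", DOCROOT + path)


if __name__ == "__main__":
    # Constructed sample paths, including the ACME challenge shape Certbot requests.
    for p in ("/index.php", "/.well-known/acme-challenge/TOKEN",
              "/errors/404.html", "/.well-known"):
        print(p, "->", route(p), "| with alias:", route(p, ALIASES))
```

Paths served locally still need the target directory to exist, which is why the skeleton directories (or the alias) are required.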