I am trying to roll my own vhost config to handle certbot/letsencrypt. I want to redirect anything other than requests to /.well-known to HTTPS. But the exception for .well-known is not working; requests for http://www.example.com/.well-known/ return a 301 redirect to https. I have anonymized the hostname in the code below.
Note that I came across this post/answer before posting here - and the accepted answer there describes (I believe) the first of the configurations I have tried below - which makes me think this is not a duplicate.
```
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName www.example.com
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    # RewriteRule ^(\.well-known) - [END]
    RewriteCond %{REQUEST_URI} !^\.well-known
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    # additional auth config elsewhere, hence....
    <Location /.well-known/ >
        Require all granted
    </Location>
</VirtualHost>
```
As indicated by the commented line above, I also tried:
```
RewriteRule ^(\.well-known) - [END]
# RewriteCond %{REQUEST_URI} !^\.well-known
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```
There is no .htaccess file on the path, but just to make sure, I disabled all the rewrite instructions and got HTTP 200 responses both for /.well-known/ and other requests. I am testing using `curl -I`, so browser caching of 301s is not a consideration. After each change I have run a full restart of httpd, not just a reload.
This is httpd-tools-2.4.6-99 on CentOS 7.
How can I override a default redirect?
You are missing the leading `/`, i.e., you are using `!^\.well-known` instead of `!^/\.well-known`. It would probably be best to add the trailing `/`, too, to match the contents of that directory alone: `!^/\.well-known/`.
Still, the example in Daniel Ferradal's answer is a more correct way to achieve the same.
On the other hand, because this is for Let's Encrypt's HTTP-01 challenge, you would not need this condition at all:
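Added example, not part of either answer and not the configuration the sentence above introduces: a simplified Python model of the exemption logic, showing which request paths stay on plain HTTP under the question's pattern and under the two corrected patterns from this answer. The sample paths, the names `EXEMPTIONS`, `is_redirected` and `plain_http_paths`, and the reduction of both attempts to "redirect unless the pattern matches the URL-path" are assumptions of this example.

```python
import re

# Simplified model (an assumption of this example, not Apache code): inside
# <VirtualHost>, %{REQUEST_URI} and the RewriteRule input are the URL-path,
# which always begins with "/". Both attempts in the question reduce to
# "redirect to HTTPS unless the exemption pattern matches the URL-path".
# The patterns here are simple enough that Python's re behaves like PCRE.

EXEMPTIONS = {
    "question": r"^\.well-known",           # as posted: no leading slash
    "leading slash": r"^/\.well-known",     # first fix from the answer
    "both slashes": r"^/\.well-known/",     # fix plus trailing slash
}

# Constructed sample request paths, as they would arrive on port 80.
SAMPLE_PATHS = [
    "/",
    "/index.html",
    "/.well-known/",
    "/.well-known/acme-challenge/constructed-token",
    "/.well-known-backup/notes.txt",        # sibling path, not the directory
]


def is_redirected(exemption, path):
    """True when the request would get the 301 to HTTPS."""
    return re.search(exemption, path) is None


def plain_http_paths(variant):
    """Sample paths that stay on plain HTTP under the named variant."""
    pattern = EXEMPTIONS[variant]
    return [p for p in SAMPLE_PATHS if not is_redirected(pattern, p)]


if __name__ == "__main__":
    for name in EXEMPTIONS:
        print(f"{name:14} -> served over HTTP: {plain_http_paths(name)}")
```

The pattern without the trailing slash also exempts the sibling path `/.well-known-backup/notes.txt` from the HTTPS redirect, which is the case the trailing `/` closes.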
I would try to do it more simply.
With mod_alias loaded (there is no need for mod_rewrite in your example; I tend not to use mod_rewrite unless it is really necessary), and also use Directory, not Location, for real directory paths. There is also no need to quote paths.
I believe a much simpler example would do what you want: