Welcome to WebmasterWorld Guest from 188.8.131.52
184.108.40.206xx [29/Apr/2018:22:17:47 GET /.well-known/acme-challenge/_eaHuq8wjizuOgFLlkrN2gdFrCZsIRGyFZoaZbCt-N8 HTTP/1.1500 - - Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
66.198.xxx.xxx [29/Apr/2018:22:17:36 GET /.well-known/acme-challenge/1K1OVFXXN803XYUDX10QDF907RYAII0C HTTP/1.1 200 64 - Cpanel-HTTP-Client/1.0
I don't ban either IP range, nor am I consciously aware of banning the Let's Encrypt UA, or even parts of it.Irrelevant, fortunately. Or perhaps unfortunately, depending on what's ultimately going on. A ban would show up as a 403 (possibly some other 400-class error in some highly specialized circumstances); a 500 is a mistake. The question is whether it's your mistake or your host's. Does /.well-known/ live in the same place as the rest of your site, or is it aliased to some other location?
RewriteRule ^.well-known/(.*)$ - [L]Or, if you prefer,
where the first change is a non-lethal error and the second is a matter for a different thread.
RewriteRule ^\.well-known/ - [L]
RewriteRule ^.well-known/(.*)$ - [L]
What does this code do?I do this with all the sites I work on as a proactive measure so I don't have to come back and figure out any issues. It allows Let's Encrypt access so it can install the cert's private key.
What does this code do? I'm not sure what are symbolic links?Yes, more or less. The "-" here isn't really a replacement; it's a placeholder meaning “don’t change the original request” (because mod_rewrite syntax requires that you put something in the “target” position).
The rewriterule takes /.well-known/something, replaces it with "-" (pass it through unchanged?), stops processing rules and evalulate? Is that right?
Following system linksTypo for “symbolic links”, right? This directive is required in order for mod_rewrite to work as intended in htaccess. But it is inherited--i.e. it is not, in itself, a mod_rewrite directive, confusing!--so any sane host will already have the directive in the appropriate part of their config file if they allow htaccess at all.
after my other RewriteRules and before my RewriteCond, SetEnvIf and IP bansIt has to be before all other RewriteRules, or it will have no effect. That was the whole point of the rule. An [L] flag affects only mod_rewrite; it has no effect on other mods.
220.127.116.11 [05/May/2018:08:16:47 GET /.well-known/acme-challenge/j7SDCPKfpvBP3bGGYf8ylVjiyCrZ4ztfzHniQPeBu1c HTTP/1.1 200 87 - Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
18.104.22.168 [05/May/2018:08:16:47 GET /.well-known/acme-challenge/yKXs4pA_WUQycoCgzReohppBTtn-OKfubGtdU__m-CI HTTP/1.1 200 87 - Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
I see the possible hole in my htaccessThere's no possible hole caused by what I suggested. It does not *allow* anything that wasn't already allowed. It simply makes the directory easier to find by Let's Encrypt (as I said.)
@keyplyr so the RewriteRule ^.well-known/(.*)$ - [L] is not a security risk?No, as I said, it does not alter anything you already have in your htaccess.
My host provider has only allowed Let's Encrypt in and should screen out others that could use the same GET request?I think you may be misunderstanding this code. It does not "allow" anything. It just helps Let's Encrypt find the directory. The directory is hidden and is not linked from your pages. The directory is already allowed, unless you are blocking IPs & UAs from access to your site as a whole.
There's no possible hole caused by what I suggested. It does not *allow* anything that wasn't already allowed. It simply makes the directory easier to find by Let's Encrypt (as I said.)
it does not alter anything you already have in your htaccess.
Other agents need access to this directory also (read above.)