The defused trap 

<VirtualHost 88.79.251.65:443>
    ServerName www.florianheigl.me
    ServerAlias florianheigl.me
    ServerAlias *.florianheigl.me
    ServerAlias www.florianheigl.de florianheigl.de
    ServerAlias xmas.florianheigl.de xmas.florianheigl.me
 
    Use macro-baseconf floh florianheigl.me
    Use macro-sslconf www.florianheigl.me

    # Start of custom directives
    RewriteEngine On
    RewriteRule ^/touch /index.php [R=301,L]
    RewriteCond %{HTTP_HOST} xmas.florianheigl\.(de|me)$ [NC]
    RewriteCond %{REQUEST_URI} !/.well-known.* [NC]
    RewriteRule ^(.*)$ http://confluence.wartungsfenster.de/pages/viewpage.action?pageId=24838232 [L,R=301]
    # End of custom directives


</VirtualHost>

The critical line is this:

    RewriteCond %{REQUEST_URI} !/.well-known.* [NC]

Without it my SSL redirects would always send Let's Encrypt's probing to my wiki, which happily dropped a 403 for that request. Let's Encrypt's http-01 validation follows redirects, so the probe arriving on port 80 is bounced to HTTPS and, without this exclusion, on to the wiki.

The underlying config

The flow through the config is like this:

The HTTP vhost, which only redirects to HTTPS:

<VirtualHost 88.79.251.65:80>
    ServerName www.florianheigl.me
    ServerAlias florianheigl.me
    ServerAlias *.florianheigl.me
    ServerAlias www.florianheigl.de florianheigl.de
    ServerAlias xmas.florianheigl.de xmas.florianheigl.me
    Include /etc/apache2/includes/include-redirect-ssl.conf
</VirtualHost>


The redirect include, /etc/apache2/includes/include-redirect-ssl.conf:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]


The HTTPS config you already know:

<VirtualHost 88.79.251.65:443>
    ServerName www.florianheigl.me
    ServerAlias florianheigl.me
    ServerAlias *.florianheigl.me
    ServerAlias www.florianheigl.de florianheigl.de
    ServerAlias xmas.florianheigl.de xmas.florianheigl.me

    Use macro-baseconf floh florianheigl.me
    Use macro-sslconf www.florianheigl.me

    # Start of custom directives
    RewriteEngine On
    RewriteRule ^/touch /index.php [R=301,L]
    RewriteCond %{HTTP_HOST} xmas.florianheigl\.(de|me)$ [NC]
    RewriteCond %{REQUEST_URI} !/.well-known.* [NC]
    RewriteRule ^(.*)$ http://confluence.wartungsfenster.de/pages/viewpage.action?pageId=24838232 [L,R=301]
    # End of custom directives

</VirtualHost>


The macros defining the docroot and the location of the Let's Encrypt certs:

<Macro macro-baseconf $owner $domain>
    Alias /stats /var/www/sites/$owner/$domain/subdomains/www/logs
    Alias /awstats-icon /usr/share/awstats/icon
    DocumentRoot /var/www/sites/$owner/$domain/subdomains/www/html
    <Directory /var/www/sites/$owner/$domain/subdomains/www/html>
        Allow from all
    </Directory>
    AliasMatch ^/.well-known/autoconfig/mail/config-v1.1.xml$ /var/lib/dtc/etc/config-v1.1.xml
    AddDefaultCharset ISO-8859-15
    ErrorLog /var/www/sites/$owner/$domain/subdomains/www/logs/error.log
    DirectoryIndex index.php index.cgi index.pl index.htm index.html index.php4
    # letsencrypt base
    Include /etc/apache2/includes/include-http-alias.conf
</Macro>
 
<Macro macro-sslconf $domain>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt.sh/certs/$domain/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt.sh/certs/$domain/privkey.pem
</Macro>


The Let's Encrypt include for all vhosts, /etc/apache2/includes/include-http-alias.conf:

    Alias /.well-known/acme-challenge /etc/letsencrypt.sh/.well-known/acme-challenge/
    <Directory "/etc/letsencrypt.sh/.well-known/acme-challenge">
      Options None
      AllowOverride None
      #Require all granted
      #Header add Content-Type text/plain
      ForceType 'text/plain'
    </Directory>
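To make the flow concrete, here is an added Python model of the two rewrite chains above (written for this post, not part of the original config). It replays the hops an ACME http-01 probe takes through the port-80 and port-443 vhosts with and without the .well-known exclusion, and shows the xmas.* redirect and the /touch rule still working. It assumes UseCanonicalName Off (Apache's default), so %{SERVER_NAME} in the port-80 redirect takes the Host header; the probe URL and TOKEN are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Redirect target of the xmas.* rule in the post's port-443 vhost.
WIKI = "http://confluence.wartungsfenster.de/pages/viewpage.action?pageId=24838232"

# Hostnames the two vhosts answer for (ServerName plus every ServerAlias line).
OUR_HOSTS = re.compile(r"^((.*\.)?florianheigl\.me|(www\.|xmas\.)?florianheigl\.de)$", re.I)

def port80(url):
    """include-redirect-ssl.conf: anything not HTTPS goes to https://%{SERVER_NAME}/$1.
    Assumption: UseCanonicalName Off (the default), so SERVER_NAME is the Host header."""
    u = urlsplit(url)
    return None if u.scheme == "https" else "https://%s%s" % (u.hostname, u.path)

def port443(url, exclude_well_known=True):
    """The custom directives of the HTTPS vhost. None means 'served locally'."""
    u = urlsplit(url)
    if re.match(r"^/touch", u.path):                       # RewriteRule ^/touch /index.php
        return "https://%s/index.php" % u.hostname
    is_xmas = re.search(r"xmas\.florianheigl\.(de|me)$", u.hostname, re.I)
    is_acme = re.search(r"/.well-known.*", u.path, re.I)   # RewriteCond %{REQUEST_URI} !/.well-known.*
    if is_xmas and not (exclude_well_known and is_acme):
        return WIKI                                        # RewriteRule ^(.*)$ <wiki> [L,R=301]
    return None

def follow(url, exclude_well_known=True, limit=10):
    """Replay the redirect chain a validator would follow; returns every hop,
    ending where the request is finally served (our docroot or a foreign host)."""
    hops = [url]
    for _ in range(limit):
        u = urlsplit(hops[-1])
        if not OUR_HOSTS.match(u.hostname or ""):
            return hops                                    # left our server
        nxt = port80(hops[-1]) if u.scheme == "http" else port443(hops[-1], exclude_well_known)
        if nxt is None:
            return hops                                    # served by this vhost
        hops.append(nxt)
    raise RuntimeError("too many redirects")

def served_locally(url, exclude_well_known=True):
    """True when the final hop is still on one of our hostnames."""
    final = urlsplit(follow(url, exclude_well_known)[-1])
    return bool(OUR_HOSTS.match(final.hostname or ""))

if __name__ == "__main__":
    probe = "http://xmas.florianheigl.de/.well-known/acme-challenge/TOKEN"  # constructed sample
    for flag in (True, False):
        print("exclusion %s:" % ("on " if flag else "off"), " -> ".join(follow(probe, flag)))
```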