
I have a global entry

Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge/

in my apache configuration, outside any virtual host. This way, the above Alias is effective for all virtual hosts. Unfortunately, there are still virtual hosts where this does not work as intended, e.g. due to redirects, authentication requirements etc.

Is there a way to tell apache to consider this alias before even reading the configuration of the particular virtual host?

Joachim Breitner

4 Answers


You can try to add this before all your virtual host :

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

#Bypass Auth
<Directory /var/www/letsencrypt/.well-known/acme-challenge/>
Satisfy any
</Directory>

#Redirect before other rewrite rules
RewriteCond %{REQUEST_URI} /\.well\-known/acme\-challenge/
RewriteRule (.*) /.well-known/acme-challenge/$1 [L,QSA]

Froggiz
  • Well, almost. It seems that `ScriptAliasMatch /(.*) /opt/.../cgi.pl/$1` in a Virtual Host configuration still takes precedence. – Joachim Breitner Dec 20 '15 at 22:16
  • I updated the answer, I hope it'll work. By the way, I think /(.*) should be ^/(.*) to be more relevant – Froggiz Dec 21 '15 at 12:44
  • Thanks. Unfortunately, it does not; it seems that the `ScriptAliasMatch` in the `VirtualHost` section still has precedence. I also tried some variations, i.e. with or without `^`, `AliasMatch` instead of `ScriptAliasMatch`. – Joachim Breitner Dec 21 '15 at 12:51
  • What about `ScriptAlias / /opt/.../cgi.pl/` instead of your ScriptAliasMatch? It should do the same. Then, if needed, you can add `ScriptAlias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/`. It is not as I would like, but it should work in your case – Froggiz Dec 21 '15 at 13:07
  • I’ll give it a shot, but it’s definitely a divergence of my “I don’t want to touch the virtual hosts” goal. – Joachim Breitner Dec 21 '15 at 13:41
  • The Virtual Host settings still take precedence. I'll just bite the bullet and add `Alias /.well-known/acme-challenge/ ...` to the few virtual hosts that are affected by this. – Joachim Breitner Dec 21 '15 at 13:45
  • Make sure you add `ProxyPass /.well-known/acme-challenge/ !` to ignore future ProxyPass rules – Eun Nov 16 '16 at 19:50
  • "Note that rewrite configurations are not inherited by virtual hosts. This means that you need to have a RewriteEngine on directive for each virtual host in which you wish to use rewrite rules." https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html – Frederick Nord Feb 02 '17 at 21:26
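Added example, not part of Froggiz's answer: one global include that gathers the pieces this thread ends up with (the Alias, the auth bypass, Eun's ProxyPass exclusion and a mod_rewrite pass-through) and adds the Apache 2.4 forms next to the 2.2 ones. The file name, the paths and the Debian-style conf-enabled location are assumptions. Two findings from the comments still apply: a vhost's own ScriptAlias/ScriptAliasMatch for the same path wins over this global Alias, and mod_rewrite rules are not inherited, so each vhost that has its own RewriteRules must opt in with RewriteOptions InheritBefore (or carry its own pass-through rule).

```apache
# /etc/apache2/conf-enabled/acme-global.conf   (file name is an assumption)
# Loaded outside every <VirtualHost>, before the site includes.

# Serve the challenge prefix from a directory outside any DocumentRoot.
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

# Let the ACME validator read it without credentials and without .htaccess
# interference. A vhost's <Location>-scoped auth is merged after this
# <Directory> block and would still win; such hosts need their own exception.
<Directory /var/www/letsencrypt/.well-known/acme-challenge/>
    Options -Indexes
    AllowOverride None
    # Apache 2.4
    Require all granted
    # Apache 2.2 (or 2.4 with mod_access_compat): replace the Require line with
    # Order allow,deny
    # Allow from all
    # Satisfy any
</Directory>

# Keep mod_proxy from handing the prefix to a backend (Eun's comment).
# The exclusion has to be seen before a ProxyPass that would match it.
<IfModule mod_proxy.c>
    ProxyPass /.well-known/acme-challenge/ !
</IfModule>

# Stop rewriting as soon as a challenge URL is seen. mod_rewrite rules are
# not inherited by vhosts (Frederick Nord's comment), so this only reaches a
# vhost that opts in, see below.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
</IfModule>

# In each <VirtualHost> that has its own RewriteRules, pull the global rule
# in ahead of the vhost's rules (InheritBefore needs Apache 2.3.10 or later):
#
#     RewriteEngine On
#     RewriteOptions InheritBefore
```

After adding the include, run `apachectl configtest`, drop a test file into the challenge directory and request it by every vhost name, including the hosts that normally redirect or ask for a login; the ones that still answer with a redirect, a 401/403 or backend output are the ones that need a per-vhost Alias as the question's author ended up doing.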

I came across your question with the same letsencrypt acme apache alias problem. After reading through the apache documentation, I still don't understand why the global alias doesn't work as expected (according to the documentation it should).

Anyway, here is a workaround that uses RedirectMatch (which according to the documentation is evaluated before alias). It requires one additional host and one global configuration file:

  1. Create an additional (sub)domain / host that only serves acme requests, let's say "acme.mydomain.tld"
  2. Create (and enable) a global configuration that redirects all acme-requests to that host, excluding the host itself from redirection:

    <If "%{HTTP_HOST} != 'acme.mydomain.tld'">
        RedirectMatch "^/.well-known/(.*)$" "http://acme.mydomain.tld/.well-known/$1"
    </If>

This works for all my VirtualHosts which had problems with the old alias approach.

ChristophK
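Added example, not part of ChristophK's answer: both configuration pieces the workaround needs, written out. The host name and the redirect are the answer's; the file names, the DocumentRoot and the log paths are assumptions. The approach relies on the ACME HTTP-01 validator following HTTP redirects, and on the dedicated host carrying none of the redirect, rewrite or auth rules that broke the Alias approach on the other vhosts.

```apache
# --- /etc/apache2/conf-enabled/acme-redirect.conf (global, outside any vhost) ---
# <If> is evaluated per request and merged after <Directory>/<Location>
# sections, so a vhost's Alias, ScriptAlias or auth settings cannot shadow it.
# The dot in the pattern is escaped here; the answer's unescaped form also matches.
<If "%{HTTP_HOST} != 'acme.mydomain.tld'">
    RedirectMatch "^/\.well-known/(.*)$" "http://acme.mydomain.tld/.well-known/$1"
</If>

# --- /etc/apache2/sites-enabled/acme.conf: the one host that serves the tokens ---
<VirtualHost *:80>
    ServerName acme.mydomain.tld

    # The ACME client writes its tokens below this directory
    # (e.g. certbot --webroot -w /var/www/letsencrypt); path assumed.
    DocumentRoot /var/www/letsencrypt

    <Directory /var/www/letsencrypt>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Nothing but challenge files lives here, so every other path is a 404.
    # Keep this host free of RewriteRules, authentication and https redirects.
    ErrorLog  /var/log/apache2/acme_error.log
    CustomLog /var/log/apache2/acme_access.log combined
</VirtualHost>
```

Because every hostname's challenge requests end up on this one host, the ACME client can use the same webroot for all domains; the dedicated access log also makes it easy to see the validator's requests and to confirm that nothing else is being served from that host.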

According to Apache 2.4 documentation you have these options:

There are two basic types of containers. Most containers are evaluated for each request. The enclosed directives are applied only for those requests that match the containers. The <IfDefine>, <IfModule>, and <IfVersion> containers, on the other hand, are evaluated only at server startup and restart. If their conditions are true at startup, then the enclosed directives will apply to all requests. If the conditions are not true, the enclosed directives will be ignored.

Maybe you can give it a try using one of the containers mentioned above and add the alias that you need to apply globally for all requests. See details here: https://httpd.apache.org/docs/2.4/sections.html#mergin.

Diamond

I handled the issue with a global alias

Create a global config

Alias /.well-known/acme-challenge/ /my-acme-challenge-directory