1

I will freely admit my ignorance - or perhaps enough knowledge to be dangerous.

I have a subdomain http://db.<mydomain>.com that serves the phpMyAdmin utility. It's currently in a directory with an Apache directive to require a valid-user from .htaccess which made sense at the time, because I don't want to expose the phpMyAdmin login page to the general public.

The problem this created was when trying to use cert-bot to create SSL certs for my site: it can't validate the ACME challenge because the challenge can't get past the .htaccess restriction.

How can I simultaneously serve this subdomain over https while also requiring an additional layer of security before a user can see the phpMyAdmin login page?

    <VirtualHost *:80>
        ServerName db.<mydomain>.com
        ServerAlias www.db.<mydomain>.com
        DocumentRoot /var/www/subdomains/db/phpMyAdmin
    </VirtualHost>
    <Directory "/var/www/subdomains/db">
        Options Indexes FollowSymLinks ExecCGI
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthUserFile "/var/www/.htpasswd-users"
        require valid-user
    </Directory>

3 Answers

2

There are at least three ways to solve this:

  1. Use the DNS challenge, requiring no HTTP connection
  2. Disable basic auth for the .well-known/ path which is used by certbot.
  3. Use the standalone module of certbot. This will lead to 10-20 seconds of downtime
vidarlo
  • 9,165
0

One possible way is to add access restrictions for the virtual host like this:

<Directory "/www/docs/db">
    <RequireAll>
        Require ip <localip> <certbot host-name>
    </RequireAll>
</Directory>

For more information about the Require directive you can visit the Apache docs.

Romeo Ninov
  • 5,932
    LE doesn't publish the IPs they come from, and they publicly state the addresses are subject to change without notice. This is mentioned in their FAQ under "What IP addresses does Let's Encrypt use to validate my web server?" – vidarlo Dec 01 '22 at 18:41
  • @vidarlo, hostname is also acceptable in this case. – Romeo Ninov Dec 01 '22 at 18:51
  • They don't use reverse DNS either. There's simply no reliable way to whitelist them based on address. In addition, there's no reason to do it this way. – vidarlo Dec 01 '22 at 18:53
0
<Directory "/var/www/subdomains/db">
    Options Indexes FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthUserFile "/var/www/.htpasswd-users"
    require valid-user
</Directory>

You should remove the Order and Allow directives. These are the old-style Apache 2.2 directives and are formally deprecated on Apache 2.4 and are likely to cause conflicts (but they aren't required anyway).

Although I'm curious why you have a <Directory> section for /var/www/subdomains/db, yet the DocumentRoot is defined as /var/www/subdomains/db/phpMyAdmin?

Then add an additional <Directory> section for the /.well-known/ file-path in which you allow unrestricted access, so that certbot can "validate the ACME challenge". For example:

<Directory "/var/www/subdomains/db/phpMyAdmin/.well-known">
    Require all granted
</Directory>
MrWhite
  • 13,016
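Putting option 2 from the first answer and the .well-known exception from the last answer together, here is a complete vhost pair as an added example (not configuration from the question or any of the answers). It assumes the paths from the question, that mod_ssl and mod_rewrite are enabled, and the default certificate paths certbot writes under /etc/letsencrypt/live/; <mydomain> stays a placeholder.

```apache
# Port 80 serves only the ACME challenge path (open to everyone, as the
# validation server cannot send credentials) and redirects everything else
# to https, so the phpMyAdmin login page is never reachable in plaintext.
<VirtualHost *:80>
    ServerName db.<mydomain>.com
    ServerAlias www.db.<mydomain>.com
    DocumentRoot /var/www/subdomains/db/phpMyAdmin

    # certbot --webroot writes its tokens under <DocumentRoot>/.well-known/acme-challenge/
    <Directory "/var/www/subdomains/db/phpMyAdmin/.well-known/acme-challenge">
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName db.<mydomain>.com
    # Keep the alias only if the certificate was issued for this name as well.
    ServerAlias www.db.<mydomain>.com
    DocumentRoot /var/www/subdomains/db/phpMyAdmin

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/db.<mydomain>.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/db.<mydomain>.com/privkey.pem

    # Basic auth in front of the phpMyAdmin login page, Apache 2.4 syntax only
    # (no Order/Allow). AuthName is required for AuthType Basic to work.
    <Directory "/var/www/subdomains/db/phpMyAdmin">
        Options FollowSymLinks
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile "/var/www/.htpasswd-users"
        Require valid-user
    </Directory>

    # Renewals may also be validated over https after the redirect; the more
    # specific <Directory> below overrides "Require valid-user" for this path.
    <Directory "/var/www/subdomains/db/phpMyAdmin/.well-known/acme-challenge">
        Require all granted
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, a request for `/.well-known/acme-challenge/anything` on port 80 should return 404 rather than 401, while `/` on port 443 should prompt for credentials.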