
I will freely admit my ignorance - or perhaps enough knowledge to be dangerous.

I have a subdomain http://db.<mydomain>.com that serves the phpMyAdmin utility. It's currently in a directory with an Apache directive to require a valid-user from .htaccess, which made sense at the time, because I don't want to expose the phpMyAdmin login page to the general public.

The problem this created is that when I try to use certbot to create SSL certs for my site, it can't validate the ACME challenge because the challenge can't get past the .htaccess restriction.

How can I simultaneously serve this subdomain over https while also requiring an additional layer of security before a user can see the phpMyAdmin login page?

    <VirtualHost *:80>
        ServerName db.<mydomain>.com
        ServerAlias www.db.<mydomain>.com
        DocumentRoot /var/www/subdomains/db/phpMyAdmin
    </VirtualHost>
    <Directory "/var/www/subdomains/db">
        Options Indexes FollowSymLinks ExecCGI
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthUserFile "/var/www/.htpasswd-users"
        require valid-user
    </Directory>
Eddie Rowe

There are at least three ways to solve this:

  1. Use the DNS challenge, requiring no HTTP connection
  2. Disable basic auth for the .well-known/ path, which is used by certbot.
  3. Use the standalone module of certbot. This will lead to 10-20 seconds of downtime
vidarlo

One possible way is to add access restrictions for the virtual host like this:

<Directory "/www/docs/db">
    <RequireAll>
        Require ip <localip> <certbot host-name>
    </RequireAll>
</Directory>

For more information about the Require directive, see the Apache docs.

Romeo Ninov
    LE doesn't publish the IPs they come from, and they publicly state the addresses are subject to change without notice. This is mentioned in [their FAQ](https://letsencrypt.org/docs/faq/) under *What IP addresses does Let’s Encrypt use to validate my web server?* – vidarlo Dec 01 '22 at 18:41
  • @vidarlo, hostname is also acceptable in this case. – Romeo Ninov Dec 01 '22 at 18:51
  • They don't use reverse DNS either. There's simply no reliable way to whitelist them based on address. In addition, there's no reason to do it this way. – vidarlo Dec 01 '22 at 18:53
<Directory "/var/www/subdomains/db">
    Options Indexes FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthUserFile "/var/www/.htpasswd-users"
    require valid-user
</Directory>

You should remove the Order and Allow directives. These are the old-style Apache 2.2 directives and are formally deprecated on Apache 2.4 and are likely to cause conflicts (but they aren't required anyway).

Although I'm curious why you have a <Directory> section for /var/www/subdomains/db, yet the DocumentRoot is defined as /var/www/subdomains/db/phpMyAdmin?

Then add an additional <Directory> section for the /.well-known/ file-path in which you allow unrestricted access - so the certbot can "validate the ACME challenge". For example:

<Directory "/var/www/subdomains/db/phpMyAdmin/.well-known">
    Require all granted
</Directory>
MrWhite
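The layout MrWhite describes, written out as a complete pair of virtual hosts (an added example, not code from any answer here). It uses a <Location> section for the challenge path rather than a <Directory> section, so the ACME challenge is the only thing reachable without a password and is reachable over plain HTTP, while everything else is redirected to HTTPS before Basic auth ever asks for credentials (Basic auth over port 80 would send the password in clear text). The certificate paths, the AuthName, and the use of certbot's webroot plugin pointed at the DocumentRoot are assumptions.

```apache
# Added example, not part of any answer above. Assumed: certbot's webroot plugin
# with the webroot set to the DocumentRoot, and Let's Encrypt's default
# certificate paths under /etc/letsencrypt/live/. Requires mod_ssl and mod_rewrite.
<VirtualHost *:80>
    ServerName db.<mydomain>.com
    ServerAlias www.db.<mydomain>.com
    DocumentRoot /var/www/subdomains/db/phpMyAdmin

    # HTTP-01 validation fetches /.well-known/acme-challenge/<token> over plain
    # HTTP without credentials, so this one path is explicitly open to everyone.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>

    # Everything else is redirected to HTTPS so Basic-auth credentials are
    # never sent in clear text.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName db.<mydomain>.com
    ServerAlias www.db.<mydomain>.com
    DocumentRoot /var/www/subdomains/db/phpMyAdmin

    SSLEngine on
    # The certificate must cover every name served here (db. and www.db.).
    SSLCertificateFile    /etc/letsencrypt/live/db.<mydomain>.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/db.<mydomain>.com/privkey.pem

    <Directory "/var/www/subdomains/db/phpMyAdmin">
        # Apache 2.4 syntax only (no Order/Allow); phpMyAdmin needs neither
        # directory listings nor CGI.
        Options -Indexes +FollowSymLinks
        AuthType Basic
        AuthName "Database administration"
        AuthUserFile "/var/www/.htpasswd-users"
        Require valid-user
    </Directory>

    # Keep the exception here too: Location sections are merged after Directory
    # sections, so this overrides valid-user for the challenge path only.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</VirtualHost>
```

Run `apachectl configtest` before reloading, then confirm that `curl -I http://db.<mydomain>.com/.well-known/acme-challenge/test` returns 404 rather than 401 or a redirect, while `curl -I https://db.<mydomain>.com/` returns 401.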