Make a Site Private but Allow Let's Encrypt

This post is quite old, and may not be up-to-date or maintained. Please take the information here with a grain of salt.

This is something I have wanted to do for some time. I run a number of sites for internal use that I wanted to get certificates for via Let's Encrypt, but I also wanted to keep them restricted to only a few IP addresses. The solution is simple: Let's Encrypt only needs to reach the challenge files it asks the web server to serve, so everything else can stay locked down.

We accomplish this with two .htaccess files: one at the site root that restricts which IP addresses can access the site, and a second that lifts that restriction on the directory where the Let's Encrypt challenge files are stored.

The first file lives at the document root and looks like this (these are the Apache 2.2-style access directives; on Apache 2.4 they only work if mod_access_compat is loaded):

Order Deny,Allow
Deny from all

# Replace this placeholder with the IP address you want to allow. Add one line per address.
Allow from 111.22.33.44

The second file lives in .well-known, which is where Virtualmin stores the challenge files that Let's Encrypt fetches to verify that you control the domain:

Order Deny,Allow
Allow from all

Since the only things that live under .well-known are the challenge files, the rest of the site stays protected. Two caveats: the Allow from all applies to everything under .well-known, including any subdirectory you add later, so do not put anything sensitive there; and the allowlist is matched against the client address Apache sees, so behind a reverse proxy or CDN you would be allowing the proxy's address rather than your own.
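The same two files written with the Apache 2.4 access directives, as an added example that is not part of the original post. The document root path, the addresses and the network ranges are placeholders. Besides the newer syntax, this version narrows the exception to the acme-challenge subdirectory rather than all of .well-known, and shows that ranges and IPv6 addresses can be allowed too.

```apache
# /var/www/example/public_html/.htaccess   (document root; path is a placeholder)
# Apache 2.4 equivalent of "Order Deny,Allow / Deny from all / Allow from ...".
# Anything not matched by a Require line is refused with 403.
<RequireAny>
    Require ip 111.22.33.44
    # One line per address or network; CIDR and IPv6 are accepted.
    Require ip 192.0.2.0/24
    Require ip 2001:db8::/32
</RequireAny>
```

```apache
# /var/www/example/public_html/.well-known/acme-challenge/.htaccess
# Opens only the HTTP-01 challenge path, not every other well-known URI.
# Require in a subdirectory replaces the parent's rule for this directory.
Require all granted
```

If your ACME client deletes and recreates the acme-challenge directory on each renewal, the second file may disappear with it; in that case keep the exception one level up in .well-known as the post does, or put it in the virtual host configuration as a <Directory> block instead of a .htaccess file. Do not mix the old Order/Allow/Deny directives with Require in the same configuration, since their results are combined in ways that are easy to get wrong.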