pfSense lighttpd access control

In a previous post I configured lighttpd to serve proxy.pac files on my pfSense box. Turns out by doing this, I broke the acme.sh package because I was blocking external access to port 80 (because no one needs my PAC file… or something else I break.)

Add the following line anywhere in /usr/local/etc/lighttpd/lighttpd.conf:

include "/usr/local/etc/lighttpd/block-notacme.conf"

Edit the file: sudo vi /usr/local/etc/lighttpd/block-notacme.conf

And add the following contents:

# Anything outside the ACME HTTP-01 challenge directory is subject to the source check.
$HTTP["url"] !~ "^/\.well-known/acme-challenge/.*" {
        # Anchored on purpose: !~ is an unanchored regex match, so a bare "10\..*"
        # would also accept 110.x.x.x or 192.168.10.x. Only 10.0.0.0/8 should pass.
        $HTTP["remoteip"] !~ "^10\." {
                url.access-deny = ("")
        }
}

Once done, check the syntax with lighttpd -t -f /usr/local/etc/lighttpd/lighttpd.conf, then restart the lighttpd service (sudo service lighttpd restart).

I’m sure this is a terrible way of doing it - but it’s up to you to make a better one if you can find it :)

In short, the outer condition matches every request whose path is not under /.well-known/acme-challenge/; for those requests the inner condition checks the source IP, and if it is not in 10.0.0.0/8 the request is denied (lighttpd answers with 403). One thing to watch: =~ and !~ are regular-expression matches that are not anchored on their own, so the source-address pattern has to start with ^; a bare "10\..*" would also let 110.x.x.x or 192.168.10.x through.
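To see the two nested conditionals as a decision table, here is an added Python model of the rule (not part of the original post, and not lighttpd code): it reproduces the URL check and the source check, runs both over a handful of constructed sample requests, and puts the post's unanchored source pattern side by side with an anchored one and a proper CIDR membership test. All function names are hypothetical; the two regexes are the ones from the config fragment.

```python
import ipaddress
import re

# Added example (not from the post): a Python model of the two nested
# lighttpd conditionals, run over constructed sample requests.

# Requests under this path must stay reachable from anywhere so acme.sh
# can answer the HTTP-01 challenge.
ACME_URL_RE = re.compile(r"^/\.well-known/acme-challenge/.*")

# Three ways of writing "is the client on 10.0.0.0/8?":
LOOSE_IP_RE = re.compile(r"10\..*")              # the post's pattern, unanchored
ANCHORED_IP_RE = re.compile(r"^10\.")            # anchored regex
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/8")  # proper CIDR membership


def is_acme_url(path: str) -> bool:
    return ACME_URL_RE.match(path) is not None


def on_lan_loose(remote_ip: str) -> bool:
    # lighttpd's =~ / !~ match anywhere in the string, like re.search,
    # so "110.1.2.3" and "192.168.10.5" both satisfy "10\..*".
    return LOOSE_IP_RE.search(remote_ip) is not None


def on_lan_anchored(remote_ip: str) -> bool:
    return ANCHORED_IP_RE.search(remote_ip) is not None


def on_lan_cidr(remote_ip: str) -> bool:
    # A malformed address raises ValueError on purpose: garbage must not
    # quietly become "allowed". IPv6 clients are never inside an IPv4 /8.
    return ipaddress.ip_address(remote_ip) in ALLOWED_NET


def decide(path: str, remote_ip: str, on_lan=on_lan_cidr) -> str:
    """Mirror the nested conditionals and return 'allow' or 'deny'."""
    if is_acme_url(path):
        return "allow"          # outer $HTTP["url"] !~ ... block not entered
    if on_lan(remote_ip):
        return "allow"          # inner $HTTP["remoteip"] !~ ... block not entered
    return "deny"               # url.access-deny = ("") applies (403)


# Constructed sample requests using documentation-range addresses.
SAMPLE_REQUESTS = [
    ("/.well-known/acme-challenge/token123", "203.0.113.5"),  # CA validator
    ("/proxy.pac", "10.1.2.3"),                                # LAN client
    ("/proxy.pac", "203.0.113.5"),                             # Internet
    ("/proxy.pac", "110.1.2.3"),                               # Internet, contains "10."
    ("/proxy.pac", "192.168.10.5"),                            # not 10/8, contains "10."
    ("/proxy.pac", "2001:db8::1"),                             # IPv6, never in 10/8
]


def compare_checks():
    """Return {(path, ip): (loose, anchored, cidr)} decisions for the samples."""
    return {
        (path, ip): (
            decide(path, ip, on_lan_loose),
            decide(path, ip, on_lan_anchored),
            decide(path, ip, on_lan_cidr),
        )
        for path, ip in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for (path, ip), (loose, anchored, cidr) in compare_checks().items():
        print(f"{path:40} {ip:15} loose={loose:5} anchored={anchored:5} cidr={cidr}")
```

The loose column is the one to look at: with the post's original pattern, 110.1.2.3 and 192.168.10.5 are treated as LAN clients, while the anchored pattern and the CIDR test agree with what the rule is meant to do. The ACME row is allowed in every column because the outer condition is never entered for that path.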

To make sure you've fixed it, test from outside your network (an online curl service is a pretty reliable way of doing a remote request against things): a request for /proxy.pac should come back 403 Forbidden, while a request for a path under /.well-known/acme-challenge/ should not be blocked (expect a 404 rather than a 403 when no challenge is pending). Then confirm a LAN client can still fetch the PAC file.

#pfsense #lighttpd #security