pfSense lighttpd access control

In a previous post I configured lighttpd to serve proxy.pac files on my pfSense box. Turns out by doing this, I broke the package because I was blocking external access to port 80 (because noone needs my PAC file… or something else I break.)

Add the following line anywhere in /usr/local/etc/lighttpd/lighttpd.conf:

include "/usr/local/etc/lighttpd/block-notacme.conf"

Edit the file: sudo vi /usr/local/etc/lighttpd/block-notacme.conf

And add the following contents:

$HTTP["url"] !~ "^/\.well-known/acme-challenge/.*" {
        $HTTP["remoteip"] !~ "10\..*" {
                url.access-deny = ("")

Once done, restart the lighttpd service (sudo service lighttpd restart)

I’m sure this is a terrible way of doing it - but it’s up to you to make a better one if you can find it :)

In short, it matches on every request, and if the url’s not the ACME-renewal one, it checks the source IP. If the source IP doesn’t match then it’ll deny access.

To make sure you’ve fixed it, use online curl to test your site - it’s a pretty reliable way of doing a remote curl request against things :)

#pfsense #lighttpd #security