I have a Nginx server, and disabled hidden files in the nginx_vhost.conf
## Disable .htaccess and other hidden files location ~ /\. { deny all; access_log off; log_not_found off; } But LetsEncrypt needs access to the .well-known directory.
How do I allow the .well-known directory and deny the other hidden files?
The other solutions did not helped me.
My solution is to include a negative regex for .well-known. Your code block should look like this then:
## Disable .htaccess and other hidden files location ~ /\.(?!well-known).* { deny all; access_log off; log_not_found off; } It will block every dot file except the ones starting with .well-known
P.S.: I would also add return 404; to the block.
location ~* /\.(?!well-known\/) { as seen at github.com/h5bp/server-configs-nginx/blob/master/h5bp/location/… identical to this location ~ /\.(?!well-known).* { ? /\.(?!well-known\/) is not as expressive as my regex (because I block all dot files except well-known by definition). Maybe the best would be a combination like location ~ /\.(?!well-known\/).* which unblocks only the well-known directory instead also a theoretical .well-known-blabla. But I think there is no real danger in not blocking a theoretic .well-known-blabla file. Nginx applies locations with regular expressions in the order of their appearance in the configuration file.
Therefore, adding an entry like this just before your current location it will help you.
location ~ /\.well-known { allow all; } 
location ~ /\.well-known {. Either way, this should be the accepted answer. I've provided a full step by step tutorial on how to use Let's Encrypt with NGINX on my website.
The key parts are:
You don't need listeners in your https block at all, it's all done on https. This is only to prove you control the domain, it's not serving anything private or secret.
# Answer let's encrypt requests, but forward everything else to https server { listen 80; server_name example.com www.example.com access_log /var/log/nginx/access.log main; # Let's Encrypt certificates with Acmetool location /.well-known/acme-challenge/ { alias /var/www/.well-known/acme-challenge/; } location / { return 301 https://www.example.com$request_uri; } } Full step by step guide linked above.
Add this (before or after):
location ^~ /.well-known/ { log_not_found off; } You can add this also at bottom, because the matching ^~ modifier takes precedence over regular expressions. See the the docs.
If you have lots of config files and they already contain a deny on .htaccess like
location ~ /\.ht { deny all; } then instead of ignoring all dot files, you can simply add a second ignore for .git with
sed -i '/location ~ \/\\.ht { deny all; }/a \ location ~ \/\\.git { deny all; }' /etc/nginx/* Actually this worked for me:
location ~ ^/?\.well-known/acme-challenge/ { try_files $uri =404; } location ~ /\. { deny all; } And the order is very important, so "location ~ /\." block has to be last, or the other way around the "location ~ ^/?\.well-known/acme-challenge/" has to be first !
That option from Nginx doc location page, by adding "^" before "~" (e.g.: "location ^~ ^/?\.well-known/acme-challenge/") didn't worked for me, no matter the order :(
And if you wish you can also add those options from the author question:
access_log off; log_not_found off; 
.htaccessfiles. It has configuraiton files but they aren't called.htaccess, nor do they work the same.