reject_bots: allow .well-known unconditionally
authorEric Wong <e@80x24.org>
Tue, 2 Sep 2025 20:30:13 +0000 (20:30 +0000)
committerEric Wong <e@80x24.org>
Sat, 6 Sep 2025 18:36:08 +0000 (18:36 +0000)
Allowing */.well-known/* allows Let's Encrypt (and likely
similar) services to access static files for ACME validation
during the automated TLS certificate renewal process.

contrib/RejectBots.pm

index fdfd41a53aea34e1a7e0434a2a5eb3e1c692d70c..3bd01c8400eb53886456a97d5485452096ca5d72 100644 (file)
@@ -23,7 +23,7 @@ sub call {
        my $ua = $env->{HTTP_USER_AGENT} // '';
        return [ 403, [], [] ] if $ua =~ /$bad_ua/o;
        my $uri;
-       if ($env->{PATH_INFO} !~ /\.css\z/ &&
+       if ($env->{PATH_INFO} !~ m!(?:/\.well-known/|\.css\z)! &&
                        $ua =~ m!\A(?:Mozilla|Opera)/! &&
                        defined($uri = $env->{REQUEST_URI}) &&
                        ($env->{HTTP_REFERER} // '') !~ /\Q$uri\E\z/ &&
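Review bot: The `/\.well-known/` alternative on the added line is unanchored, so any PATH_INFO containing that segment at any depth skips the browser-UA/Referer check that follows, not only a top-level validation path. The `*/.well-known/*` in the commit message suggests this is deliberate, but if only root-level paths need the exemption, anchoring keeps it as narrow as the stated purpose: `if ($env->{PATH_INFO} !~ m!(?:\A/\.well-known/|\.css\z)! &&`. Either way, a comment above the condition such as `# /.well-known/ is exempt so ACME validators can fetch challenge files` would record why the exemption exists. The `$bad_ua` rejection earlier in the hunk still runs first, so the exemption is unconditional only with respect to the Referer check; a validator whose User-Agent matched `$bad_ua` (not visible here) would still get a 403. The `if` condition continues past the end of the hunk.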