From 6f4142685f37e33a0488b030069dd0602ab2cba1 Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Tue, 2 Sep 2025 20:30:13 +0000
Subject: [PATCH] reject_bots: allow .well-known unconditionally

Allowing */.well-known/* allows Let's Encrypt (and likely
similar) services to access static files for ACME validation
during the automated TLS certificate renewal process.
---
 contrib/RejectBots.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/RejectBots.pm b/contrib/RejectBots.pm
index fdfd41a53..3bd01c840 100644
--- a/contrib/RejectBots.pm
+++ b/contrib/RejectBots.pm
@@ -23,7 +23,7 @@ sub call {
 	my $ua = $env->{HTTP_USER_AGENT} // '';
 	return [ 403, [], [] ] if $ua =~ /$bad_ua/o;
 	my $uri;
-	if ($env->{PATH_INFO} !~ /\.css\z/ &&
+	if ($env->{PATH_INFO} !~ m!(?:/\.well-known/|\.css\z)! &&
 			$ua =~ m!\A(?:Mozilla|Opera)/! &&
 			defined($uri = $env->{REQUEST_URI}) &&
 			($env->{HTTP_REFERER} // '') !~ /\Q$uri\E\z/ &&
-- 
2.47.3