ReverseProxy to exclude ^/.well-known ?

23 November 2018, 22:46
I've got a vhost currently configured as:

VirtualHost {
    Hostname =,
    Alias = /.well-known:/var/www/well-known
    EnforceFirstHostname = yes
    WebsiteRoot = /var/www/null
    ReverseProxy .* http://localhost:3000/
}

The Alias entry works for other subdomains I've configured,

(interestingly, vhosts do NOT inherit Alias entry from the default/top-level config — I have to insert it manually into every vhost. Which I guess makes sense for purposes other than ACME auth, but is still a bit annoying; is there any "HeritableAlias" or something like that? But this is tangential so feel free to ignore this whole parenthetical.)

However, in this case the ReverseProxy matching has a higher priority than the Alias matching (which makes sense on a number of levels; given that regexes are the more flexible mechanism, it excludes no use-cases this way). However, I can't seem to get it to agree with my regex for "every string which does not start with forward-slash-dot-well-space-known":

ReverseProxy (?!^/\.well-known).* http://localhost:3000/

yields "Syntax error in vhosts.conf.d/git.conf on line 6." (I have tried placing the caret both inside and outside the parenthesis, to no avail.)

According to most sources, this is the way to go about this; however, given that Hiawatha includes some convenience modifications to regexes already, am I just missing something?
23 November 2018, 22:47
> forward-slash-dot-well-space-known

Meant this to be "forward-slash-dot-well-hyphen-known", but I guess that's clear.
Hugo Leisink
23 November 2018, 22:55
The /.well-known directory is ignored by Hiawatha's reverse proxy, as it is used to obtain a Let's Encrypt certificate.
23 November 2018, 22:55
Other failed attempts:

23 November 2018, 22:58
> The /.well-known directory is ignored by Hiawatha's reverse proxy

I believe this is false!

[screenshot: external image]
23 November 2018, 23:26
To clarify the above screenshot:

  • Gitea is running ON the localhost port 3000; it is a self-contained webapp monolith written in Go, for which Hiawatha is merely an ALG to provide SSL and other stuff like shared port.
  • /var/www/well-known/index.html has been filled with an empty file, which IS loaded by other vhosts for the same path.
  • Just now, I tried replacing "git.www" in the above screenshot with a different subdomain for a "truly-Hiawatha-served"/non-proxied vhost, and the blank page WAS displayed. (server is still running the git.conf from the OP; I've just been testing these changes with hiawatha -k)
  • Therefore I think the only reasonable assumption is that the ReverseProxy IS INDEED grabbing / not-ignoring the ^/\.well-known stuff.
24 November 2018, 17:21
I mean, this isn't a blocker, since I can always just either DNS-verify or else schedule downtime; but I really do want to emphasise the fact that the above screenshot is extremely strong evidence that the following statement is false:

> The /.well-known directory is ignored by Hiawatha's reverse proxy

and I still haven't got the Regex to actually ignore it working yet.
Hugo Leisink
24 November 2018, 20:50
Oh, you're right. It's /.well-known/acme-challenge/ that Hiawatha ignores. Anyway, files that start with a dot are 'hidden' files in Unix, so Hiawatha ignores them. Try AllowDotFiles = yes.
25 November 2018, 21:45
> It's /.well-known/acme-challenge/ that Hiawatha ignores.

Ah, it looks like that, however, is true!

∴ I didn't even need to change the regex from match-all in the first place.

P.S., this isn't documented; I'll send a pull request in a few.

P.P.S., THOUGH, setting aside the A-B problem at play: I'm now/still curious as to the original question as stated:

What WAS wrong with my regex; what IS in fact the appropriate expression for Hiawatha to ReverseProxy all paths NOT starting with a given pattern?
Hugo Leisink
29 November 2018, 20:24
Try this
ReverseProxy !^/somepath/ http://localhost:3000/
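Putting the thread's conclusions together, here is the OP's vhost from the first post rewritten with Hugo's two suggestions (AllowDotFiles and the `!` pattern negation). This is an added example, not a config posted in the thread or shipped by the Hiawatha project; the hostname is a placeholder, since the OP redacted theirs.

```conf
# Added example: the OP's vhost, corrected per the thread. Not from the thread
# or the Hiawatha project. Hostname is a placeholder; paths and backend port
# are the OP's own.
VirtualHost {
    # Placeholder; the OP redacted the real hostname.
    Hostname = git.example.com
    EnforceFirstHostname = yes
    WebsiteRoot = /var/www/null

    # Serve ACME challenge files from disk. Alias is not inherited from the
    # default host (as the OP found), so it is repeated in every vhost.
    Alias = /.well-known:/var/www/well-known

    # Names beginning with a dot are hidden files to Hiawatha and are not
    # served unless this is enabled (Hugo's second suggestion).
    AllowDotFiles = yes

    # The OP's attempt, which the config parser rejects as a syntax error:
    # ReverseProxy (?!^/\.well-known).* http://localhost:3000/

    # Proxy everything except paths under /.well-known/ to Gitea. The leading
    # '!' is Hiawatha's own negation of the pattern, replacing the regex
    # negative lookahead. Hiawatha already exempts /.well-known/acme-challenge/
    # from proxying, so the negation only matters for anything else that is
    # placed under /.well-known/.
    ReverseProxy !^/\.well-known/ http://localhost:3000/
}
```

Check the file with `hiawatha -k` before reloading, as the OP did; a pattern the parser does not accept is reported with the offending line number.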
This topic has been closed.