[GH-ISSUE #47] Restrict registration #14

New issue

Closed

opened 2026-03-13 15:21:40 +03:00 by kerem · 3 comments

kerem commented

2026-03-13 15:21:40 +03:00

Owner

Originally created by @MrBMT on GitHub (Mar 1, 2018).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/47

Given that this DNS server is going to be used to authorise requests for SSL infrastructure, it would be nice to be able to restrict registration requests being sent to the server.

~~The ability to set a password in the configuration, then have this checked when registration requests are made to the server then deny them if incorrect/not provided would be pretty great.~~

If it would be possible to add an option to disable registration, it'd be appreciated.

Thanks in advance for your consideration.

Originally created by @MrBMT on GitHub (Mar 1, 2018). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/47 Given that this DNS server is going to be used to authorise requests for SSL infrastructure, it would be nice to be able to restrict registration requests being sent to the server. ~~The ability to set a password in the configuration, then have this checked when registration requests are made to the server then deny them if incorrect/not provided would be pretty great.~~ If it would be possible to add an option to disable registration, it'd be appreciated. Thanks in advance for your consideration.

kerem

2026-03-13 15:21:40 +03:00

closed this issue
added the
feature request
label

kerem commented

2026-03-13 15:21:56 +03:00

Author

Owner

@Yannik commented on GitHub (Mar 2, 2018):

From a security standpoint, you'll probably run acme-dns in docker + a reverse proxy anyway.
You can just add basic auth to your reverse proxy. I don't think bloating acme-dns with things like this makes alot of sense.

This is an example for apache2.4:

    ProxyPass / http://localhost:4000/ Keepalive=On
    ProxyPassReverse / http://localhost:4000/
   <Proxy *>
           Order deny,allow
           Allow from all
           Authtype Basic
           Authname "Password Required"
           AuthUserFile /var/lib/acme-dns/htpasswd
           Require valid-user
   </Proxy>

Apart from that, no one in their right mind would delegate their challenges to an untrusted server anyway, so this is not a very big issue IMO. (But of course, using basic auth does make sense because it prevents abuse).

@Yannik commented on GitHub (Mar 2, 2018): From a security standpoint, you'll probably run acme-dns in docker + a reverse proxy anyway. You can just add basic auth to your reverse proxy. I don't think bloating acme-dns with things like this makes alot of sense. This is an example for apache2.4: ``` ProxyPass / http://localhost:4000/ Keepalive=On ProxyPassReverse / http://localhost:4000/ <Proxy *> Order deny,allow Allow from all Authtype Basic Authname "Password Required" AuthUserFile /var/lib/acme-dns/htpasswd Require valid-user </Proxy> ``` Apart from that, no one in their right mind would delegate their challenges to an untrusted server anyway, so this is not a very big issue IMO. (But of course, using basic auth does make sense because it prevents abuse).

kerem commented

2026-03-13 15:22:01 +03:00

Author

Owner

@joohoi commented on GitHub (Mar 2, 2018):

I do agree that adding another layer of authentication might be a bit overkill. I feel that the common usecase would be not exposing the HTTP API to the public internet at all, but only allowing access from the internal network.

A feature I'm thinking of adding is a new setting in configuration that can be used to toggle the registration endpoint off completely. So when your infrastructure is set up and configured for the automation, the complete registration could be disabled semi-temporarily.

@joohoi commented on GitHub (Mar 2, 2018): I do agree that adding another layer of authentication might be a bit overkill. I feel that the common usecase would be not exposing the HTTP API to the public internet at all, but only allowing access from the internal network. A feature I'm thinking of adding is a new setting in configuration that can be used to toggle the registration endpoint off completely. So when your infrastructure is set up and configured for the automation, the complete registration could be disabled semi-temporarily.

kerem commented

2026-03-13 15:22:06 +03:00

Author

Owner

@MrBMT commented on GitHub (Mar 2, 2018):

See, sometimes I overthink things. Just having the option to disable registration would work perfectly too, and is honestly the better idea than having to introduce a new type of authentication.

@MrBMT commented on GitHub (Mar 2, 2018): See, sometimes I overthink things. Just having the option to disable registration would work perfectly too, and is honestly the better idea than having to introduce a new type of authentication.