The /.well-known directory access forbidden by rule
Sometimes you may notice requests to the /.well-known directory in your error log file, like these:
[error] 11830#11830: *1947 access forbidden by rule, client: x.x.x.x, server: wwww.example.com, request: "GET /.well-known/apple-app-site-association HTTP/1.1", host: "example.com"
[error] 11830#11830: *1954 access forbidden by rule, client: x.x.x., server: wwww.example.com, request: "GET /.well-known/assetlinks.json HTTP/1.1", host: "example.com"
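As an added example (not part of the original post), here is a small Python script that parses error-log lines of this shape and separates the expected /.well-known fetches from requests for other hidden paths, which is the distinction the deny rule exists for. The log lines, client addresses and timestamps inside it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of nginx "access forbidden by rule" entries (not real traffic).
SAMPLE_LOG = """\
2023/01/01 10:00:00 [error] 11830#11830: *1947 access forbidden by rule, client: 203.0.113.5, server: www.example.com, request: "GET /.well-known/apple-app-site-association HTTP/1.1", host: "example.com"
2023/01/01 10:00:01 [error] 11830#11830: *1954 access forbidden by rule, client: 203.0.113.5, server: www.example.com, request: "GET /.well-known/assetlinks.json HTTP/1.1", host: "example.com"
2023/01/01 10:00:02 [error] 11830#11830: *1960 access forbidden by rule, client: 198.51.100.7, server: www.example.com, request: "GET /.git/config HTTP/1.1", host: "example.com"
2023/01/01 10:00:03 [error] 11830#11830: *1961 access forbidden by rule, client: 198.51.100.7, server: www.example.com, request: "GET /.env HTTP/1.1", host: "example.com"
"""

# Fields of one "access forbidden by rule" entry: client address, server name, request line, host header.
LINE_RE = re.compile(
    r'access forbidden by rule, client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]+), '
    r'request: "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*", '
    r'host: "(?P<host>[^"]*)"'
)

WELL_KNOWN_PREFIX = "/.well-known/"


def parse_line(line):
    """Return the parsed fields of a forbidden-by-rule entry, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.groupdict()


def classify(path):
    """Expected app-link / site-metadata fetch vs. a hidden path the deny rule exists to protect."""
    if path.startswith(WELL_KNOWN_PREFIX):
        return "well-known"
    if "/." in path:
        return "hidden-file"
    return "other"


def triage(log_text):
    """Return (per-category counts, set of clients that requested hidden files)."""
    counts = Counter()
    hidden_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec["path"])
        counts[cat] += 1
        if cat == "hidden-file":
            hidden_clients.add(rec["client"])
    return counts, hidden_clients


if __name__ == "__main__":
    counts, clients = triage(SAMPLE_LOG)
    print(dict(counts))        # how many entries were .well-known fetches vs. other dot-paths
    print(sorted(clients))     # clients worth a second look
```

The .well-known entries are normal behaviour of mobile devices checking for app links; the other dot-path entries are what the rule was written to block, so the two categories deserve different attention when reviewing the log.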
So, what is this?
What is the /.well-known directory?
The .well-known subdirectory is defined by RFC 5785.
Here is some information from the RFC you should consider:
“It is increasingly common for Web-based protocols to require the discovery of policy or other information about a host (“site-wide metadata”) before making a request. For example, the Robots Exclusion Protocol http://www.robotstxt.org/ specifies a way for automated processes to obtain permission to access resources; likewise, the Platform for Privacy Preferences [W3C.REC-P3P-20020416] tells user-agents how to discover privacy policy beforehand.”
“To address this, this memo defines a path prefix in HTTP(S) URIs for these “well-known locations”, “/.well-known/”. Future specifications that need to define a resource for such site-wide metadata can register their use to avoid collisions and minimise impingement upon sites’ URI space.”
The /.well-known/assetlinks.json file
The assetlinks.json file is part of the Digital Asset Links protocol, which allows website owners to link URLs with native apps and to share credentials with other websites:
The Digital Asset Links protocol and API enable an app or website to make public, verifiable statements about other apps or websites. For example, a website can declare that it is associated with a specific Android app, or it can declare that it wants to share user credentials with another website.
For more information you can visit https://developers.google.com/digital-asset-links/v1/getting-started
The /.well-known/apple-app-site-association file
The apple-app-site-association file is used for Apple’s Universal Links.
“When you support universal links, iOS users can tap a link to your website and get seamlessly redirected to your installed app without going through Safari. If your app isn’t installed, tapping a link to your website opens your website in Safari.”
For more information you can visit https://developer.apple.com/library/content/documentation/General/Conceptual/AppSearch/UniversalLinks.html
Both assetlinks.json and apple-app-site-association serve a similar purpose: they allow the site operator to instruct a visitor’s device to open the site in an associated app rather than in the (mobile) browser.
Why some servers prevent access to the /.well-known directory
There are some webserver configurations that deny access to any path that starts with a dot “.”. The reasoning behind it is that such paths might give away sensitive information, like a .git or .svn directory (which probably shouldn’t even be on your webserver in the first place).
Here are some solutions:
If you have that directory, you can allow it explicitly in the nginx configuration like below. Keep this regex location above any rule that denies paths starting with a dot, because nginx uses the first matching regex location:
location ~ /\.well-known {
    # the dot is escaped so it matches a literal "." rather than any character
    allow all;
}
Alternatively, a single rule can keep denying every other hidden file or directory while exempting /.well-known through a negative lookahead:
location ~ /\.(?!well-known).* {
    # deny .git, .svn, .htaccess and any other dot-path, but not /.well-known/
    deny all;
    access_log off;
    log_not_found off;
}
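To make the ordering point concrete, here is an added example (not from the post) that models in Python how nginx chooses among `location ~` regex blocks: they are tested in the order written and the first match wins, while a request matching no regex location is treated here as allowed. The rulesets are the two snippets above plus a generic “deny every dot-path” rule, which is assumed to be the typical hardening rule behind the log entries; the sample paths are constructed.

```python
import re

# Added example, not from the post: a minimal model of how nginx picks among `location ~` (regex)
# blocks. nginx tests regex locations in config order and the first match wins; a request that
# matches no regex location falls through to normal handling, modelled here as "allow".
DEFAULT = "allow"

# A common "block every hidden path" rule (assumed typical hardening; this kind of rule produces
# the "access forbidden by rule" entries for /.well-known seen in the error log).
BLANKET_DENY = [(re.compile(r"/\."), "deny")]

# The post's negative-lookahead rule: hidden paths are denied unless they are /.well-known.
LOOKAHEAD_DENY = [(re.compile(r"/\.(?!well-known).*"), "deny")]

# The post's explicit allow rule followed by a blanket deny: the allow matches first.
ALLOW_THEN_DENY = [(re.compile(r"/\.well-known"), "allow"), (re.compile(r"/\."), "deny")]

# The same two rules in the wrong order: the blanket deny matches first, the allow never runs.
DENY_THEN_ALLOW = list(reversed(ALLOW_THEN_DENY))


def decide(path, rules, default=DEFAULT):
    """Verdict of the first regex location whose pattern matches `path`, else the default."""
    for pattern, verdict in rules:
        if pattern.search(path):
            return verdict
    return default


def table(paths, rulesets):
    """Verdict of each named ruleset for each path, as {path: {ruleset_name: verdict}}."""
    return {p: {name: decide(p, rules) for name, rules in rulesets.items()} for p in paths}


if __name__ == "__main__":
    sample_paths = [
        "/.well-known/assetlinks.json",
        "/.well-known/apple-app-site-association",
        "/.git/config",
        "/.htaccess",
        "/index.html",
    ]
    rulesets = {
        "blanket": BLANKET_DENY,
        "lookahead": LOOKAHEAD_DENY,
        "allow_then_deny": ALLOW_THEN_DENY,
        "deny_then_allow": DENY_THEN_ALLOW,
    }
    for path, verdicts in table(sample_paths, rulesets).items():
        print(f"{path:45} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

The model shows why the error-log entries appear (a blanket dot-path deny also catches /.well-known), that the lookahead rule denies .git and .htaccess while leaving /.well-known reachable, and that an allow rule placed after a blanket deny never fires. In real nginx a prefix location `location ^~ /.well-known/ { ... }` is another option: `^~` stops the regex search, which removes the dependency on rule order altogether.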
References
RFC 5785: https://tools.ietf.org/html/rfc5785
Nginx: disable .htaccess and hidden files but allow the .well-known directory
The well-known directory on webservers (aka RFC 5785)