create letsencrypt exception for apache reverse proxy along with ip restrictions

Under normal circumstances, setting up an apache reverse proxy with a letsencrypt exception for /.well-known is easily done with ProxyPass /.well-known ! It seems to become much more difficult (something which I happen to have easily solved in nginx) to configure this exception along with ip restrictions for the backend:

<VirtualHost *:80>   ServerName   DocumentRoot /var/www/html   Redirect / </VirtualHost>  <VirtualHost *:443>   ServerName    SSLEngine on   SSLCertificateFile /etc/letsencrypt/live/   SSLCertificateKeyFile /etc/letsencrypt/live/   DocumentRoot /var/www/html    ErrorLog $  {APACHE_LOG_DIR}/bfp-all_error.log   CustomLog $  {APACHE_LOG_DIR}/bfp-all_access.log combined    RewriteEngine On   RewriteCond %{HTTP:Connection} Upgrade [NC]   RewriteCond %{HTTP:Upgrade} websocket [NC]   RewriteRule /(.*) ws://localhost:8050/$  1 [P,L]      ProxyRequests Off   ProxyPreserveHost On <Location />     ProxyPass "http://localhost:8050/"     ProxyPassReverse "http://localhost:8050/"     Require ip     Require ip </Location> </VirtualHost> 

I tried using Alias and (and also the directory, which seems to be already quite redundant) before the section but the requests keep going to the backend:

DocumentRoot /var/web/letsencrypt Alias /.well-known /var/web/letsencrypt/.well-known   <Directory /var/web/letsencrypt/.well-known>            Options -Indexes            Require all granted   </Directory>   <Location /.well-known>         ProxyPass !         Require all granted   </Location> 

Any ideas how I could solve this? I would have expected it to be a problem people do come across from time to time, but I haven’t found anything on the internet.