404 handling by PHP backend

1. Caddy version (caddy version):

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

I run Caddy as a web server in front of the TYPO3 Content Management System.
The web server runs in a Vagrant box on my machine.

a. System environment:

Ubuntu 20.04 in a VirtualBox managed by Vagrant

I run Caddy using the provided Service that comes with it when installing from the fury.io repository.

d. My complete Caddyfile or JSON config:

(fileServerOptions) {
  encode zstd gzip

  @publicPaths {
    path_regexp ^\/((typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Public|typo3temp)\/.*$
  }

  @restrictedPaths {
    path_regexp  ^\/(typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Private\/.*$
  }

  @staticFiles {
    path_regexp ^(.*)\.(?:ico|css|js|gif|jpe?g|png|woff|woff2|svg)$
  }

  file_server @publicPaths
  header @staticFiles Cache-Control max-age=2592000

  file_server /fileadmin/* {
    hide /var/www/project/web/fileadmin/_temp_/* /var/www/project/web/fileadmin/*/_temp_/* /var/www/project/web/fileadmin/_recycler_/* /var/www/project/web/fileadmin/*/_recycler_/*
  }
}

b13-caddy2.test:443 {
  root * /var/www/project/web

  tls /etc/ssl/project.crt /etc/ssl/project.key

  log {
    output file /var/log/caddy/access.log
  }

  import fileServerOptions


  php_fastcgi unix//var/run/php/php7.4-fpm.sock

  respond @restrictedPaths 404
}

3. The problem I’m having:

Everything works really fine so far. Caddy serves all files the way it should and quickly. Passing everything to PHP works great as well.

I’m trying to get Caddy to ignore all files that are not within any of the @publicPaths or /fileadmin/* (which is the standard media folder for TYPO3).

The hide directive within the fileadmin route works perfectly and so does the @restrictedPaths matcher with the 404 response.

But at the moment only the browser’s 404 error page is shown.

For files that I did not explicitly “exclude” within the @restrictedPaths matcher (i.e. PHP package composer.json files that might be within the web root) Caddy simply returns an empty 200 response.

Since non-existent paths/files are handled by the CMS and its 404 error page, both of these cases would give an attacker the possibility to find out exactly what files are present on the system.

So I effectively want all non-existent and “hidden” files to show the same 404 error page generated by the PHP CMS.

5. What I already tried:

I have fiddled around with the handle_errors directive but couldn’t get it to rewrite correctly to the correct page.
I’ve tried things like

  handle_errors {
    rewrite * /404
    file_server
  }

and the most I got was to change those 404 errors to be empty 200 Caddy responses. Presumably because Caddy tries to find a file that does not exist.

One solution I found of course is to generate a static 404.html within the web root.
Since the “content” on the 404 page might change (i.e. the header/footer/menu) though, it would be preferred to have the PHP Backend serve that page.

So I have two questions:
1.) I could include all possible paths that should not be publicly available with more regex. Is there an easier way to catch all files not in the explicitly allowed paths and redirect them to a 404?
2.) Is it possible to have all 404 errors handled by the PHP framework? Or are static files the only possibility for now?
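
One way to close both gaps (the empty 200 for files like composer.json and the Caddy-generated 404 for hidden or restricted paths) is to let only the allow-listed file servers touch the filesystem and hand every other request, including file_server errors, to the TYPO3 front controller, so the CMS renders its own 404 page and an outside observer gets the same answer for existing and non-existing files. This is an added example, not the poster's config and not from the Caddy project; it assumes Caddy v2.2.1 semantics, the paths from the post above, that /index.php is the TYPO3 front controller and that /typo3/* must keep resolving through php_fastcgi's try_files so the backend entry point still works.

```caddyfile
b13-caddy2.test:443 {
  root * /var/www/project/web
  tls /etc/ssl/project.crt /etc/ssl/project.key
  encode zstd gzip

  @publicPaths {
    path_regexp ^\/((typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Public|typo3temp)\/.*$
  }
  @staticFiles {
    path_regexp ^(.*)\.(?:ico|css|js|gif|jpe?g|png|woff|woff2|svg)$
  }
  header @staticFiles Cache-Control max-age=2592000

  # route keeps the directives in the order written, so the catch-all
  # rewrite only sees requests the allow-listed file servers did not serve
  route {
    file_server @publicPaths
    file_server /fileadmin/* {
      hide /var/www/project/web/fileadmin/_temp_/* /var/www/project/web/fileadmin/*/_temp_/* /var/www/project/web/fileadmin/_recycler_/* /var/www/project/web/fileadmin/*/_recycler_/*
    }

    # PHP entry points go to PHP-FPM as before; /typo3/* is included so the
    # backend's /typo3/ still resolves to typo3/index.php via try_files
    @php path *.php *.php/* /typo3/*
    php_fastcgi @php unix//var/run/php/php7.4-fpm.sock

    # Everything else (Resources/Private, composer.json, unknown paths) is
    # handed to the front controller. REQUEST_URI keeps the original path,
    # so TYPO3 answers with its own 404 page instead of Caddy's empty 200
    rewrite * /index.php
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
  }

  # file_server raises a 404 error for missing or hidden files under the
  # allow-listed paths; send those to the same front controller
  handle_errors {
    rewrite * /index.php
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
  }
}
```

With this layout the only paths Caddy will ever answer for itself are the allow-listed public and fileadmin trees, so an existence probe for any other file receives the CMS 404 page whether the file is present or not.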
