1. Caddy version (caddy version):
v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=
2. How I run Caddy:
I run Caddy as a web server in front of the TYPO3 Content Management System.
The web server runs in a Vagrant box on my machine.
a. System environment:
Ubuntu 20.04 in a VirtualBox managed by Vagrant
I run Caddy using the provided Service that comes with it when installing from the fury.io repository.
d. My complete Caddyfile or JSON config:
(fileServerOptions) {
    encode zstd gzip
    @publicPaths {
        path_regexp ^\/((typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Public|typo3temp)\/.*$
    }
    @restrictedPaths {
        path_regexp ^\/(typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Private\/.*$
    }
    @staticFiles {
        path_regexp ^(.*)\.(?:ico|css|js|gif|jpe?g|png|woff|woff2|svg)$
    }
    file_server @publicPaths
    header @staticFiles Cache-Control max-age=2592000
    file_server /fileadmin/* {
        hide /var/www/project/web/fileadmin/_temp_/* /var/www/project/web/fileadmin/*/_temp_/* /var/www/project/web/fileadmin/_recycler_/* /var/www/project/web/fileadmin/*/_recycler_/*
    }
}

b13-caddy2.test:443 {
    root * /var/www/project/web
    tls /etc/ssl/project.crt /etc/ssl/project.key
    log {
        output file /var/log/caddy/access.log
    }
    import fileServerOptions
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
    respond @restrictedPaths 404
}
3. The problem I’m having:
Everything works really fine so far. Caddy serves all files the way it should and quickly. Passing everything to PHP works great as well.
I’m trying to get Caddy to ignore all files that are not within any of the @publicPaths or /fileadmin/* (which is the standard media folder for TYPO3).
The hide directive within the fileadmin route works perfectly and so does the @restrictedPaths matcher with the 404 response.
But at the moment only the browser’s 404 error page is shown.
For files that I did not explicitly “exclude” within the @restrictedPaths matcher (i.e. PHP package composer.json files that might be within the web root) Caddy simply returns an empty 200 response.
Since non-existent paths/files are handled by the CMS and its 404 error page, both of these cases would give an attacker the possibility to find out exactly what files are present on the system.
So I effectively want all non-existent and “hidden” files to show the same 404 error page generated by the PHP CMS.
5. What I already tried:
I have fiddled around with the handle_errors
directive but couldn’t get it to rewrite correctly to the correct page.
I’ve tried things like
handle_errors {
    rewrite * /404
    file_server
}
and the most I got was to change those 404 errors to be empty 200 Caddy responses. Presumably because Caddy tries to find a file that does not exist.
One solution I found, of course, is to generate a static 404.html within the web root.
Since the “content” on the 404 page might change (i.e. the header/footer/menu), though, it would be preferred to have the PHP backend serve that page.
So I have two questions:
1.) I could include all possible paths that should not be publicly available with more regex. Is there an easier way to catch all files not in the explicitly allowed paths and redirect them to a 404?
2.) Is it possible to have all 404 errors handled by the PHP framework? Or are static files the only possibility for now?
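An added example (not the poster's configuration and not an official Caddy answer) showing one way to get both behaviours with the directives available in Caddy v2.2.1: an allow-list matcher that rewrites every request outside the public paths to the CMS front controller, plus a handle_errors block that hands file_server's own 404s (hidden _temp_/_recycler_ paths, missing assets under @publicPaths) to PHP as well. All paths, the snippet and the FastCGI socket are taken from the post; the /typo3 backend entry point and the *.php exclusion are assumptions about the TYPO3 layout.

```caddyfile
# Added example, not the original poster's config. Assumes the same web root,
# TYPO3 layout and PHP-FPM socket as the post; /typo3 as the backend entry
# point is an assumption.
(fileServerOptions) {
	encode zstd gzip
	@publicPaths {
		path_regexp ^\/((typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Public|typo3temp)\/.*$
	}
	@staticFiles {
		path_regexp ^(.*)\.(?:ico|css|js|gif|jpe?g|png|woff|woff2|svg)$
	}
	file_server @publicPaths
	header @staticFiles Cache-Control max-age=2592000
	file_server /fileadmin/* {
		hide /var/www/project/web/fileadmin/_temp_/* /var/www/project/web/fileadmin/*/_temp_/* /var/www/project/web/fileadmin/_recycler_/* /var/www/project/web/fileadmin/*/_recycler_/*
	}
}

b13-caddy2.test:443 {
	root * /var/www/project/web
	tls /etc/ssl/project.crt /etc/ssl/project.key
	log {
		output file /var/log/caddy/access.log
	}

	# Allow-list instead of deny-list: a request that is neither a public
	# asset, nor under /fileadmin/, nor a PHP entry point is handed to the
	# CMS front controller. Resources/Private and stray files such as
	# composer.json land here automatically, so no @restrictedPaths matcher
	# and no "respond 404" are needed. Each "not" line is ANDed.
	@notAllowed {
		not path_regexp ^\/((typo3\/sysext|typo3conf\/ext)\/.+\/Resources\/Public|typo3temp)\/.*$
		not path /fileadmin/*
		not path *.php
		not path /typo3 /typo3/
	}
	# rewrite is ordered before php_fastcgi, so the request reaches PHP as
	# /index.php while the FastCGI transport still passes the original path
	# as REQUEST_URI; the CMS renders the same 404 page it already uses for
	# routes that do not exist (the mechanism php_fastcgi's try_files relies on).
	rewrite @notAllowed /index.php

	import fileServerOptions
	php_fastcgi unix//var/run/php/php7.4-fpm.sock

	# 404s raised by file_server itself are real Caddy errors, unlike a
	# "respond 404", so they reach this block. Route them to the CMS too,
	# instead of serving a static file the way the post's attempt did.
	handle_errors {
		rewrite * /index.php
		php_fastcgi unix//var/run/php/php7.4-fpm.sock
	}
}
```

The point of the allow-list is that a present-but-private file and a made-up path now produce the same CMS-generated 404, which closes the file-enumeration channel the post describes; check it by requesting an existing non-public file (the composer.json case) and a random path and comparing status code and body. Two caveats: handle_errors here catches every error status, not only 404, so a FastCGI failure would also be retried through PHP; and "not path *.php" keeps any PHP file under the web root reachable, exactly as php_fastcgi already allows in the original config.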