I want to add a forbidden block to the FrankenPHP Caddy file.
I would prefer to do it via the environment var prepared for this case, instead of providing a custom Caddyfile because it seems more update and change resistant, it’s also really easy to declare env var’s in a docker compose file.
I’m trying to use the provided $CADDY_SERVER_EXTRA_DIRECTIVES var for it.
I am struggling to get a multi lined snipped, passed along, as env var tho.
Am I just doing it wrong?
Is there a better way of achieving this?
2. Here the FrankenPHP Caddyfile
{
{$CADDY_GLOBAL_OPTIONS}
frankenphp {
#worker /path/to/your/worker.php
{$FRANKENPHP_CONFIG}
}
# https://caddyserver.com/docs/caddyfile/directives#sorting-algorithm
order mercure after encode
order vulcain after reverse_proxy
order php_server before file_server
order php before file_server
}
{$CADDY_EXTRA_CONFIG}
{$SERVER_NAME:localhost} {
#log {
# # Redact the authorization query parameter that can be set by Mercure
# format filter {
# wrap console
# fields {
# uri query {
# replace authorization REDACTED
# }
# }
# }
#}
root * public/
encode zstd br gzip
# Uncomment the following lines to enable Mercure and Vulcain modules
#mercure {
# # Transport to use (default to Bolt)
# transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
# # Publisher JWT key
# publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
# # Subscriber JWT key
# subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
# # Allow anonymous subscribers (double-check that it's what you want)
# anonymous
# # Enable the subscription API (double-check that it's what you want)
# subscriptions
# # Extra directives
# {$MERCURE_EXTRA_DIRECTIVES}
#}
#vulcain
{$CADDY_SERVER_EXTRA_DIRECTIVES}
php_server
}
3. Here the forbidden block from the official install instructions of DokuWiki
#Remember to comment the below forbidden block out when you're installing, and uncomment it when done.
@forbidden path /data/* /conf/* /bin/* /inc/* /install.php
handle @forbidden {
respond * 403
}
#End of the forbidden block
4. How I installed and ran Caddy:
Oficila FrankenPHP docker image
a. System environment: My Docker compose.yml
version: "3.9"
networks:
lan20:
enable_ipv6: true
name: vlan20
driver: macvlan
driver_opts:
parent: br-lan.20
ipam:
config:
- subnet: 192.168.20.0/24
gateway: 192.168.20.1
- subnet: fd19:7219:b304:20::1/60
gateway: fd19:7219:b304:20::1
- subnet: 2406:2d40:7238:9a20::1/60
gateway: 2406:2d40:7238:9a20::1
services:
dokuwiki:
image: dunglas/frankenphp
container_name: dokuwiki
environment:
# - TZ=Pacific/Auckland
- SERVER_NAME=wiki.village
- CADDY_GLOBAL_OPTIONS=local_certs
- CADDY_SERVER_EXTRA_DIRECTIVES="@forbidden path /data/* /conf/* /bin/* /inc/* /install.php \n handle @forbidden { \n respond * 403 \n }"
restart: unless-stopped
# cap_add:
# - NET_ADMIN
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- ./dokuwiki_test:/app/public
# - ./Caddyfile:/etc/caddy/Caddyfile
- dokuwiki_caddy_data:/data
- caddy_config:/config
tty: true
dns:
- "192.168.20.10"
- "192.168.20.1"
networks:
lan20:
ipv4_address: 192.168.20.20
ipv6_address: fd19:7219:b304:20::20
# ipv6_address: 2406:2d40:7238:9a20::20
volumes:
dokuwiki_caddy_data:
external: true
caddy_config:
b. Command:
docker-compose down --remove-orphans; docker-compose up -d
5. Links to relevant resources:
Here the official DokuWiki Caddy install guide.
https://www.dokuwiki.org/install:caddy