Caddy rewrite fails with php

1. Output of caddy version:

caddy-2.5.2-r4

2. How I run Caddy:

I am running caddy with the included config inside of alpine 3.16.2:
/etc/init.d/caddy

#!/sbin/openrc-run
supervisor=supervise-daemon

name="Caddy web server"
description="Fast, multi-platform web server with automatic HTTPS"
description_checkconfig="Check configuration"
description_reload="Reload configuration without downtime"

: ${caddy_opts:="--config /etc/caddy/Caddyfile --adapter caddyfile"}

command=/usr/sbin/caddy
command_args="run $caddy_opts"
command_user=caddy:caddy
extra_commands="checkconfig"
extra_started_commands="reload"

depend() {
	need net localmount
	after firewall
}

checkconfig() {
	ebegin "Checking configuration for $name"
	su ${command_user%:*} -s /bin/sh -c "$command validate $caddy_opts"
	eend $?
}

reload() {
	ebegin "Reloading $name"
	su ${command_user%:*} -s /bin/sh -c "$command reload $caddy_opts"
	eend $?
}

stop_pre() {
	if [ "$RC_CMD" = restart ]; then
		checkconfig || return $?
	fi
}

a. System environment:

Linux web01 5.15.74-0-virt #1-Alpine SMP Sat, 15 Oct 2022 18:26:49 +0000 x86_64 Linux

Alpine virtual image running under qemu.

b. Command:

service caddy start

c. Service/unit/compose file:

#!/sbin/openrc-run
supervisor=supervise-daemon

name="Caddy web server"
description="Fast, multi-platform web server with automatic HTTPS"
description_checkconfig="Check configuration"
description_reload="Reload configuration without downtime"

: ${caddy_opts:="--config /etc/caddy/Caddyfile --adapter caddyfile"}

command=/usr/sbin/caddy
command_args="run $caddy_opts"
command_user=caddy:caddy
extra_commands="checkconfig"
extra_started_commands="reload"

depend() {
	need net localmount
	after firewall
}

checkconfig() {
	ebegin "Checking configuration for $name"
	su ${command_user%:*} -s /bin/sh -c "$command validate $caddy_opts"
	eend $?
}

reload() {
	ebegin "Reloading $name"
	su ${command_user%:*} -s /bin/sh -c "$command reload $caddy_opts"
	eend $?
}

stop_pre() {
	if [ "$RC_CMD" = restart ]; then
		checkconfig || return $?
	fi
}

d. My complete Caddy config:


Paste yoapps.gocloud.sh {
	root * /www
	file_server {
		precompressed zstd br gzip
	}
	tls thomas@munn.me
	log {
		output file /home/caddy/logs/apps.log {
			roll_keep 7
			roll_keep_for 14d
		}
	}
	encode {
		gzip 9
		zstd
	}
}
recipe.munn.me {
	root * /recipe
	file_server {
		precompressed zstd br gzip
	}
	tls thomas@munn.me
	log {
		output file /home/caddy/logs/recipes.log {
			roll_keep 7
			roll_keep_for 14d
		}
	}
	encode {
		zstd
	}
}
grav.munn.me {
	root * /grav
	file_server
	php_fastcgi 127.0.0.1:9000
	tls thomas@munn.me
	log {
		output file /home/caddy/logs/grav.log {
			roll_keep 7
			roll_keep_for 14d
		}
	}
	encode {
		zstd
		gzip
	}
	rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403
	rewrite /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
	rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
	rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
	respond /403 403
}

abbr.munn.me {
	root * /polr/public
	file_server
	php_fastcgi 127.0.0.1:9000
	tls thomas@munn.me
	log {
		output file /home/caddy/logs/polr.log {
			roll_keep 7
			roll_keep_for 14d
		}
	}
	encode {
		zstd
		gzip
	}
	rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403
	rewrite /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
	rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
	rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
	respond /403 403
	try_files {path} {path}/ /index.php?_url={uri}&{query}
}
calendar.munn.me {
	log {
		output file /home/caddy/logs/calendar.log {
			roll_keep 7
			roll_keep_for 14d
		}
		level debug
	}
	redir /radicale /radicale/
	handle /radicale/* {
		uri strip_prefix /radicale
	}
	reverse_proxy localhost:5232 {
		header_up X-Script-Name /radicale
	}
}

3. The problem I’m having:

Mainly the rewrite blocks on grav.munn.me don’t seem to be working. I was wondering if someone could help as to why they aren’t working. Everything is ‘working’, just the rewrites aren’t properly blocking the items I thought they would.

4. Error messages and/or full log output:

{"level":"info","ts":1666649360.2506092,"logger":"http.log.access.log2","msg":"handled request","request":{"remote_ip":"68.93.137.145","remote_port":"64583","proto":"HTTP/2.0","method":"GET","host":"grav.munn.me","uri":"/user/grav.munn.me/config/system.yaml","

5. What I already tried:

Mainly what you see in my config file. It's supposed to provide 403’s for any of the .yaml whatnot, but for some reason doesn’t stop them from being sent.

6. Links to relevant resources:

If you want to use regular expressions, you must use a named matcher to use the path_regexp matcher. Inline matchers starting with a / use the path matcher, which is pattern-based, not regular expressions.
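
The fix described in the reply above, applied to the grav.munn.me block from the question, as an added example that is not part of the original thread. The matcher names (`@blocked_dirs` and so on) are made up for illustration, the regular expressions are copied unchanged from the post, and `respond` is attached directly to each matcher instead of rewriting to `/403` first.

```caddyfile
grav.munn.me {
	root * /grav

	# Before (from the question): an inline matcher that starts with "/"
	# is a path matcher, so the pattern is not evaluated as a regular
	# expression and a request such as
	# /user/grav.munn.me/config/system.yaml is never rewritten:
	#
	#   rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
	#   respond /403 403

	# After: one named matcher per rule, each using path_regexp.
	# Matcher names are illustrative; the patterns are the ones from the post.
	@blocked_dirs path_regexp /(\.git|cache|bin|logs|backups|tests)/.*
	@blocked_system path_regexp /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
	@blocked_user path_regexp /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
	@blocked_root path_regexp /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)

	# In Caddy's default directive order respond is evaluated before
	# php_fastcgi and file_server, so a matching request gets the 403
	# before either handler can serve the file.
	respond @blocked_dirs 403
	respond @blocked_system 403
	respond @blocked_user 403
	respond @blocked_root 403

	php_fastcgi 127.0.0.1:9000
	file_server

	# tls, log and encode from the original block are omitted here.
}
```

After reloading, requesting the path from the access log in the question (`/user/grav.munn.me/config/system.yaml`) should return 403 rather than the file contents.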
