Can’t serve PHP files outside of /var/www/website directory

Faket · March 2, 2026, 7:50am

Hello all, I’m new on Caddy, trying to get my new VPS working.

1. The problem I’m having:

I try to serve some PHP websites with my new Caddy.

What’s working :

I can serve static websites from my home directory, with a symbolic link from /var/www/ ;
I can serve PHP websites from /var/www/ directly ;
But I can’t serve PHP websites with a symbolic link from /var/www/.

I tried to change files permissions, I tried to put all to caddy:caddy, this doesn’t change, all I got is a `File not found.` error on my browser.

2. Error messages and/or full log output:

I don’t have any error message here.

3. Caddy version:

v2.11.1 h1:C7sQpsFOC5CH+31KqJc7EoOf8mXrOEkFyYd6GpIqm/s=

4. How I installed and ran Caddy:

a. System environment:

Debian 13, amd64, standalone installation.

b. Command:

caddy start

c. My complete Caddy config:

For this website :

WEBURL {
        root * /home/USER/websites/nuage
        encode
        log {
                output file /var/log/caddy/WEBURL.log
                format console
        }
        php_fastcgi unix//run/php/php-fpm.sock
        file_server
        # Prevent access to dot-files, except .well-known
        @dotFiles {
                path */.*
                not path /.well-known/*
        }
}

Thank you for your help.

francislavoie · March 3, 2026, 1:07am

It’s normal to not be able to serve from /home. Caddy runs as the caddy user, which doesn’t have permission to read into the HOME of other users.

This is because the /home/youruser directory has drwxr-x--- permissions which means only youruser or yourgroup can read or traverse into it (x permission is needed on directory to enter it).

In Linux, every directory all the way up the chain needs to have x for that user to be able to “see” things. And most of the time, the home directory itself is what gates it. It’s an intentional security mechanism to prevent just any software from reading user files unless granted.

You should serve your site from /srv or /var/www, that’s standard.

Faket · March 3, 2026, 6:21am

Oh yeah, that’s that… Thank you for your answer and sorry for this, I checked the permissions but not on my /home dir.

But I don’t understand why it’s working with my static files websites then. Does Caddy have acces and not php-fpm ?

I’d gladly serve from /var/www, but what are your recommendations on how access those directory by SSH ? Should I give my user the right to edit them and that’s good ?

francislavoie · March 3, 2026, 10:31am

Files for your site should likely be owned by the www-data user (the caddy user is in the www-data group so it can also read files owned by that group). I think php-fpm also runs as www-data by default.

Faket · March 3, 2026, 11:07am

Thank you four your clarifications.

But I still have my question, why can I have my static websites inside my own home directory, but not my dynamic websites ?

And what’s the good practices about where and how to put the files on my server. Until now I use my account (by ssh ofc) and push my files directly in my home. Should I use another user to do that and push them directly on the /var/www directory ?

pothi · March 4, 2026, 3:42pm

In order to execute PHP files (irrespective of the location), those files must have read/execute permission by the user that runs php-fpm. This is in addition to read permission for Caddy (user).

I am not sure about the best practices, however I keep all files on /home/user/sites/example.com/public and give read-only permission for both Caddy user and php-fpm user. I also have /home/user/{backups,log,scripts} directories to manage the sites. I host mostly WordPress sites. This dir structure helps me to host multiple sites using the same user. This is not a recommended config. If a site gets infected by a malware, it can affect other sites hosted alongside. I am only sharing what works for a particular usecase. YMMV.

Faket · March 5, 2026, 11:03am

Thank you for your answer. I understand that now. But I still need to dig a bit to understand what’s happening on my server ^^’
According to my permissions :

755 caddy:caddy /home/USER/websites/SITE/
755 USER:USER /home/USER/websites/
700 USER:USER /home/USER/
777 root:root /var/www/SITE → /home/USER/websites/SITE/

As I understand it, caddy should not be able to access my site, because of the 700 on my home. But for static sites it’s working, and not for dynamic sites.

If I change my home to :

755 USER:USER /home/USER

then it’s working (at least the reading part from php-fpm).

For the best practices part, I usually have all my websites in my /home/USER/websites/ directory, so I can push them by ssh with my user account. Should I change this practice ? As I understand it from @francislavoie messages, I should put all my websites directly to /var/www, not with a symbolic link, and owned by www-data (or caddy). Thus, I should push them by a caddy ssh account, right ?