Note: Got a message that this post was flagged as inappropriate and had to wait ten minutes to edit. For the life of me I have no idea what was inappropriate. Hope it gets through on this re-edit!
1. Caddy version (`caddy version`):

```
v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=
```
2. How I run Caddy:
a. System environment:
```
Ubuntu 22.04 LTS
Linux 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
PHP 8.1 fpm
```
b. Command:
Runs via systemd service. See service file below.

```
/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
```
c. Service/unit/compose file:
Systemd caddy.service file:

```ini
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=www-data
Group=www-data
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```
d. My complete Caddyfile or JSON config:
Caddyfile:

```
{
	email monitor@my.site
	debug
}

(cloudflare-tls) {
	tls {
		dns cloudflare "<redacted>"
	}
}

import /etc/caddy/snippets/*.conf
import /etc/caddy/sites-enabled/*.conf

# Default site.
:80 {
	root * /srv/default
	file_server
}

# vim: ts=8 sw=8 noexpandtab
```

And sites-enabled/my.site.conf:

```
my.site {
	import cloudflare-tls
	root * /srv/my.site
	file_server
	php_fastcgi unix//var/run/php/php8.1-fpm.sock

	@forbidden {
		path /.htaccess
		path /.hg
		path /.hg/*
		path /_private/*
		path /.ht*
		path /.user*
	}
	respond @forbidden 404
}

# vim: ts=8 sw=8 noexpandtab
```
No other config files.
3. The problem I’m having:
In short, URLs like https://my.site/foo.php and https://my.site/foo.php/ work fine, but https://my.site/foo.php/some/path returns an HTTP 403 (Forbidden) response with the body “Access denied.”

I believe this response is being produced by the PHP 8.1 fpm service (see error log in section 4 below).

The expectation is that PHP fpm would run the foo.php file with /some/path as the PATH_INFO value.
4. Error messages and/or full log output:
When attempting to access the URL above, the following error message is generated in the /var/log/php8.1-fpm.log file:

```
WARNING: [pool www] child 44554 said into stderr: "NOTICE: Access to the script '/srv/my.site/some/path' has been denied (see security.limit_extensions)"
```

Debug log output from Caddy is:

```
caddy[60184]: {"level":"debug","ts":1655903013.2011309,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"127.0.0.1","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"my.site","uri":"/foo.php/some/path","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"my.site"}},"method":"GET","uri":"/foo.php"}
caddy[60184]: {"level":"debug","ts":1655903013.201183,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"/var/run/php/php8.1-fpm.sock","total_upstreams":1}
caddy[60184]: {"level":"debug","ts":1655903013.201319,"logger":"http.reverse_proxy.transport.fastcgi","msg":"roundtrip","request":{"remote_ip":"127.0.0.1","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"my.site","uri":"/foo.php","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["127.0.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["my.site"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"my.site"}},"dial":"/var/run/php/php8.1-fpm.sock","env":{"AUTH_TYPE":"","CONTENT_LENGTH":"","SCRIPT_FILENAME":"/srv/my.site/foo.php","SCRIPT_NAME":"/foo.php","SSL_CIPHER":"TLS_AES_128_GCM_SHA256","QUERY_STRING":"","REMOTE_USER":"","REQUEST_METHOD":"GET","HTTP_HOST":"my.site","HTTPS":"on","PATH_TRANSLATED":"/srv/my.site/some/path","REMOTE_ADDR":"127.0.0.1","SERVER_PROTOCOL":"HTTP/2.0","SERVER_SOFTWARE":"Caddy/v2.5.1","DOCUMENT_URI":"/foo.php","REQUEST_URI":"/foo.php/some/path","REMOTE_IDENT":"","SERVER_NAME":"my.site","GATEWAY_INTERFACE":"CGI/1.1","PATH_INFO":"/some/path","REMOTE_PORT":"58528","HTTP_ACCEPT":"*/*","HTTP_X_FORWARDED_HOST":"my.site","REMOTE_HOST":"127.0.0.1","SERVER_PORT":"443","SSL_PROTOCOL":"TLSv1.3","CONTENT_TYPE":"","DOCUMENT_ROOT":"/srv/my.site","HTTP_USER_AGENT":"curl/7.81.0","HTTP_X_FORWARDED_FOR":"127.0.0.1","HTTP_X_FORWARDED_PROTO":"https","REQUEST_SCHEME":"https"}}
caddy[60184]: {"level":"debug","ts":1655903013.2017865,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"unix//var/run/php/php8.1-fpm.sock","duration":0.000571739,"request":{"remote_ip":"127.0.0.1","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"my.site","uri":"/foo.php","headers":{"X-Forwarded-For":["127.0.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["my.site"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"my.site"}},"headers":{"Status":["403 Forbidden"],"Content-Type":["text/html; charset=UTF-8"]},"status":403}
```
5. What I already tried:
I’ve been banging my head against this for a day and a bit. I’ve tried using the expanded form of the php_fastcgi directive with bits chopped out.

Tried changing the @phpFiles bit to:

```
@phpFiles path_regexp \.php($|/)
```

Tried adding either:

```
@phpWithPaths path_regexp phpWithPathsRegex ^(.*\.php)/.+$
redir @phpWithPaths {re.phpWithPathsRegex.1} 308
```

or

```
@phpWithPaths path_regexp phpWithPathsRegex ^(.*\.php)/.+$
rewrite @phpWithPaths {re.phpWithPathsRegex.1}
```

But nothing seems to get it sorted.
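A small checker, added here as an example and not part of the original post, that pulls the FastCGI `env` out of Caddy's `http.reverse_proxy.transport.fastcgi` debug records and tests the CGI invariants a PHP-FPM operator would want to hold before blaming FPM. The sample log lines are constructed from the post's output with the env trimmed to the relevant variables; note that the path FPM reports as denied in the post is exactly the `PATH_TRANSLATED` value, which does not end in `.php`, while `SCRIPT_FILENAME` does.

```python
import json

# Constructed sample, modeled on the Caddy debug output in the post (env trimmed).
LOG_LINES = [
    'caddy[60184]: {"level":"debug","logger":"http.handlers.rewrite",'
    '"msg":"rewrote request","uri":"/foo.php"}',
    'caddy[60184]: {"level":"debug","logger":"http.reverse_proxy.transport.fastcgi",'
    '"msg":"roundtrip","env":{"SCRIPT_FILENAME":"/srv/my.site/foo.php",'
    '"SCRIPT_NAME":"/foo.php","PATH_TRANSLATED":"/srv/my.site/some/path",'
    '"PATH_INFO":"/some/path","REQUEST_URI":"/foo.php/some/path",'
    '"DOCUMENT_ROOT":"/srv/my.site"}}',
    'caddy[60184]: not json at all',
]

# PHP-FPM's default for security.limit_extensions is ".php".
LIMIT_EXTENSIONS = (".php",)


def fastcgi_envs(lines):
    """Yield the FastCGI env dict from each fastcgi-transport roundtrip record."""
    for line in lines:
        # Caddy's journald prefix "caddy[PID]: " precedes the JSON payload.
        _, _, payload = line.partition(": ")
        try:
            rec = json.loads(payload)
        except json.JSONDecodeError:
            continue  # non-JSON lines (or other loggers) are skipped
        if rec.get("logger") == "http.reverse_proxy.transport.fastcgi" and "env" in rec:
            yield rec["env"]


def check_env(env):
    """Evaluate the CGI/1.1 path invariants and the limit_extensions rule on one env."""
    root = env["DOCUMENT_ROOT"]
    script_name = env["SCRIPT_NAME"]
    path_info = env.get("PATH_INFO", "")
    path_translated = env.get("PATH_TRANSLATED", "")
    return {
        # SCRIPT_FILENAME must be the script under the document root.
        "script_under_root": env["SCRIPT_FILENAME"] == root + script_name,
        # REQUEST_URI should split cleanly into SCRIPT_NAME + PATH_INFO.
        "uri_is_script_plus_pathinfo": env["REQUEST_URI"] == script_name + path_info,
        # PATH_TRANSLATED is PATH_INFO mapped onto the filesystem root.
        "path_translated_is_root_plus_pathinfo": path_translated == root + path_info,
        # Which filesystem paths would pass a ".php"-only limit_extensions check?
        "script_ext_allowed": env["SCRIPT_FILENAME"].endswith(LIMIT_EXTENSIONS),
        "path_translated_ext_allowed": path_translated.endswith(LIMIT_EXTENSIONS)
        if path_translated else None,
    }
```

Running `check_env` over the post's env shows every invariant holding and only `PATH_TRANSLATED` failing the extension rule, which narrows the question to how FPM resolves the script when both `SCRIPT_FILENAME` and `PATH_TRANSLATED` are set.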