Combining denied_folder with not_remote_ip

1. Output of caddy version:


2. How I run Caddy:

I run caddy on an an Oracle Ampere instane under systemctl

a. System environment:

Ubunutu 22.04 ARM64

b. Command:

systemctl start caddy

c. Service/unit/compose file:

Not using docker

d. My complete Caddy config:

# Main WordPress Site {
    root * /var/www/andymilne
    php_fastcgi unix//run/php/php8.1-fpm.sock
    encode zstd gzip

    header {
        # disable FLoC tracking
        Permissions-Policy interest-cohort=()
        # enable HSTS
        Strict-Transport-Security max-age=31536000;
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade

    @disallowed {
        path /xmlrpc.php
        path *.sql
        path /wp-content/uploads/*.php

    rewrite @disallowed '/index.php'
	@denied_folders path /wp-admin/* 
	@denied not remote_ip my_static_IP
	abort @denied

3. The problem I’m having:

I am trying to allow access to Log In ‹ Andy Milne — WordPress only from my static IP. I have tried various combinations of denied_folders and not remote_ip but I havn’t found a way to combine both. I can block all access to /wp-admin/ easily and alternately I can deny access to any IP that is not my static IP but not how to combine both. Putting both parameters on the same line produced a systemctl start error. I am guessing it is the formating and layout so any help would be great thanks assuming you can combine parameters.

4. Error messages and/or full log output:

No error message, just a way to combine both commands as 1 and 2.

5. What I already tried:

Various combinations but I am new to writing Caddy configs so I could flail around for days. I did read the documenation and did many earches but can’t find a way to combine these two parameters.

6. Links to relevant resources:


I think I might have worked it out from re reading

This works for me. Is it the correct way to do it? It looks like I can stack as many conidtions as I need and they are “AND’d” unless otherwise specified.

From this:

@denied_folders path /wp-admin/* 
	@denied not remote_ip my_static_IP
	abort @denied

To this which does work:

    @block {
	path /wp-admin/* 
	not remote_ip
    respond @block 403
1 Like

Yep, that’s the way to do it, by using a named matcher to combine them. You can still use abort btw.

1 Like

Thanks Francis. Newby question:)

This topic was automatically closed after 30 days. New replies are no longer allowed.