I am trying to disallow browsing a certain directory and its files directly (let’s say /uploads/images) while the server should have access to the files there. The corresponding Apache config would be:
Options -Indexes
deny from all
<FilesMatch '\.(jpg|png|gif|mp3|ogg)
How does this translate to Caddy? As far as I understand, Caddy disallows browsing/indexing directories by default, so this works out of the box, but how about the “deny from all…” part?
internal /uploads/images
works but doesn’t allow the server to access the file, obviously.
What does it mean for the server to still be able to access the file, exactly?
internal will disallow any external client from requesting the file from the server, but Caddy will be able to request the file from itself. Contrast with status 404 /uploads/images, which tells Caddy to return a 404 for any request to those resources.
Thanks @Whitestrake. Actually I’m trying to achieve just that:
“internal will disallow any external client from requesting the file from the server, but Caddy will be able to request the file from itself.”
So, internal /uploads/images should do what I am looking for, but actually if I use that directive, WordPress won’t show the images in the backend (console logs 404 errors) and additionally throws a 404 error in the frontend as well.
Trying to open the images directly/via the browser also results in 404 – that is expected of course. However, the server / WordPress should be able to access the files, right?
Could this be a permissions issue or am I doing something wrong?
All three of these are the same thing. The server can access them, but the server isn’t allowing you to access them.
You can’t see them in the backend because WordPress tells your browser to fetch the image and you get rejected because your browser is not internal. The frontend is the same - tells your browser to fetch the image and display it in the page, and your browser gets rejected.
Opening the images via browser directly - self explanatory. Denied - your browser is not internal.