Don't serve dotfiles/hidden files except .well-known

I’m trying to come up with a Caddyfile that prevents hidden files/dotfiles (files or folders starting with .*) from being served. This alone is easy enough with a path matcher and a redirect:

	redir /.* /

However, I still want Caddy to serve hidden files if they are inside of the .well-known folder – which is a common place for metadata files or DNS ownership proof.

In other webservers I can solve this with a regex that uses “negative lookahead” – something like ^\/\.(?!well-known\/). However, Caddy's regex engine (Google re2) does not support negative lookahead.

So how can I achieve this?

Try this:

	@forbidden {
		not path /.well-known/*
		path /.*
	}
	redir @forbidden /

And read this: Request matchers (Caddyfile) — Caddy Documentation
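
The same matcher inside a full site block, extended to dot-prefixed names below the site root. This is an added example, not part of the original reply: `example.com` and `/srv/www` are placeholders, and the `*/.*` pattern relies on Caddy treating a path pattern with `*` at both ends as a substring match.

```caddyfile
# Added example; example.com and /srv/www are placeholder values.
example.com {
	root * /srv/www

	# Matchers inside one named matcher block are ANDed together,
	# so a request is redirected only if BOTH lines hold.
	@dotfiles {
		# "/.*" is a prefix match: it only catches dot-names directly
		# under the site root (/.git/config, /.env).
		# "*/.*" has a wildcard at both ends, so it matches any path
		# containing "/.", which also covers /assets/.env or
		# /blog/.git/HEAD.
		path */.*

		# Exempt everything below /.well-known/, including dotfiles
		# stored there. The bare path "/.well-known" (no trailing
		# slash) does not match this pattern and is still redirected.
		not path /.well-known/*
	}
	redir @dotfiles /

	file_server
}
```

To check the result, request a root-level dotfile, a nested dotfile and a file under `/.well-known/`: only the last should be served.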
