No, unfortunately snippets need to be top / directive level as they’re called via import. They can’t be used as a subdirective.
The use of status is indeed one good way of protecting sensitive files. internal is another. In your case they’re mostly equivalent.
I would note that except /config.php won’t protect the file, it just means Caddy will serve it directly (i.e. in plain text) instead of sending it to be processed as a PHP script and returning the result; if it’s anything like wp-config.php, for example, it’s probably got plenty of sensitive information even in plain text. If you’re using status to protect it, the except subdirective won’t ever be relevant anyway; status turns away the client long before fastcgi operates.
Instead of redir / https://{hostonly}/, I’d probably redirect to https://{host}{uri}, unless you want to drop port and path information in the course of this redirect.
Lastly, I personally prefer to use the format http://example.com rather than example.com:80 or tls off; I think it reads a little better, is easier to recognize, and it also respects when you change the port with the command line -http-port flag; that’s purely my preference, though.
The order of the Caddyfile is theoretically NOT important. At startup, the Caddyfile is parsed and each directive processes its own configuration blocks; each directive has a set order in the middleware chain, and the chain is always executed in that order, e.g. rewrite always completes its operations before any redir is executed.
Practically, the order of multiple instances of the same directive can be impactful; for example, in instances of multiple rewrite statements, one rewrite that satisfies its if and regex conditions and has the first, longest base path is chosen for each request. That means multiple unconditional rewrites from / should result in the top-most rewrite occurring each time.
This isn’t true of all directives, though; in some cases it is not relevant to pick a single configuration option, and others use different methods for matching which configuration to select for a request.
You can see the current directive ordering here - for each request, the chain is executed top-to-bottom: caddy/caddyhttp/httpserver/plugin.go at 88edca65d3b1b7fb533f5abe7c1a95a417a5d016 · caddyserver/caddy · GitHub
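
The points above as a Caddy v1 Caddyfile, as an added example that is not part of the original post: the `except` configuration that leaves the file readable, next to a version that blocks it with `status`. The hostname, web root and PHP-FPM address are placeholder assumptions.

```caddyfile
# Added example, Caddy v1 syntax. example.com, /var/www/example and
# 127.0.0.1:9000 are placeholders, not values from the thread.

# --- Weak (shown commented out) ---
# "except" only takes /config.php out of FastCGI handling. The request
# falls through to the static file server, which returns the PHP source,
# credentials included, as plain text.
#
# example.com {
#     root /var/www/example
#     fastcgi / 127.0.0.1:9000 php {
#         except /config.php
#     }
# }

# --- Corrected ---
# Plain-HTTP site, written with the http:// scheme instead of ":80" or
# "tls off". The redirect keeps the request's host and URI.
http://example.com {
    redir https://{host}{uri}
}

example.com {
    root /var/www/example

    # Answer 404 for the sensitive file. status runs ahead of fastcgi in
    # the middleware chain, so the request is turned away before PHP or
    # the static file server can touch the file.
    status 404 /config.php

    # Alternative named in the post, mostly equivalent here:
    # internal /config.php

    # No "except" needed: requests for /config.php never get this far.
    fastcgi / 127.0.0.1:9000 php
}
```

After reloading, a request for `/config.php` should return 404 with an empty body rather than the file's contents.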