I’m a little bit confused by the “hide” directive. I thought it worked as you suggest, i.e., to prevent the serving of files specified in the patterns. However, from experimenting, it seems that all it does is prevent browse from showing those names in the listings. I.e., it hides the names, but not the files, which are still accessible, if you know they’re there. AFAICT, to prevent the files from being served, you need to specify them in the match directive to file_server directly:
not path *.log
not path *.info
not path */.*
And even then, all that happens is the server serves up an empty file by the fetched name, thereby exposing its presence. I’m sure there’s a way to get a 404 for the matched files, but I can’t find it.
That said, hide does prevent file_server from serving the files altogether as well. If you’re using an old version of Caddy (older than v2.3.0) then you might’ve run into trouble, there were some significant fixes made to that functionality in v2.3.0, specifically in this PR: