File server hiding files

pgf · April 25, 2021, 4:15pm

I’m a little bit confused by the “hide” directive. I thought it worked as you suggest, i.e., to prevent the serving of files specified in the patterns. However, from experimenting, it seems that all it does is prevent browse from showing those names in the listings. I.e., it hides the names, but not the files, which are still accessible, if you know they’re there. AFAICT, to prevent the files from being served, you need to specify them in the match directive to file_server directly:

@no_access {
    not path *.log
    not path *.info
    not path */.*
}
file_server @no_access

And even then, all that happens is the server serves up an empty file by the fetched name, thereby exposing its presence. I’m sure there’s a way to get a 404 for the matched files, but I can’t find it.

paul

francislavoie · April 25, 2021, 4:26pm

@pgf The way to make it serve a 404 is by using respond:

@no_access path *.log *.info */.*
respond @no_access "Not Found" 404

That said, hide does prevent file_server from serving the files altogether as well. If you’re using an old version of Caddy (older than v2.3.0) then you might’ve run into trouble, there were some significant fixes made to that functionality in v2.3.0, specifically in this PR:

pgf · April 25, 2021, 4:34pm

Thanks!

Okay, so this is a very typical example of my trouble with the Caddy docs. I can often find solutions to individual requirements, but I can’t figure out how to put those individual recipes together.

I already use an error handler to serve up a custom 404 page. How would I integrate your answer into this?

handle_errors {
    @404 {
            expression {http.error.status_code} == 404
    }
    handle @404 {
            root * /opt/very_public/www/errorpages
            rewrite * /404.html
            file_server
    }
    # fall through to here for other errors
    handle {
       respond "{http.error.status_code} {http.error.status_text}" {http.error.status_code}
    }
}

pgf · April 25, 2021, 4:42pm

It seems I’m running 2.2.3. So you’re suggesting that the behavior I’m seeing is to be expected, pre-2.3.0, and that “hide” now hides the contents?

paul

francislavoie · April 25, 2021, 4:50pm

For that you’ll need to wait until v2.4.0. There’s a couple relevant things:

An error directive is being added, which allows you to manually trigger an error using matchers httpcaddyfile: Add `error` directive for the existing handler by francislavoie · Pull Request #4034 · caddyserver/caddy · GitHub
There’s a bug with error fallthrough which I just worked on a fix for yesterday caddyhttp: Fix fallback for the error handler chain by francislavoie · Pull Request #4131 · caddyserver/caddy · GitHub, which will let you remove that last bit in your handle_errors

Yes, please upgrade to v2.3.0 and try again, the file_server directive will emit 404 errors for hidden files (which you can handler with handle_errors)

All you need probably need is this in v2.3.0:

example.com {
	root * /yoursite
	file_server {
		hide *.log *.info */.*
	}

	handle_errors {
		@404 expression `{http.error.status_code} == 404`
		handle @404 {
			root * /opt/very_public/www/errorpages
			rewrite * /404.html
			file_server
		}

		# Remove this once you use v2.4.0
		# or at least once this PR is merged: 
		# https://github.com/caddyserver/caddy/pull/4131
		respond {http.error.status_code}
	}
}

pgf · April 25, 2021, 6:05pm

Thank you very much. After upgrading, it all works fine.

system · May 25, 2021, 4:15pm

This topic was automatically closed after 29 days. New replies are no longer allowed.