I’m a little bit confused by the “hide” directive. I thought it worked as you suggest, i.e., to prevent the serving of files specified in the patterns. However, from experimenting, it seems that all it does is prevent browse from showing those names in the listings. I.e., it hides the names, but not the files, which are still accessible, if you know they’re there. AFAICT, to prevent the files from being served, you need to specify them in the match directive to file_server directly:
@no_access {
not path *.log
not path *.info
not path */.*
}
file_server @no_access
And even then, all that happens is the server serves up an empty file by the fetched name, thereby exposing its presence. I’m sure there’s a way to get a 404 for the matched files, but I can’t find it.
That said, hide does prevent file_server from serving the files altogether as well. If you’re using an old version of Caddy (older than v2.3.0) then you might’ve run into trouble, there were some significant fixes made to that functionality in v2.3.0, specifically in this PR:
Okay, so this is a very typical example of my trouble with the Caddy docs. I can often find solutions to individual requirements, but I can’t figure out how to put those individual recipes together.
I already use an error handler to serve up a custom 404 page. How would I integrate your answer into this?
handle_errors {
@404 {
expression {http.error.status_code} == 404
}
handle @404 {
root * /opt/very_public/www/errorpages
rewrite * /404.html
file_server
}
# fall through to here for other errors
handle {
respond "{http.error.status_code} {http.error.status_text}" {http.error.status_code}
}
}
Yes, please upgrade to v2.3.0 and try again, the file_server directive will emit 404 errors for hidden files (which you can handler with handle_errors)
All you need probably need is this in v2.3.0:
example.com {
root * /yoursite
file_server {
hide *.log *.info */.*
}
handle_errors {
@404 expression `{http.error.status_code} == 404`
handle @404 {
root * /opt/very_public/www/errorpages
rewrite * /404.html
file_server
}
# Remove this once you use v2.4.0
# or at least once this PR is merged:
# https://github.com/caddyserver/caddy/pull/4131
respond {http.error.status_code}
}
}