Running Dokuwiki, would like not to expose certain directories. Is it possible to hide a directory (or multiple) using hide within the file_server directive? It doesn’t seem to be working. I know hide mentions files in the documentation. Is that a way to do it?
Please fill out the thread template! It’s hard to help without knowing what you’ve tried or what version you’re running.
If I make some assumptions, I think you should look into request matchers:
Specifically you’ll likely want to pair the not matcher with path matchers.
1 Like
1. Caddy version (caddy version):
v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=
2. How I run Caddy:
I use systemd to run caddy.
a. System environment:
Ubuntu 18.04.4 LTS.
b. Command:
None.
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target
[Service]
User=www-data
Group=www-data
ExecStart=/usr/local/bin/caddy2 run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy2 reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
wiki.netbros.com {
    root * /var/www/wiki
    file_server {
        hide data/*
    }
    php_fastcgi unix//run/php/php7.2-fpm.sock
    import tlsheaders
    import encodings
    log {
        output file /var/log/caddy/wiki.netbros.com.log {
            roll_size 100mb
            roll_keep 7
            roll_keep_for 720h
        }
    }
    tls {
        protocols tls1.2
    }
}
3. The problem I’m having:
I want to deny direct access to certain directories, while allowing the application (Dokuwiki) to use them.
4. Error messages and/or full log output:
None.
5. What I already tried:
I added the hide directive, it isn’t working (I assume because it is meant for files, and not directories).
6. Links to relevant resources:
N/A
1 Like
Thanks for filling out the template!
Something like this should do it:
@notData {
    not path /data/*
}
file_server @notData
Alternatively, you could return an error response when that path is requested:
respond /data/* 403
2 Likes
Perfect, it works as I wanted (and expected), thanks! For future users like me, I ended up with this Caddyfile (notice the @blockit portion and call):
(encodings) {
    encode gzip
}
(tlsheaders) {
    header Strict-Transport-Security "max-age=31536000"
    header X-XSS-Protection "1; mode=block"
    header X-Content-Type-Options "nosniff"
    header X-Frame-Options "DENY"
    header -Server
}
wiki.netbros.com {
    root * /var/www/wiki
    @blockit {
        not path /data/*
        not path /conf/*
        not path /inc/*
        not path /vendor/*
    }
    file_server @blockit
    php_fastcgi unix//run/php/php7.2-fpm.sock
    import tlsheaders
    import encodings
    log {
        output file /var/log/caddy/wiki.netbros.com.log {
            roll_size 100mb
            roll_keep 7
            roll_keep_for 720h
        }
    }
    tls {
        protocols tls1.2
    }
}
2 Likes
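Added example, not written by anyone in this thread: the respond alternative suggested earlier, extended to the four directories from the final Caddyfile. A matcher attached to file_server only limits static file serving, so a request for a .php file under one of those paths is still passed to PHP-FPM by php_fastcgi; respond is ordered ahead of both handlers and so denies the request for every handler. The matcher name @denied is made up for this example, and the snippet imports and the log and tls blocks are left out for brevity.

```caddyfile
wiki.netbros.com {
    root * /var/www/wiki

    # One path matcher may list several patterns; a request matches
    # if any of them does. The name @denied is made up for this example.
    @denied path /data/* /conf/* /inc/* /vendor/*

    # respond runs before php_fastcgi and file_server in Caddy's default
    # directive order, so matching requests get a 403 from Caddy itself
    # and never reach PHP-FPM or the static file handler.
    respond @denied 403

    php_fastcgi unix//run/php/php7.2-fpm.sock
    file_server
}
```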
Closed by system on June 18, 2020, 4:55pm.
This topic was automatically closed after 30 days. New replies are no longer allowed.