Hiding directories on "file_server" directive

Running Dokuwiki, would like not to expose certain directories.

Is it possible to hide a directory (or multiple) using hide within the file_server directive? It doesn’t seem to be working–I know hide mentions files in the documentation. Is that a way to do it?

Please fill out the thread template! It’s hard to help without knowing what you’ve tried or what version you’re running.

If I make some assumptions, I think you should look into request matchers:

Specifically you’ll likely want to pair the not matcher with path matchers.


1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

I use systemd to run caddy.

a. System environment:

Ubuntu 18.04.4 LTS.

b. Command:

None.

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=www-data
Group=www-data
ExecStart=/usr/local/bin/caddy2 run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy2 reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

wiki.netbros.com {
	root * /var/www/wiki
	file_server {
		hide data/*
	}
	php_fastcgi unix//run/php/php7.2-fpm.sock

	import tlsheaders
	import encodings


	log {
		output file /var/log/caddy/wiki.netbros.com.log {
			roll_size 100mb
			roll_keep 7
			roll_keep_for 720h
		}
	}

	tls {
		protocols tls1.2
	}

}

3. The problem I’m having:

I want to deny direct access to certain directories, while allowing the application (Dokuwiki) to use them.

4. Error messages and/or full log output:

None.

5. What I already tried:

I added the hide directive, it isn’t working (I assume because it is meant for files, and not directories).

6. Links to relevant resources:

N/A


Thanks for filling out the template!

Something like this should do it:

@notData {
    not path /data/*
}
file_server @notData

Alternatively, you could return an error response when that path is requested:

respond /data/* 403

Perfect, it works as I wanted (and expected), thanks! For future users like me, I ended up with this Caddyfile (notice the @blockit portion and call):

(encodings) {
                encode gzip
}

(tlsheaders) {
                header Strict-Transport-Security "max-age=31536000"
                header X-XSS-Protection "1; mode=block"
                header X-Content-Type-Options "nosniff"
                header X-Frame-Options "DENY"
                header -Server
}

wiki.netbros.com {
        root * /var/www/wiki
        @blockit {
                not path /data/*
                not path /conf/*
                not path /inc/*
                not path /vendor/*
        }
        file_server @blockit
        php_fastcgi unix//run/php/php7.2-fpm.sock

        import tlsheaders
        import encodings


        log {
                output file /var/log/caddy/wiki.netbros.com.log {
                        roll_size 100mb
                        roll_keep 7
                        roll_keep_for 720h
                }
        }

        tls {
                protocols tls1.2
        }

}
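
Added example, not written by any poster in this thread: the respond alternative suggested above, extended to the four directories from the final Caddyfile. Because respond sorts ahead of php_fastcgi and file_server in Caddy's default directive order, the 403 also applies to .php requests under those paths, which a matcher placed only on file_server does not cover. The matcher name @internal is made up for this example.

```caddyfile
wiki.netbros.com {
	root * /var/www/wiki

	# One matcher for every directory that must not be reachable over HTTP.
	# A path matcher accepts several patterns; matching any one is enough.
	@internal {
		path /data/* /conf/* /inc/* /vendor/*
	}

	# respond is ordered before php_fastcgi and file_server, so a matching
	# request gets an explicit 403 and never reaches either handler.
	respond @internal 403

	# Everything else is handled as before. Dokuwiki itself still reads
	# these directories from disk; only HTTP access to them is denied.
	php_fastcgi unix//run/php/php7.2-fpm.sock
	file_server

	# The import, log and tls blocks from the thread's Caddyfile go here unchanged.
}
```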
