It looks like it allows you to specify a base path to work on, e.g. ipfilter /foo { ... }. Replace /foo with the folder you want to whitelist LAN access for.
Filemanager comes with the path “/files”; how do I configure the path of ipfilter?
This problem is bothering me: the rewrite only used {uri}, it has not used starts_with.
The base path works on the path as requested by the client - the path you see in the browser. How filemanager works is irrelevant; ipfilter works if the path in the browser URL bar matches the path you write in the Caddyfile.
Specifically, the URI requested by the client; ipfilter operates before proxies or rewriting can occur, so it always operates on the initial URI received by Caddy.
For the security of the Windows server, I wrote the following code:
# Begin - Security
# ipfilter rule
ipfilter /api/users /api/settings {
    rule allow
    ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
# status
status 403 /forbidden
# deny all direct access for these folders
rewrite {
    if_op or
    if {uri} has Recycle
    if {uri} has RECYCLE
    if {uri} has PerfLogs
    if {uri} has Program # Program_Files|Program_Files_(x86)|ProgramData
    if {uri} has Recovery
    if {uri} has System
    if {uri} has Users
    if {uri} has Windows
    if {uri} has caddy
    to /forbidden
}
# deny running files
rewrite {
    if_op or
    if {uri} has boot
    if {uri} has Documents
    if {uri} has Pagefile
    if {uri} has .clp
    if {uri} has .com
    if {uri} has .dll
    if {uri} has .drv
    if {uri} has .exe
    if {uri} has .ini
    if {uri} has .pif
    if {uri} has .rec
    if {uri} has .sys
    to /forbidden
}
# deny running scripts inside core system folders
# ($, . and parentheses are regex metacharacters: an unescaped $ anchors the end of the
# path and can never match "$Recycle.Bin", so they are escaped to match literally)
rewrite {
    regexp /(\$Recycle\.Bin|\$RECYCLE\.BIN|PerfLogs|Program_Files|Program_Files_\(x86\)|ProgramData|Recovery|System_Volume_Information|Windows)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat|ini)$
    to /forbidden
}
# deny running scripts inside user folder
rewrite {
    regexp /Users/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat|ini)$
    to /forbidden
}
# deny access to specific files in the root folder
rewrite {
    regexp /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
    to /forbidden
}
## End - Security
If you’re after advice on that Caddyfile, here’s my two cents:
I am assuming, based on the things you’re trying to block, that you’re going to be running filemanager with access to your entire file system. This is a completely backwards way to secure any server, let alone a Windows server.
You wasted your time by writing that Caddyfile (which seems mostly copied from the app-specific Grav example Caddyfile) if you expect it to adequately protect your entire file system from an attacker.
My strong recommendation is to throw it all out, rethink your security strategy for file sharing (exposing everything and then scrambling to cover up exploitable content is insane), and start over with something simpler with a secure-by-default approach.
There are a number of inefficiencies such as the overuse of blanket {uri} has checks and unnecessary reliance on regex… But, generally speaking, there’s nothing in your Caddyfile that I expect not to function as you’ve written it.
I also think there is a problem with this method.
The plugin (filemanager) has too high permissions. It has a beautiful interface, it is easy to access, with just one password. It has one parameter:
scope is the path, relative or absolute, to the directory you want to browse in. Defaults to ./.
If someone gets the admin password and then modifies the scope on the web page, they can add and delete Windows system folders.
I hope the scope written in the Caddyfile cannot be changed through the web page, just like it is not possible to modify the Caddyfile through the web page.
I want to specify the scope of filemanager in the Caddyfile. It cannot be modified by filemanager; it must be modified via the Caddyfile. The Caddyfile can only be modified from the intranet.
Now, ipfilter has solved the LAN access problem in the Caddyfile. The author of filemanager suggested running caddy under a low-privilege Windows account.
I really don’t know which way is more reasonable.
Update2
Folder structure: C:\...\Desktop\www\test. All the files that need to be shared are in the test folder.
:80 {
    root C:\...\Desktop\www
    gzip
    log stdout
    errors stdout
    ipfilter /api/users /api/settings {
        rule allow
        ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    }
    status 403 /forbidden
    rewrite {
        if {path} ends_with resource/
        to /api/resource/test
    }
    rewrite {
        if_op and
        if {path} has resource
        if {path} not_ends_with resource/
        if {path} not_has test
        to /forbidden
    }
    rewrite {
        ext .asp .bat .cgi .clp .com .conf .config .dll .drv .exe .htaccess .html .ini .js .json .lock .md .php .pif .pl .ps1 .py .rec .sh .sys .twig .vbs .wsf .wsh .xml .yaml
        to /forbidden
    }
    filemanager / C:\...\Desktop\www {
        database C:\...\Desktop\caddy\filemanager.db
    }
}
The intranet has permission to see the scope modification page (/api/users /api/settings).
All file browsing requests are rewritten to the “test” folder. On the internal network, obtaining the admin password of filemanager and modifying the scope to something like C:/ displays nothing and gives a 403.
There is a drawback: one more level of directory.
How do I block files with no extension?
I feel this is a positive approach. Please make some suggestions again. Thanks so much.
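As an added illustration of the approach the earlier reply argues for (one fixed scope directory that no web page can change, with an allowlist of what may be served instead of a denylist of dangerous names), and of one answer to the "files with no extension" question above, here is a small stand-alone Python routine. It is my own constructed example, not filemanager or Caddy code; the scope path and the extension list are assumptions chosen for the illustration.

```python
"""Fixed-scope path resolution with an extension allowlist.

Constructed illustration, not code from filemanager or Caddy. Every
client-supplied path is resolved inside ONE scope directory, anything
that would escape it is confined, and only an allowlist of extensions
is served. A file with no extension is refused simply because "" is
not on the list, which is what the denylists in the thread cannot do.
"""
import posixpath
from urllib.parse import unquote

# Assumed values for the illustration: the share folder from the thread
# (with the elided part of the path filled with a made-up user name) and
# a small allowlist of the file types a plain file share actually needs.
SCOPE = "C:/Users/me/Desktop/www/test"
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".zip"}


def resolve_in_scope(scope, raw_url_path, allowed=ALLOWED_EXTENSIONS):
    """Map a raw request path to a file path under ``scope``, or return None.

    None is returned for a directory request, a path containing a NUL byte
    or a colon (drive letters and NTFS alternate data streams), and any file
    whose extension is not on the allowlist. ``..`` cannot escape the scope:
    the path is normalised as an absolute path first, which discards every
    ``..`` above the root, and only then is it re-rooted under ``scope``.
    """
    decoded = unquote(raw_url_path)           # decode once: %2e%2e becomes ..
    if "\x00" in decoded or ":" in decoded:
        return None
    # Windows accepts both separators, so fold backslashes before normalising.
    normalised = posixpath.normpath("/" + decoded.replace("\\", "/"))
    relative = normalised.lstrip("/")
    if relative == "":
        return None                           # "/" or a path that collapsed to it
    ext = posixpath.splitext(relative)[1].lower()
    if ext not in allowed:
        return None                           # .exe, .ini, dotfiles, no extension, directories
    return posixpath.join(scope.rstrip("/"), relative)


if __name__ == "__main__":
    # Constructed sample requests, including the kinds of paths the
    # denylist rewrites in the thread are trying to stop.
    samples = [
        "/report.pdf",
        "/docs/../report.pdf",
        "/../../Windows/win.ini",
        "/..%5c..%5cWindows%5cnotes.txt",
        "/tool.exe",
        "/README",
        "/.htaccess",
        "/",
    ]
    for request in samples:
        print(f"{request:40} -> {resolve_in_scope(SCOPE, request)}")
```

The point of the shape is that nothing outside the scope is reachable no matter how the request is spelled (encoded dots, backslashes, mixed case), so the per-folder deny rules become unnecessary, and the extension check names only what is meant to be served rather than trying to enumerate everything that is not.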