I'm trying to exclude only a few directories and files from a reverse proxy. I used to be able to use "except" for this in the Caddyfile in Caddy v1, but now in v2 it doesn't recognize this anymore, as the above Caddyfile doesn't parse (Error during parsing: unrecognized subdirective except).
What I already tried:
I have no idea how to achieve the same thing. Please help!
In Caddy v2, you now use request matchers to conditionally exclude a directive from matching a request
Specifically, I think you're looking to set up a named matcher with the not and path matchers, to exclude the reverse_proxy from matching those paths.
Note that in Caddy v2, path matching is exact, so if you want to exclude an entire directory, make sure to append * to the path.
Also, in Caddy v2, you'll need to enable a file server explicitly; it's no longer enabled by default like it was in v1.
And finally, the reverse_proxy in v2 automatically passes through all headers, so you don't need that header_up directive to forward the Authorization header anymore (and that syntax is no longer valid; you would need to use {http.request.header.Authorization} to get the value of the header in the request).
See the upgrade guide, it explains most of these things:
This seems a lot more complicated than it was in v1. I don't understand how the named matcher syntax would work in this Caddyfile. Can you provide an example of how to achieve this with the few local folders I want to exclude? It doesn't make sense like it used to with the exclude directive.
It's not; it only looks complicated because, from what I can tell, you went into v2 assuming it was the same as v1 (for example, assuming that reverse_proxy was the same and had an except subdirective in v2, and that placeholders were all the same). Our upgrade guide can help, and it suggests basically starting with a fresh slate (i.e. not carrying over past assumptions): Upgrading to Caddy 2 - Caddy Documentation
The changes you need to make probably amount to about 2 lines.
@notThese not path /local/dir1* /local/dir2* /localdir3/* /local/file.db
reverse_proxy @notThese 192.168.1.2:3456
@notThese not path /local/dir1* /local/dir2* /localdir3/* /local/file.db
@jfirestorm44 might be right about needing a block, I know in v2.1 (not yet released) you should be able to single-line it. Anyway, make sure not to lose those crucial tokens.
I can still easily access a file on https://my.domain.name/local/dir1/script.js when it really shouldn't allow it to proxy that. Caddy V1 had no issues with this when using the exclude directive, and that js file would be inaccessible in my browser. Are there more typos in my Caddyfile above?
I can also recommend using the caddy fmt command; it'll fix the tabbing in your Caddyfile and make it easier to follow.
If you're trying to exclude those paths to serve files that exist on disk, then you'll need a file_server directive. Caddy v1 implicitly enabled a file server, but in Caddy v2 you need to enable it explicitly. You might also need to specify the site root with root so that Caddy knows where to look on disk for the files.
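To make the pieces from this reply concrete, here is an added example Caddyfile (not from the original thread or from the Caddy project) that puts the named matcher, the explicit file_server and the site root together, and also covers what the original poster actually asked for: the private paths answer 403 instead of being served. The site name, backend address, paths and /srv/www root are placeholders.

```caddyfile
# Added example, not from the thread. Placeholder site, root and backend.
my.domain.name {
	root * /srv/www

	# Private directory and file: refuse them outright.
	# Path matching is exact, so "/local/dir1" alone would not cover
	# "/local/dir1/script.js". Listing "/local/dir1 /local/dir1/*" is
	# tighter than "/local/dir1*", which would also match "/local/dir10".
	@private path /local/dir1 /local/dir1/* /local/file.db
	respond @private 403

	# Other files under /local/ are served from disk. Without an explicit
	# file_server, an excluded path falls through to an empty 200 response.
	@local path /local/*
	file_server @local

	# Everything that is not under /local/ goes to the backend.
	# Headers are passed through automatically in v2; no header_up needed.
	@proxied not path /local/*
	reverse_proxy @proxied 192.168.1.2:3456
}
```

After reloading, `curl -I https://my.domain.name/local/dir1/script.js` should return 403, while a path outside /local/ is answered by the backend.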
Using your exact Caddyfile example, this is the result:
root@caddy:~# /root/caddy run --config /root/caddytest
2020/05/30 04:51:43.519 INFO using provided configuration {"config_file": "/root/caddytest", "config_adapter": ""}
run: loading initial config: decoding request body: invalid character ':' looking for beginning of value
root@caddy:~# /root/caddy run --config /root/Caddyfile2 --adapter caddyfile
2020/05/30 18:50:20.133 INFO using provided configuration {"config_file": "/root/Caddyfile2", "config_adapter": "caddyfile"}
2020/05/30 18:50:20.135 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["[::1]:2019", "127.0.0.1:2019", "localhost:2019"]}
2020/05/30 18:50:20.136 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/05/30 13:50:20 [INFO][cache:0xc0005597c0] Started certificate maintenance routine
2020/05/30 18:50:20.137 INFO tls cleaned up storage units
2020/05/30 18:50:20.137 INFO http enabling automatic TLS certificate management {"domains": ["my.domain.name"]}
2020/05/30 18:50:20.145 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/05/30 18:50:20.145 INFO serving initial configuration
The reverse proxy works just fine, but again, I can STILL access files that should have been excluded. There's a .js file that I can view in plaintext that includes private information. In Caddy V1, using the except directive as described in OP, this was impossible, as the file would not be accessible.
The test that I do is type into my browser (in private mode so that nothing gets cached): https://my.domain.name/local/dir1/script.js
What I expect and WANT to happen is that I either get a 403 Forbidden error or it just won't load anything. Instead, currently I get to see the full contents of this .js file, which includes information that shouldn't be public, despite putting it in the @excludeDirs.
Why is this so hard in V2 now when it was so simple and straightforward in V1? This seems like a regression if I'm being honest. I'd love to be proven wrong, however, and I really just want these folders to not be proxied recursively.
Going to try to help here. As @francislavoie said above, you'll need to enable file_server. That may be part of the problem. I don't know v1, but from what I gather it was automatically enabled. In v2 you have to enable it. I don't see it in your file.
nas.mydomain.duckdns.org {
	log {
		output file /var/log/caddy/nas.log
		format console
	}
	root * /srv/dev-disk-by-label-HomeDrive/
	@noAccess {
		not path "*/My Pictures/*"
		not path */RESTRICTED/*
		not path "/config files/Caddy2/caddyfilenas.txt"
	}
	file_server @noAccess browse {
		hide RESTRICTED "My Pictures"
	}
	encode gzip
	basicauth {
		username (hashbrown64)
	}
}
Be sure, if your folders/filenames have a space in them, that you use quotes. As you see in mine, I had to completely wrap the 1st and 3rd "not path" in quotes because of the white space contained in them. The 2nd one didn't need quotes.
Also, I chose to not only deny access but hide two of the folders as well. This does, however, hide them from me also when accessing through a browser. I can still get them if I go directly to the hard drive from my Windows PC.
EDIT: Be sure to clear your browser cache after reloading your new config. I had an issue where the caddyfilenas.txt kept allowing me to see it even though I shouldn't have been able to. Once I cleared the cookies/cache, I could no longer access it.
I re-did some tests and it looks like it's actually working now. I used a line for each intro for not path, like @jfirestorm44 did. Not sure if that's what the issue was, but it works now! Thanks for the help everyone.
For documentation sake, I think it would be helpful to add this in the docs, a short tutorial on how to exclude directories and files for a reverse-proxy.