1. The problem I’m having:
I am trying to load an image via img-src in the default HTML (e.g. https://website.com/index.html) and it does not load. I can browse/view the image directly (I know it is not a path issue); it just doesn’t load from the HTML. I have tried messing around with the Content-Type header (you’ll see in my config), and various other things I have read online. After trying all of them, I still cannot figure it out. You will notice that I have the rest of my headers disabled, which is how I troubleshot that it was the Content-Type messing me up. Any thoughts or help would be appreciated. Many thanks.
2. Error messages and/or full log output:
No error message, the image just does not show. It appears broken when viewing the HTML in a browser.
3. Caddy version:
v2.11.4
4. How I installed and ran Caddy:
I followed the main Caddy Installation Instructions.
4a. System environment:
Debian Trixie
4b. Command:
N/A
4d. My complete Caddy config:
{
    # General Options
    https_port 443
    ocsp_stapling off
    servers {
        0rtt off
        protocols h1 h2 h3
    }
}
https://website.com {
    method / GET
    # Serve static files from the specified directory
    root * /usr/share/caddy
    file_server
    # Modern TLS constraints
    tls security@website.com
    tls {
        protocols tls1.3
    }
    # Security Headers (HSTS is a must for "good" TLS)
    header {
        # Other standard security hardening
        #Access-Control-Allow-Origin "https://9defense.dev"
        #Cache-Control "no-cache, no-store, must-revalidate"
        #Content-Security-Policy "default-src 'self'; script-src 'self' 'strict-dynamic'; img-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; frame-src 'none'; connect-src 'self'; form-action 'self'; require-trusted-types-for 'script'; upgrade-insecure-requests"
        Content-Type "text/html; image/jpeg; image/png; image/jpg; image/svg+xml; image/svg; charset=utf-8"
        #Cross-Origin-Embedder-Policy "require-corp"
        #Cross-Origin-Opener-Policy "same-origin"
        #Cross-Origin-Resource-Policy "same-site"
        #encode zstd gzip
        #Expires "-1"
        #Permissions-Policy "accelerometer=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), usb=(), xr-spatial-tracking=()"
        #Pragma "no-cache"
        #ProxyVia "block"
        #Referrer-Policy "no-referrer"
        #Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        #X-Content-Type-Options "nosniff"
        #X-Frame-Options "DENY"
        #X-Permitted-Cross-Domain-Policies "master-only"
        #X-Robots-Tag "noindex, nofollow"
        -Server
        -Via
        -X-Powered-By
    }
    # Configure access logging in JSON format for monitoring
    log {
        output file /var/log/caddy/access.log
        format json
    }
}
5. What I already tried, and links to relevant resources:
I pretty much tried everything I could find via Google and Duck Duck Go AIs.
Assistance disclosure
Post written by myself, but AI used for research.
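Added example, not part of the original post: a Content-Type value carries one media type followed by name=value parameters, so this Python check parses the header value from the config above and compares the declared type with the body's leading bytes. The function names and the sample PNG bytes are constructed for illustration.

```python
import re

# Header value copied from the Caddyfile in the post.
PAGE_HEADER = ("text/html; image/jpeg; image/png; image/jpg; "
               "image/svg+xml; image/svg; charset=utf-8")

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"          # RFC 9110 token
MEDIA_TYPE = re.compile(rf"^({TOKEN})/({TOKEN})$")
PARAM = re.compile(rf'^({TOKEN})=({TOKEN}|"[^"]*")$')

# Leading bytes of common image formats (well-known signatures).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF8": "image/gif",
}

def parse_content_type(value):
    """Return (media_type, params, malformed_segments) for one header value."""
    # Simplification: assumes no ';' inside quoted parameter values.
    first, *rest = [part.strip() for part in value.split(";")]
    media_type = first.lower() if MEDIA_TYPE.match(first) else None
    params, malformed = {}, []
    for segment in rest:
        m = PARAM.match(segment)
        if m:
            params[m.group(1).lower()] = m.group(2).strip('"')
        else:
            malformed.append(segment)  # e.g. "image/png" is not name=value
    return media_type, params, malformed

def sniff(body):
    """Guess the media type from the first bytes of the body, or None."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def audit(header_value, body):
    """List the problems with serving `body` under `header_value`."""
    media_type, _, malformed = parse_content_type(header_value)
    findings = []
    if media_type is None:
        findings.append("no valid type/subtype")
    if malformed:
        findings.append(f"segments that are not parameters: {malformed}")
    actual = sniff(body)
    if actual and media_type and actual != media_type:
        findings.append(f"declared {media_type} but body looks like {actual}")
    return findings

# Constructed sample: PNG signature plus filler, standing in for a real file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

Calling `audit(PAGE_HEADER, SAMPLE_PNG)` reports both the five segments that are not parameters and the text/html versus image/png mismatch, while `audit("image/png", SAMPLE_PNG)` returns an empty list.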