I would like to only serve up .html files and nothing else.
4. Error messages and/or full log output:
5. What I already tried:
Reading up on Matchers & Placeholders, not_file & try_file
I think I am in the right area of thought, but very easily could be way off track.
In my head it seems simpler to allow and serve .html and not *.anything else.
At the moment I can manually, or by script make sure the directories only contain .html files but this allows for human error.
@disallowed not path / *.html *.css
redir @disallowed /
So basically, for any requests that are not either to the root of the site (i.e. /, which will be served by index.html automatically due to file_server), or ending in .html or .css, a redirect back to the root of the site will be served.
This also means any images will not be served (typically important to have, like a favicon.ico, or whatever).
This seems like a bad approach to me, I think this is a poor attempt at “security”.
To be unambiguous, the proper way to utilize a web server is to only put files in the web root that you actually want to serve.
In this scenario, when someone requests a file that isn’t .html or .css from your web server, because you didn’t put any such file there, they receive a 404. This is arguably the most “correct” response; it advises the client effectively that you have no such file to give them. This is the default functionality of a web server for this very reason.
Arbitrarily redirecting such requests to the web root index is doable, but not strictly correct behavior (outside of certain contexts, such as SPAs, I guess). It enables you to place non-.html and non-.css files in the web root should you wish to, but again, the best and most secure thing to do here is to simply not put files in the web root unless you want them served.
It’s not strictly correct, when a client requests a resource, for you to redirect them to an unrelated resource.
If they want to ask your web server for some .jpeg or whatever arbitrary file, issuing a redirect explicitly indicates that the resource they requested is in another location. Redirecting them then to the web root index will end up with some very confused clients who have ended up downloading an HTML document instead of the picture they wanted. A better response is 404, which tells the client you don’t have that resource and can’t give it to them. A slightly better alternative to a redirect would be a 403 (Forbidden), which essentially states that your server is refusing to serve any such resource to the client.
It encourages bad habits.
Letting you put files in your web root that you don’t intend to serve might be doable safely but it’s a habit that will bite you in the ass if you should ever take the protections you put in place for granted. The only guarantee that a web server won’t serve a file is to not put that file in the web root. Other protections can fail, or be reconfigured by mistake, or you can simply take that habit and apply it mistakenly where it’s not appropriate (e.g. on another web server where those protections aren’t in place).
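An added example, not part of the thread: a pre-deploy audit that checks the point made above, that the web root should hold only files meant to be served, and catches the human error the original question worries about. It assumes the .html/.css allowlist from the thread; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".html", ".css"}  # assumption: the allowlist used in the thread

def classify(path, root, allowed):
    """Return why `path` should not be in the web root, or None if it is fine."""
    if path.is_symlink():
        target = path.resolve()
        if target != root and root not in target.parents:
            return "symlink leaves web root"
    if path.name.startswith("."):
        return "hidden entry"
    if not path.is_dir() and path.suffix.lower() not in allowed:
        return "extension not on allowlist"
    return None

def audit_web_root(root, allowed=ALLOWED_SUFFIXES):
    """Walk the web root and return sorted (relative_path, reason) findings."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        flagged = set()
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            reason = classify(path, root, allowed)
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
                flagged.add(name)
        dirnames[:] = [d for d in dirnames if d not in flagged]  # skip flagged dirs
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (not taken from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "docs").mkdir(parents=True)
        (root / ".git").mkdir()
        for rel in ("index.html", "style.css", "docs/guide.html",
                    "docs/guide.html.bak", "backup.sql", ".git/config"):
            (root / rel).write_text("constructed sample\n")
        (Path(tmp) / "secret.html").write_text("outside the web root\n")
        os.symlink(Path(tmp) / "secret.html", root / "docs" / "linked.html")
        return audit_web_root(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run as a deploy or CI step, a non-empty result from `audit_web_root` is the signal to stop before the files reach the server.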