Oh indeed, sorry:
~ $ curl -vL mlaparie.fr/work/
* Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /work/ HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/work/
< Server: Caddy
< Date: Thu, 17 Dec 2020 15:57:29 GMT
< Content-Length: 0
<
* Closing connection 0
* Issue another request to this URL: 'https://mlaparie.fr/work/'
* Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=mlaparie.fr
* start date: Nov 20 23:06:19 2020 GMT
* expire date: Feb 18 23:06:19 2021 GMT
* subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1f3bad0)
> GET /work/ HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< cache-control: no-store, no-cache, must-revalidate
< content-type: text/html;charset=utf-8
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< pragma: no-cache
< server: Caddy
< set-cookie: PHPSESSID=njfvrsu86b70qq0j7peqhvkhvm; path=/
< content-length: 2110
< date: Thu, 17 Dec 2020 15:57:30 GMT
<
<!DOCTYPE html><html class="no-js" lang="en"><head><meta charset="utf-8"><meta http-equiv="x-ua-compatible" content="ie=edge"><title>index - powered by h5ai v0.29.0 (https://larsjung.de/h5ai/)</title><meta name="description" content="index - powered by h5ai v0.29.0 (https://larsjung.de/h5ai/)"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/work/_h5ai/public/images/favicon/favicon-16-32.ico"><link rel="apple-touch-icon-precomposed" type="image/png" href="/work/_h5ai/public/images/favicon/favicon-152.png"><link rel="stylesheet" href="/work/_h5ai/public/css/styles.css"><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Ubuntu:300,400,700%7CUbuntu+Mono:400,700" class="x-head"><style class="x-head">#root,input,select{font-family:"Ubuntu","Roboto","Helvetica","Arial","sans-serif"!important}pre,code{font-family:"Ubuntu Mono","Monaco","Lucida Sans Typewriter","monospace"!important}</style></head><body class="index" id="root"><div id="fallback-hints"><span class="backlink"><a href="https://larsjung.de/h5ai/" title="h5ai v0.29.0 - Modern HTTP web server index.">powered by h5ai</a></span></div><div id="fallback"><table><tr><th class="fb-i"></th><th class="fb-n"><span>Name</span></th><th class="fb-d"><span>Last modified</span></th><th class="fb-s"><span>Size</span></th></tr><tr><td class="fb-i"><img src="/work/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/work/data-reports/">data-reports</a></td><td class="fb-d">2017-09-14 16:44</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/work/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/work/presentations/">presentations</a></td><td class="fb-d">2020-11-30 13:10</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/work/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/work/projects/">projects</a></td><td class="fb-d">2017-08-07 01:11</td><td class="fb-s"></td></tr></table></div><* Connection #1 to host mlaparie.fr left intact
/body></html><!-- h5ai v0.29.0 - https://larsjung.de/h5ai/ -->
~ $ curl -vL mlaparie.fr/misc/
* Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /misc/ HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/misc/
< Server: Caddy
< Date: Thu, 17 Dec 2020 15:57:36 GMT
< Content-Length: 0
<
* Closing connection 0
* Issue another request to this URL: 'https://mlaparie.fr/misc/'
* Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=mlaparie.fr
* start date: Nov 20 23:06:19 2020 GMT
* expire date: Feb 18 23:06:19 2021 GMT
* subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x21f4ad0)
> GET /misc/ HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< cache-control: no-store, no-cache, must-revalidate
< content-type: text/html;charset=utf-8
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< pragma: no-cache
< server: Caddy
< set-cookie: PHPSESSID=snl8e541vhuql4tvcn8pjpuuea; path=/
< date: Thu, 17 Dec 2020 15:57:36 GMT
<
<!DOCTYPE html><html class="no-js" lang="en"><head><meta charset="utf-8"><meta http-equiv="x-ua-compatible" content="ie=edge"><title>index - powered by h5ai v0.29.0 (https://larsjung.de/h5ai/)</title><meta name="description" content="index - powered by h5ai v0.29.0 (https://larsjung.de/h5ai/)"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/misc/_h5ai/public/images/favicon/favicon-16-32.ico"><link rel="apple-touch-icon-precomposed" type="image/png" href="/misc/_h5ai/public/images/favicon/favicon-152.png"><link rel="stylesheet" href="/misc/_h5ai/public/css/styles.css"><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Ubuntu:300,400,700%7CUbuntu+Mono:400,700" class="x-head"><style class="x-head">#root,input,select{font-family:"Ubuntu","Roboto","Helvetica","Arial","sans-serif"!important}pre,code{font-family:"Ubuntu Mono","Monaco","Lucida Sans Typewriter","monospace"!important}</style></head><body class="index" id="root"><div id="fallback-hints"><span class="backlink"><a href="https://larsjung.de/h5ai/" title="h5ai v0.29.0 - Modern HTTP web server index.">powered by h5ai</a></span></div><div id="fallback"><table><tr><th class="fb-i"></th><th class="fb-n"><span>Name</span></th><th class="fb-d"><span>Last modified</span></th><th class="fb-s"><span>Size</span></th></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/misc/800px/">800px</a></td><td class="fb-d">2019-08-11 16:40</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/misc/gear/">gear</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/misc/iceland/">iceland</a></td><td class="fb-d">2017-08-07 01:06</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/misc/Kittens/">Kittens</a></td><td class="fb-d">2017-08-07 01:06</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/misc/media/">media</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/folder.png" alt="folder"/></td><td class="fb-n"><a href="/misc/N900/">N900</a></td><td class="fb-d">2017-08-07 01:06</td><td class="fb-s"></td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/001as.jpg">001as.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">399 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/17.html">17.html</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">42 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/20150419_001.jpg">20150419_001.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">425 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/20150419_003.jpg">20150419_003.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">640 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/20150419_004.jpg">20150419_004.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">632 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/%5BGroup%206%5D-IMG_2152_IMG_2164-13%20images-2.tif">[Group 6]-IMG_2152_IMG_2164-13 images-2.tif</a></td><td class="fb-d">2017-08-07 01:05</td><td class="fb-s">347803 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Coil%20whine%2020170731.mp3">Coil whine 20170731.mp3</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">694 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Conqu%C3%A9rants%20-%20Processionnaire%20du%20pin%20-%20Arte%2025.09.2013.mp4">Conquérants - Processionnaire du pin - Arte 25.09.2013.mp4</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">802964 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/DSC00462.jpg">DSC00462.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">3229 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/DSC00462Crop100.jpg">DSC00462Crop100.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">230 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/D%C3%A9part%20Crozet.MTS">Départ Crozet.MTS</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">143628 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Enfants_de_l_ocean_roadtrip_teaser.mp4">Enfants_de_l_ocean_roadtrip_teaser.mp4</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">49843 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Extatosoma.webm">Extatosoma.webm</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">8141 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/GameData-2014-05-08.7z">GameData-2014-05-08.7z</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">475705 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/IMG_2677.jpg">IMG_2677.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">189 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/IMG_3278.jpg">IMG_3278.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">5865 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Jolla-concept.png">Jolla-concept.png</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">2328 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/KSP-2014-04-21.7z">KSP-2014-04-21.7z</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">435675 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Orion%20Nebula%202.jpg">Orion Nebula 2.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">231 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Orion%20Nebula%203.jpg">Orion Nebula 3.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">639 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Orion%20Nebula.jpg">Orion Nebula.jpg</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">194 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/revealjs.png">revealjs.png</a></td><td class="fb-d">2017-08-07 01:05</td><td class="fb-s">213 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Roadtrip1-1920x1080_30fps_h264.mp4">Roadtrip1-1920x1080_30fps_h264.mp4</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">24544 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Solar%20eclipse%20%2820140320%2C%20Vik%2C%20Iceland%29_25%20FPS.mp4">Solar eclipse (20140320, Vik, Iceland)_25 FPS.mp4</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">1557 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Solar%20eclipse%202015-03-20.gif">Solar eclipse 2015-03-20.gif</a></td><td class="fb-d">2017-08-07 01:04</td><td class="fb-s">888 KB</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/tree.js">tree.js</a></td><td class="fb-d">2017-08-07 01:05</td><td class="fb-s">6 KB* Connection #1 to host mlaparie.fr left intact
</td></tr><tr><td class="fb-i"><img src="/misc/_h5ai/public/images/fallback/file.png" alt="file"/></td><td class="fb-n"><a href="/misc/Un%20jour%20%C3%A0%20Crozet%20%28PO%20SBP%29.mpg">Un jour Ă Crozet (PO SBP).mpg</a></td><td class="fb-d">2017-08-07 01:05</td><td class="fb-s">1152909 KB</td></tr></table></div></body></html><!-- h5ai v0.29.0 - https://larsjung.de/h5ai/ -->
~ $ curl -vL mlaparie.fr/misc/800px/_DSC2891s.jpg
* Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /misc/800px/_DSC2891s.jpg HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/misc/800px/_DSC2891s.jpg
< Server: Caddy
< Date: Thu, 17 Dec 2020 15:57:57 GMT
< Content-Length: 0
<
* Closing connection 0
* Issue another request to this URL: 'https://mlaparie.fr/misc/800px/_DSC2891s.jpg'
* Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=mlaparie.fr
* start date: Nov 20 23:06:19 2020 GMT
* expire date: Feb 18 23:06:19 2021 GMT
* subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xe5dad0)
> GET /misc/800px/_DSC2891s.jpg HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< accept-ranges: bytes
< content-type: image/jpeg
< etag: "ouadhq5et1"
< last-modified: Sun, 06 Aug 2017 23:05:50 GMT
< server: Caddy
< content-length: 252469
< date: Thu, 17 Dec 2020 15:57:57 GMT
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* stopped the pause stream!
* Connection #1 to host mlaparie.fr left intact
If I understand correctly, this shows that everything is served without authentication despite the basicauth block, correct?