V2: hide entire folder Caddyfile

HNRK · March 16, 2020, 9:26pm

1. My Caddy version (`caddy version`):

(devel) Caddyv2 latest commit: 115b877

2. How I run Caddy:

/etc/caddy/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ

a. System environment:

Debian 10 x64 via Systemd

b. Command:

Service v2caddy start

c. Service/unit/compose file:

[Unit]
Description=Caddy v2 Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=root
Group=root
ExecStart=/etc/caddy/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ
ExecReload=/etc/caddy/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile
TimeoutStopSec=5s
LimitNOFILE=8000000
LimitNPROC=8192

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

167.86.123.102:80, [2a02:c207:3004:1207:be:a:bad:babe]:80 {
	redir https://hnrk.io{uri} 301
}
hnrk.io, www.hnrk.io {
	root * /etc/caddy/html
	tls /etc/caddy/hnrk.io.crt /etc/caddy/hnrk.io.key
	encode brotli zstd gzip
	php_fastcgi unix//run/php/php7.4-fpm.sock
	try_files {path} {path}/index.php /index.php?{query}
	header * {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
	}
	file_server /md* browse
	file_server
}

mail.hnrk.io {
	root * /etc/caddy/html/rl
	tls /etc/caddy/hnrk.io.crt /etc/caddy/hnrk.io.key
	encode brotli zstd gzip
	php_fastcgi unix//run/php/php7.4-fpm.sock
	try_files {path} {path}/index.php /index.php?{query}
	header * {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
	}
	file_server /data {
		hide *
	}
	file_server
}

3. The problem I’m having:

Relevant config block is the “mail.hnrk.io” one!

I use Rainloop Webmail and it keeps reporting that subfolder “/data” is accessible, so I’d like to hide this entire folder from external access.

In that “/data”-folder, there is an index.php and index.html, whose content is “Forbidden”. Using double file_server directives like above config still lets me see index.html and .php in data-folder, browser says “Forbidden”.

I’ve also tried these, but still rainloop reports me the warning above:

file_server * {
	hide /data
}
file_server

____________________________________________
file_server * {
	hide /data/*
}
file_server

____________________________________________
file_server /data* {
	hide *
}
file_server

____________________________________________
file_server * {
	hide /data/*
}

6. Links to relevant resources:

Unfortunately, Rainloop documentation does not have an example config for Caddy (v2), maybe if I find a way to hide the data folder properly, I’ll propose one for them .

Thanks!

HNRK · March 16, 2020, 9:33pm

I’ve found the solution:

file_server /data/* {
	hide *
}
file_server

This works as expected and removes the warning in the adminpanel.

francislavoie · March 16, 2020, 9:53pm

An alternate solution could be to use the respond directive to return 403 on a path match. I think that would be simpler, one-liner instead.

respond /data/* "Access denied" 403

If that doesn’t work, then you might need to close the connection like this:

respond /data/* "Access denied" 403 {
	close
}

matt · March 16, 2020, 10:14pm

@HNRK

Almost all your attempts use two file servers, so I expect that the second one will overrule the first one, or something like that.

file_server {
	hide /data
}

Try that?

I also like @francislavoie’s suggestion. The subtle difference is that using respond in that configuration could tell a client that a path/file exists or may exist, whereas with “hide” the behavior is exactly identical to a “Not found” error.

francislavoie · March 16, 2020, 10:25pm

Yeah, could just return 404 instead of 403 if that matters, I was just copying the docs

HNRK · March 17, 2020, 6:56am

That is a good idea, but it first does bring back the warning in the webpanel, and second, lets me see file content of files in subdirectories again.

This works just fine! Is there a benefit to use “close” though when your first one liner works fine?

Thanks guys for your input.

matt · March 17, 2020, 3:20pm

Hrmm, that sounds like a bug, then. Like you, I would expect that to hide the /data folder. Maybe we’re not hiding an entire folder if it’s a folder.

HNRK · March 17, 2020, 4:41pm

Are you able to reproduce this behaviour on your Caddy v2 instances? If so, this may actually be a “bug”.

matt · March 17, 2020, 4:41pm

Haven’t had a chance yet, trying to finish on-demand TLS for the Caddyfile ATM. If you or someone else has a chance to dig into the code to find out why, that’d speed things along!

system · April 16, 2020, 4:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.