V2: hide entire folder Caddyfile

1. My Caddy version (caddy version):

(devel) Caddyv2 latest commit: 115b877

2. How I run Caddy:

/etc/caddy/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ

a. System environment:

Debian 10 x64 via Systemd

b. Command:

Service v2caddy start

c. Service/unit/compose file:

[Unit]
Description=Caddy v2 Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=root
Group=root
ExecStart=/etc/caddy/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ
ExecReload=/etc/caddy/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile
TimeoutStopSec=5s
LimitNOFILE=8000000
LimitNPROC=8192

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

167.86.123.102:80, [2a02:c207:3004:1207:be:a:bad:babe]:80 {
	redir https://hnrk.io{uri} 301
}
hnrk.io, www.hnrk.io {
	root * /etc/caddy/html
	tls /etc/caddy/hnrk.io.crt /etc/caddy/hnrk.io.key
	encode brotli zstd gzip
	php_fastcgi unix//run/php/php7.4-fpm.sock
	try_files {path} {path}/index.php /index.php?{query}
	header * {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
	}
	file_server /md* browse
	file_server
}

mail.hnrk.io {
	root * /etc/caddy/html/rl
	tls /etc/caddy/hnrk.io.crt /etc/caddy/hnrk.io.key
	encode brotli zstd gzip
	php_fastcgi unix//run/php/php7.4-fpm.sock
	try_files {path} {path}/index.php /index.php?{query}
	header * {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
	}
	file_server /data {
		hide *
	}
	file_server
}

3. The problem I’m having:

Relevant config block is the “mail.hnrk.io” one!

I use Rainloop Webmail and it keeps reporting that subfolder “/data” is accessible, so I’d like to hide this entire folder from external access.


In that “/data” folder, there is an index.php and an index.html whose content is “Forbidden”. Using double file_server directives like in the config above still lets me see index.html and index.php in the data folder; the browser says “Forbidden”.

I’ve also tried these, but Rainloop still reports the warning above:

file_server * {
	hide /data
}
file_server

____________________________________________
file_server * {
	hide /data/*
}
file_server

____________________________________________
file_server /data* {
	hide *
}
file_server

____________________________________________
file_server * {
	hide /data/*
}

6. Links to relevant resources:

Unfortunately, Rainloop documentation does not have an example config for Caddy (v2), maybe if I find a way to hide the data folder properly, I’ll propose one for them :stuck_out_tongue:.

Thanks!

I’ve found the solution:

file_server /data/* {
	hide *
}
file_server

This works as expected and removes the warning in the adminpanel. :smiley:


An alternate solution could be to use the respond directive to return 403 on a path match. I think that would be simpler, a one-liner instead.

respond /data/* "Access denied" 403

If that doesn’t work, then you might need to close the connection like this:

respond /data/* "Access denied" 403 {
	close
}

@HNRK

Almost all your attempts use two file servers, so I expect that the second one will overrule the first one, or something like that.

file_server {
	hide /data
}

Try that?

I also like @francislavoie’s suggestion. The subtle difference is that using respond in that configuration could tell a client that a path/file exists or may exist, whereas with “hide” the behavior is exactly identical to a “Not found” error.


Yeah, could just return 404 instead of 403 if that matters, I was just copying the docs :smile:

That is a good idea, but first, it brings back the warning in the web panel, and second, it lets me see the content of files in subdirectories again.

This works just fine! :smiley: Is there a benefit to using “close” though, when your first one-liner works fine?

Thanks guys for your input.
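As an added illustration of the two approaches discussed in this thread (not a config from the original poster, from the Caddy docs, or from Rainloop), here is a minimal Caddyfile that blocks the “/data” directory with a path matcher and responds exactly like a missing path. The site name mail.example.com, the document root /srv/rainloop and the PHP-FPM socket path are assumptions for the example; substitute your own. The commented-out line is the 403 variant from the suggestion above, kept for comparison.

```caddyfile
mail.example.com {
	root * /srv/rainloop
	encode zstd gzip

	# Weak variant (example only): a 403 still confirms to any client
	# that /data exists, which is the information leak pointed out above.
	# respond /data/* "Access denied" 403

	# Hardened variant: match the directory itself and everything under it,
	# and answer the same way Caddy answers for a path that does not exist.
	@data path /data /data/*
	respond @data 404

	# In the Caddyfile's built-in directive order, respond runs before
	# php_fastcgi and file_server, so a matched /data/... request never
	# reaches PHP-FPM or the file server, whether it ends in .php or not.
	php_fastcgi unix//run/php/php7.4-fpm.sock
	file_server
}
```

Two things to check after reloading: a request for `/data/` and for `/data/index.php` should both return 404 with no body from the directory, and a request for a genuinely nonexistent path such as `/does-not-exist` should return the same status, so the blocked directory is not distinguishable from an absent one.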

Hrmm, that sounds like a bug, then. Like you, I would expect that to hide the /data folder. Maybe we’re not hiding an entire folder if it’s a folder.

Are you able to reproduce this behaviour on your Caddy v2 instances? If so, this may actually be a “bug”.

Haven’t had a chance yet, trying to finish on-demand TLS for the Caddyfile ATM. If you or someone else has a chance to dig into the code to find out why, that’d speed things along!

