Configuration files (dotfiles) in the root path are publicly visible.
Caddyfile example:
example.com {
    root /var/www/example.com
}
It is possible to access sensitive data like DB credentials, API keys and it is possible to explore the structure of the application to find more security problems (e.g., hidden endpoints like open uploaders and so on). For example, take the .git directory.
Suppose that we use a closed source git repository to maintain version control for example.com. This problem is often missed because when you try to open example.com/.git, an HTTP 404 is returned, but it is only the result of the missing index page. If the attacker knows what to look for like /.git/logs/HEAD or /.git/config, data like development branch, origin URL, commit messages, email IDs of contributors, etc. will be revealed.
To counter this, I use rewrite with regex ((^|\/)\.) to load a 404 page whenever a dotfile is requested.
rewrite {
    r ((^|\/)\.)
    to /location/to/404.html
}
I don't know if there is a better way to do this or not, but it works for me.
What I propose is that these files should be withheld from the user by default and the Caddy web server should return an HTTP 403 until stated otherwise.
Thanks.
Best practice for websites says to have your site index inside a web/ or public/ folder, and keep all your config in the root or in another directory. Changing your project structure will solve all the problems you listed.
Another option is to use https://caddyserver.com/docs/internal
Using a rewrite like you did is also fine.
The problem is that there are legitimate reasons for having dotfiles/dotfolders accessible in many cases, so hiding all of them is a bit of a shotgun approach that would cause some people to be confused. For example, .well-known/.
Normally if you have questions like this they're better directed to https://caddy.community/, since this is the issue/feature requests board... but since you also requested a feature here, I'll leave it open for others to comment in case someone disagrees with me about this 😜
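The two posts above disagree about the same regex: the issue's rewrite pattern ((^|\/)\.) hides every dotfile, and the reply points out that it also hides /.well-known/, which must stay reachable (ACME HTTP-01 challenges live there). The following Go program is an added example, not code from the thread or from the Caddy project; it compiles the issue's pattern with Go's regexp package (the same RE2 engine Caddy uses), shows which request paths the raw pattern catches, and then applies an assumed refinement that exempts /.well-known/ while still blocking a traversal attempt like /.well-known/../.git/config by cleaning the path first. The function names, the sample paths and the exemption rule are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// dotfilePattern is the regex from the issue's rewrite workaround written in
// Go/RE2 syntax: a dot at the start of the path or directly after a slash,
// i.e. any dotfile or dotdirectory segment anywhere in the path.
var dotfilePattern = regexp.MustCompile(`((^|/)\.)`)

// isDotfilePath reports whether the workaround's rewrite would fire for this
// decoded request path. This is the raw rule, with no exemptions.
func isDotfilePath(requestPath string) bool {
	return dotfilePattern.MatchString(requestPath)
}

// wellKnownDir is the RFC 8615 directory that must remain reachable.
// Exempting it is the assumed refinement discussed in the thread, not
// something the issue's own config does.
const wellKnownDir = "/.well-known"

// isWellKnown checks the exemption with a directory boundary: "/.well-known"
// and anything below "/.well-known/" qualify, but a sibling such as
// "/.well-known-other" does not, which a bare prefix test would get wrong.
func isWellKnown(cleanPath string) bool {
	if cleanPath == wellKnownDir {
		return true
	}
	return len(cleanPath) > len(wellKnownDir) &&
		cleanPath[:len(wellKnownDir)+1] == wellKnownDir+"/"
}

// shouldBlock is the refined rule: clean the path so ".." segments cannot
// smuggle a dotfile request past the exemption, then hide every dotfile
// segment except those under /.well-known.
func shouldBlock(requestPath string) bool {
	cleaned := path.Clean("/" + requestPath) // always anchored at "/"
	if isWellKnown(cleaned) {
		return false
	}
	return isDotfilePath(cleaned)
}

// samplePaths are constructed request paths covering ordinary files, the
// .git paths named in the issue, a dotfile below a normal directory, the
// well-known exemption, a look-alike directory and a traversal attempt.
var samplePaths = []string{
	"/index.html",
	"/about.html",
	"/.git/config",
	"/.git/logs/HEAD",
	"/assets/.env",
	"/.well-known/acme-challenge/token",
	"/.well-known-other/x",
	"/.well-known/../.git/config",
}

func main() {
	fmt.Printf("%-38s %-12s %s\n", "path", "raw regex", "refined rule")
	for _, p := range samplePaths {
		fmt.Printf("%-38s %-12t %t\n", p, isDotfilePath(p), shouldBlock(p))
	}
}
```

The raw pattern flags /.well-known/acme-challenge/token exactly as the reply warns, while the refined rule lets it through and still blocks the traversal variant because path.Clean collapses it to /.git/config before matching. In a Caddy v1 rewrite block the same exemption is expressed as an `if {path} not_starts_with /.well-known` line alongside the `r` and `to` lines; whichever form is used, the check should run on the normalized path, not on the raw one.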
Thanks for the review @francislavoie.
I tried to change the structure, and it all broke down. My repository is complicated, and it will take some time to change the structure. Until I fix it, I bodged it with a rewrite. 😄
I will close this now. @muhammadmuzzammil1998 feel free to open a thread on https://caddy.community/ if you have more questions.