Hello,
I use Caddy server to run a Kirby 3 project. When I check the Kirby settings menu, three security alerts are displayed:
“The content folder seems to be exposed”
“The kirby folder seems to be exposed”
“The site folder seems to be exposed”
Yet I block access to these folders in my server configuration file, as you can see below.
Caddyfile:

```caddyfile
xxx.com {
    root * /xxx/www/
    encode gzip
    php_fastcgi unix//run/php/php8.1-fpm.sock
    # Enable https
    tls info@example.com {
        protocols tls1.2 tls1.3
    }
    file_server
    header {
        Strict-Transport-Security max-age=31536000;
        X-Frame-Options DENY
        Referrer-Policy no-referrer-when-downgrade
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
    }
    @blocked {
        path /.* /content/* /site/* /kirby/* *.txt *.md *.mdown
    }
    redir @blocked /
}
```
Is there some other Caddy user here? Do you have the same alert displayed by Kirby?
If not, can you share your Caddyfile?
Thx
texnixe
November 10, 2022, 8:07pm
Are these URLs output by these method calls really not reachable?

```php
$system = $kirby->system();
dump($system->exposedFileUrl('kirby'));
dump($system->exposedFileUrl('site'));
dump($system->exposedFileUrl('git'));
dump($system->exposedFileUrl('content'));
```
None of these output URLs are reachable; the redirection to the root path / works.
texnixe
November 11, 2022, 6:33am
I’m not familiar with Caddy at all, but if you redirect to somewhere else, there is no error, right? Check if it works when you remove the redirect.
There shouldn’t be a redirect but an error response, e.g. with error code HTTP 404. For Kirby, the redirect is a successful response, which triggers the warnings.
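As an added illustration of the point above (this is not code from the thread or from Kirby itself), the script below simulates the exposure check against the two Caddy behaviours discussed: a `redir @blocked /` that answers 302, and a `respond ... 404` that answers with an error. The probe paths and the "status below 400 counts as reachable" rule are assumptions modelled on the explanation in this thread, not Kirby's actual file names or source.

```python
"""Simulate a Kirby-style "folder exposed" check against a redirect vs. a 404 response."""
import http.client
import http.server
import threading
from typing import Dict

# Constructed probe paths standing in for the URLs exposedFileUrl() returns.
# Assumption: the real file names differ; only the blocked folder prefix matters here.
PROBES = {
    "content": "/content/site.txt",
    "site": "/site/config/config.php",
    "kirby": "/kirby/composer.json",
}
BLOCKED_PREFIXES = ("/content/", "/site/", "/kirby/")


class FakeCaddy(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the two Caddyfile variants in the thread."""

    # "redirect" mimics `redir @blocked /`; "error" mimics `respond @blocked "Not Found" 404`
    mode = "redirect"

    def do_GET(self):
        if self.path.startswith(BLOCKED_PREFIXES):
            if self.mode == "redirect":
                self.send_response(302)
                self.send_header("Location", "/")
                self.end_headers()
            else:
                self.send_response(404)
                self.end_headers()
                self.wfile.write(b"Not Found")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"home")

    def log_message(self, *args):
        pass  # keep the simulation quiet


def start_server(mode: str) -> http.server.HTTPServer:
    """Bind a fake server on a free loopback port and serve it in the background."""
    handler = type("Handler", (FakeCaddy,), {"mode": mode})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_status(port: int, path: str) -> int:
    """GET a path without following redirects (http.client never follows them)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def is_exposed(status: int) -> bool:
    # Assumption mirroring the explanation in the thread: anything that is not an
    # error response (status below 400) counts as a successful, i.e. exposed, fetch.
    return status < 400


def check_folders(port: int) -> Dict[str, bool]:
    """Return {folder: exposed?} for every probe path."""
    return {folder: is_exposed(probe_status(port, path)) for folder, path in PROBES.items()}


def run_scenario(mode: str) -> Dict[str, bool]:
    """Spin up the fake server in the given mode, run the check, and tear it down."""
    srv = start_server(mode)
    try:
        return check_folders(srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for mode in ("redirect", "error"):
        print(mode, run_scenario(mode))
```

Running it shows every folder reported as exposed in `redirect` mode and none in `error` mode, which is why the warnings only disappear once the blocked paths produce an error status instead of a redirect.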
Thanks @texnixe and @lukasbestle for your help and precision. I can redirect these paths to a non-existing page to generate a 404 error code. Like this, Kirby will not display the warning messages anymore, my folders are protected (which is the most important) and my client will be reassured.
Instead of the redirect, you could also respond with an error directly:

```caddyfile
respond @blocked "Not Found" 404 {
    close
}
```