Restricting Files & Paths in Caddy

I received an email today from an independent security researcher which detailed a vulnerability in pdemro.com. I am using a pretty old version of the Ghost docker image which apparently serves a directory which is a Git repository (including a .git folder). The vulnerability exploited my permissive Caddy configuration to access the git HEAD. To reproduce, the researcher built a robot to hit websites at
The blog offers examples of Nginx and Apache configurations which address the vulnerability, but sadly leaves out Caddy! Here is my best shot at a Caddy config which mimics the suggested Nginx and Apache versions. From what I can tell, Caddy doesn't have a Deny verb, but it does have a rewrite which seems to fit:
Caddyfile
    pdemro.com www.pdemro.com {
        # <other config stuff>
        # Send any request whose path contains "/." (for example /.git/HEAD) to the site root
        rewrite {
            r /\..*
            to /
        }
    }
Nginx Similar
    location ~ /\.(?!well-known\/) {
        deny all;
    }
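As an added example (not code from the original post), the Go program below compares which request paths the Caddy rule and the Nginx rule cover. It assumes Caddy applies the `r` pattern as an unanchored Go regexp to the URL path; the function names and sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// caddyRule is the pattern from the Caddyfile rewrite block above.
// Assumption: it is matched unanchored against the request path.
var caddyRule = regexp.MustCompile(`/\..*`)

// lookaheadCompiles reports whether Go's regexp engine accepts the Nginx
// pattern. Go's RE2 syntax has no lookahead, so it is expected to fail.
func lookaheadCompiles() bool {
	_, err := regexp.Compile(`/\.(?!well-known\/)`)
	return err == nil
}

// caddyRewrites reports whether the Caddy rule would rewrite path to "/".
func caddyRewrites(path string) bool {
	return caddyRule.MatchString(path)
}

// nginxDenies emulates the Nginx location without lookahead: deny when any
// "/." in the path is not the start of "/.well-known/".
func nginxDenies(path string) bool {
	for i := 0; i < len(path); i++ {
		rest := path[i:]
		if strings.HasPrefix(rest, "/.") && !strings.HasPrefix(rest, "/.well-known/") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample paths, not taken from the post.
	paths := []string{"/.git/HEAD", "/content/.env",
		"/.well-known/security.txt", "/assets/site.v1.css", "/"}
	for _, p := range paths {
		fmt.Printf("%-28s caddy=%-5v nginx=%v\n", p, caddyRewrites(p), nginxDenies(p))
	}
	fmt.Println("lookahead compiles in Go:", lookaheadCompiles())
}
```

Both rules cover dotfiles at any depth, but the Caddy pattern also matches paths under /.well-known/, which the Nginx rule exempts; the lookahead that provides that exemption does not compile in Go's regexp package, so it cannot be pasted into the `r` line as-is.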
Title Image Florence 11 by TeacherPouch LLC / CC BY-SA-NC 3.0