-2

When translating my Apache and Nginx configuration to Caddyfile, I'm having a problem with a regular expression. I use the following in Apache to restrict access to files and directories that start with a dot (.) and are not in the .well-known directory.

```
<IfModule mod_authz_core.c>
    <LocationMatch "(^|/)\.(?!well-known/)">
        Require all denied
    </LocationMatch>
</IfModule>
```

This is an Apache configuration block that uses the mod_authz_core module to deny access to any files or directories that begin with a dot (.) in the requested URL path, except those in the .well-known directory:

```
@block {
    path_regexp ^(\/\..*)$
    not path_regexp "^/\.well-known\/.*$"
}
respond @block 403
```

However, I'd like to use a single regular expression without using not path_regexp.

The problem is the negative lookahead syntax in the regexp. The RE2 syntax used by Caddy does not support the (?!pattern) syntax for negative lookaheads.

Now I'm stuck. Even after reading previous questions about this issue, I can't figure out how to solve this. Any ideas?

If you're curious, the Nginx equivalent:

```
location ~* /\.(?!well-known\/) {
  deny all;
}
```
obeN
  • [Here you go](https://regex101.com/r/KShuN1/2), but is this worth it? Why not just use a second regex? – InSync Apr 17 '23 at 14:45
  • Thx, yeah, I guess I'll just stick with a second regexp then. – obeN Apr 17 '23 at 15:03
  • @InSync I'm in a similar situation when using the website SourceGraph, which appears to utilize GoLang with its RE2 syntax for regular expressions. Did you use a tool to create this regex, or did you do it manually? It looks quite complicated. – snoob dogg Apr 20 '23 at 07:55
  • @snoobdogg Is that a question? If so, please post it as a question and not comment. – InSync Apr 20 '23 at 07:58
  • @InSync it's a question about your comment... – snoob dogg Apr 20 '23 at 08:09
  • @snoobdogg At the time of commenting I didn't see the edited version, sorry. I did use a function, which looks like this (JS): `escape = s => s.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&')`/```polyfill = s => [...s].reverse().reduce((p, c) => `(?:${escape(c)}${p}|[^${escape(c)}][^/\\n]*)?`, '[^/\\n]+')```. This isn't guaranteed to be fail-safe, though. – InSync Apr 20 '23 at 08:14
  • @InSync, consider posting it as an answer at the linked duplicate question. I believe it could be useful for future generations. – markalex Apr 20 '23 at 08:19
  • @markalex I don't know Go, so I can't just post an answer with this JS function and say "*Hey, do you know that you can use this slick JavaScript function of mine to generate a Go regex and then paste that in your code?*". – InSync Apr 20 '23 at 08:25
  • @InSync, why not? Not everybody who reads that question uses Go: the current question is an example (and I believe it is not the first and not even the hundredth question closed as a duplicate of it). But everybody has a browser and the possibility to generate such an expression once. – markalex Apr 20 '23 at 08:30
  • [Posted](https://stackoverflow.com/a/76064059). – InSync Apr 20 '23 at 12:31
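
The lookahead-free rewrite raised in the comments above can be generated mechanically and checked against Go's `regexp` package, which implements the RE2 syntax. This Go program is an added example, not code from the question or its commenters; `withoutPrefix`, `blocked` and the sample paths are constructed for illustration, and it assumes an ASCII literal and that the negated prefix is the last element of an unanchored pattern.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// withoutPrefix returns an RE2 fragment that stands in for (?!lit) when it is
// the last element of an unanchored pattern: it matches wherever the text that
// follows does NOT begin with lit. For each position i it emits "the first i
// bytes of lit, then end of input or a byte other than lit[i]".
// Assumption: lit is ASCII, so iterating bytes is safe.
func withoutPrefix(lit string) string {
	alts := make([]string, 0, len(lit))
	for i := 0; i < len(lit); i++ {
		// \xNN avoids escaping rules that differ inside character classes.
		alts = append(alts, fmt.Sprintf(`%s(?:$|[^\x%02x])`, regexp.QuoteMeta(lit[:i]), lit[i]))
	}
	return "(?:" + strings.Join(alts, "|") + ")"
}

// pattern is the lookahead-free form of (^|/)\.(?!well-known/).
// MustCompile panics on syntax RE2 rejects, such as (?!...).
var pattern = `(?:^|/)\.` + withoutPrefix("well-known/")
var dotfile = regexp.MustCompile(pattern)

// blocked reports whether a request path would receive the 403.
func blocked(path string) bool { return dotfile.MatchString(path) }

func main() {
	// Constructed sample paths, not taken from the page.
	for _, p := range []string{
		"/index.html", "/.env", "/app/.git/config", "/a.b/c",
		"/.well-known/acme-challenge/x", "/.well-known", "/.well-known/.htpasswd",
	} {
		fmt.Printf("%-32s blocked=%v\n", p, blocked(p))
	}
	fmt.Println(pattern)
}
```

Note that `/.well-known` without a trailing slash is blocked, exactly as with the original lookahead, and that a dotfile nested under `.well-known/` is still denied.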

1 Answer

0

It’s not possible using a single regex if negative lookaround isn’t supported. This is not something that regexes do other than working around it using the negative lookaround syntax, so if that’s not supported then it’s not possible.