caddy: block vuln-scanner probe paths (no-PHP/WP stack) → 403, not the SPA shell
Path-only @junk matcher on upbeatbytes.com (*.php, /wp-*, /.env, /.git, /phpmyadmin, /vendor, etc.) returns 403 instead of falling through try_files to a 200 SPA shell. Never matches by User-Agent, so real users + Googlebot/Bing are untouched. Applied to the live Caddyfile (validated + reloaded) and mirrored into the repo snapshot. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -46,6 +46,16 @@ upbeatbytes.com {
|
||||
encode gzip zstd
|
||||
|
||||
# Drop vuln-scanner probes for stacks we don't run. We're a SvelteKit SPA + FastAPI:
|
||||
# zero PHP, no WordPress, no exposed dotfiles — so these paths can NEVER be a real
|
||||
# user or a wanted search crawler (matching is path-only, never by User-Agent, so
|
||||
# Googlebot/Bing are untouched). Without this they fall through try_files to the SPA
|
||||
# shell and get a 200; now they get a clean 403 (still logged, so probes stay visible).
|
||||
@junk path *.php /wp-admin* /wp-login* /wp-includes* /wp-content* /wp-json* /xmlrpc.php /.env /.env.* /.git /.git/* /phpmyadmin* /pma* /myadmin* /dbadmin* /vendor/* /.aws/* /.ssh/* /cgi-bin/* /administrator/*
|
||||
handle @junk {
|
||||
respond 403
|
||||
}
|
||||
|
||||
# Retired prototype routes (promoted/removed at the news relaunch) → the hub.
|
||||
@oldhome path /home2 /home2.html /home3 /home3.html
|
||||
handle @oldhome {
|
||||
redir https://upbeatbytes.com/ permanent
|
||||
|
||||
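Review bot: Whether `handle @junk` actually runs before the SPA fallback is not decided by its position in the file, so the 403 claimed in the commit message needs to be confirmed against the `try_files` line, which is outside this hunk. In Caddy's default directive order `try_files` (and `rewrite`) is evaluated before `handle`, so if `try_files` is a site-level directive the request path is already rewritten to the SPA shell when `@junk` is checked, and a path-only matcher on `*.php` or `/wp-admin*` will not see the original path; if instead the fallback lives inside its own `handle { try_files ... }` block placed after this one, handle order applies and the 403 wins. The quickest check is `curl -sI https://upbeatbytes.com/wp-login.php` and `curl -sI https://upbeatbytes.com/.env` after reload, expecting `403` rather than `200`; if they return 200, move the fallback into a trailing `handle { try_files {path} /index.html  file_server }` or match on `{http.request.orig_uri.path}` with `path_regexp`. Separately, scanners also send mixed-case and URL-encoded variants (`/WP-ADMIN/`, `/.%65nv`), so it is worth confirming for the running Caddy version that the `path` matcher's case and percent-decoding handling covers them, and noting the verified behavior in the comment above `@junk`.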