[file_server] Caddy is not verifying etags from etag files

[Pizmovc]

Some background
I'm using NixOS as my server OS with Caddy serving my blog and other sites. I've set it up so that it is serving the files directly from the Nix store. What is important to know here is that when building with Nix it strips all timestamps from files, so no modification times are present (found a somewhat related issue). So since Caddy can't use modification times to respond to If-Modified-Since header, since files are seemingly never modified, it always responds with 304 Not Modified, breaking caching for my blog. So far Caddy is behaving as expected.

So I've modified my Caddyfile to force Caddy to use ETags with the following config:

luka.korosec.cc {
	header {
		-Last-Modified
	}
	file_server {
		etag_file_extensions .etag
	}
	root * /nix/store/3gsfndbnp4v4z0k7cs12b82vqvvpqxr7-tech-blog-1.0.0
	encode gzip
}

I've removed the Last-Modified header (so browsers can't use If-Modified-Since header), and added etag_file_extensions. I generate the ETag files during Nix build and Caddy correctly uses them as etag header. Up till now, I can't fault Caddy for anything, but what follows is a Caddy bug I think.

The bug
Here is what I think shows a bug:

1. Make initial request: curl -v https://luka.korosec.cc
2. Note the ETag in response: etag: b79e32c68bbcbbf5599c452748e903f6
3. Make conditional request: curl -v -H "If-None-Match: b79e32c68bbcbbf5599c452748e903f6" https://luka.korosec.cc
4. Observe that server returns 200 OK instead of 304 Not Modified

curl session

❯ curl -v https://luka.korosec.cc
[...]
> GET / HTTP/2
> Host: luka.korosec.cc
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< accept-ranges: bytes
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< etag: b79e32c68bbcbbf5599c452748e903f6
< server: Caddy
< vary: Accept-Encoding
< content-length: 1485
< date: Fri, 27 Jun 2025 19:07:19 GMT
<
<!DOCTYPE html>
[...]

❯ curl -v -H "If-None-Match: b79e32c68bbcbbf5599c452748e903f6" https://luka.korosec.cc
[...]
> GET / HTTP/2
> Host: luka.korosec.cc
> User-Agent: curl/8.7.1
> Accept: */*
> If-None-Match: b79e32c68bbcbbf5599c452748e903f6
>
* Request completely sent off
< HTTP/2 200
< accept-ranges: bytes
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< etag: b79e32c68bbcbbf5599c452748e903f6
< server: Caddy
< vary: Accept-Encoding
< content-length: 1485
< date: Fri, 27 Jun 2025 19:09:07 GMT
<
<!DOCTYPE html>
[...]

root directory files

❯ ls -lah /nix/store/3gsfndbnp4v4z0k7cs12b82vqvvpqxr7-tech-blog-1.0.0
dr-xr-xr-x root root    82 B  1970-01-01 01:00:01 📂 ./
drwxrwxr-t root nixbld  11 MB 2025-06-27 05:08:40 📂 ../
dr-xr-xr-x root root   164 B  1970-01-01 01:00:01 📂 css/
dr-xr-xr-x root root   462 B  1970-01-01 01:00:01 📂 fonts/
dr-xr-xr-x root root   172 B  1970-01-01 01:00:01 📂 img/
dr-xr-xr-x root root     8 B  1970-01-01 01:00:01 📂 posts/
.r--r--r-- root root   1.5 KB 1970-01-01 01:00:01 📄 index.html
.r--r--r-- root root    33 B  1970-01-01 01:00:01 📄 index.html.etag

❯ cat /nix/store/3gsfndbnp4v4z0k7cs12b82vqvvpqxr7-tech-blog-1.0.0/index.html.etag
b79e32c68bbcbbf5599c452748e903f6

What should happen
When the If-None-Match header matches the current ETag, the server should return 304 Not Modified with no response body.

I'm running Caddy version 2.10.0.

[mholt]

Does this related issue offer any plausible explanation? #5550

I seem to remember a lot of friction with the NixOS community over this, maybe in a separate repo though.

[Pizmovc]

Hm, looking at the linked issue, I think it explains how we got to this point, specifically why I had to remove the Last-Modified header and how I had to explicitly enable setting ETags (via the etag_file_extensions), since they were not generated (as a result of the linked issue).

The problem that I'm having now is that Caddy does not properly handle If-None-Match headers.

[WeidiDeng]

Etag must be quoted with ", see rfc7232 for examples.

@Pizmovc You need to quote the etag header with " to use If-None-Match:

curl -v -H "If-None-Match: \"b79e32c68bbcbbf5599c452748e903f6\"" https://luka.korosec.cc

When reading etags from a file, caddy won't wrap them with quotes.

The correct etag header in the response should be

etag: "b79e32c68bbcbbf5599c452748e903f6"

The original pr that introduce Etag override clearly used quotes when setting the header.

@Pizmovc You can modify you checksum generation scripts to add quotes around them. I'll need to discuss with @mholt to decide if caddy should quote the header if it's not quoted.

[Pizmovc]

That did it! Thanks.

So I modified my build script to quote the ETag in files, now they contain quoted string and I get the 304 response correctly.

cat etag file and curl page

❯ cat result/index.html.etag
"650ee4842695a5badc115704c1088911"

❯ curl -v -H "If-None-Match: \"650ee4842695a5badc115704c1088911\"" https://luka.korosec.cc
[...]
> GET / HTTP/2
> Host: luka.korosec.cc
> User-Agent: curl/8.13.0
> Accept: */*
> If-None-Match: "650ee4842695a5badc115704c1088911"
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 304
< alt-svc: h3=":443"; ma=2592000
< etag: "650ee4842695a5badc115704c1088911"
< server: Caddy
< vary: Accept-Encoding
< date: Sat, 28 Jun 2025 18:21:12 GMT
<
* Connection #0 to host luka.korosec.cc left intact

In the browser on first request I get 200 response with header

etag: "650ee4842695a5badc115704c1088911-gzip"

refreshing the page, sends request header:

If-None-Match: "650ee4842695a5badc115704c1088911-gzip"

and gets 304 response with the header:

etag: "650ee4842695a5badc115704c1088911"

So from my side we can consider the original ticket as 'resolved'. It works if using quoted ETags in the sidecar files.

It feels a bit weird sometimes getting -gzip suffix and sometimes not, but I get why it happens.

Thank you both for your time. Feel free to close this issue if you see it fit.

It was quite confusing for me getting to this point. In the file_server docs there is no mention of etag_file_extensions and in the JSON docs it is (that is how I found it), but it did not mention the quotes. Should these two docs match? Perhaps I can update the docs regarding this a bit?

[mholt]

Yeah, our JSON docs generator has a bug in that it sometimes shows an older version of the JSON docs, rather than the latest.

We could definitely update the Caddyfile docs for it though.