LoginGet PDF Embedder

PDF Embedder Documentation

Documentation, Reference Materials, and Tutorials for PDF Embedder

Get access to
Powerful Features!

Mobile-Ready PDF Viewer

Secure PDF Sharing

Dynamic Watermark Protection

Track Document Performance

…and much more

Get PDF Embedder →
Home » Documentation » Guides & Configuration » Serving protected PDF files under Caddy

Serving protected PDF files under Caddy

PDF Embedder Secure feature is a Pro plan feature.

Upgrade your license to unlock the PDF Embedder Secure feature and other powerful features.

Running PDF Embedder Secure on a Caddy server? The plugin automatically protects the /securepdfs/ directory on Apache using .htaccess, but Caddy does not support .htaccess. Without a manual configuration change, your protected PDFs remain directly accessible.

This guide covers how to add the required block to your Caddyfile so Caddy enforces PDF Embedder Secure’s access restrictions.

Why Caddy Needs Extra Configuration

When you enable the Secure PDFs option in our PDF Embedder Premium plugin, all protected files are stored at:

/wp-content/uploads/securepdfs/

On Apache, the plugin blocks direct access to this path automatically via .htaccess. Caddy has no equivalent per-directory configuration mechanism, so the same rule must be added directly to the Caddyfile.

Configuring the Caddyfile

Open your Caddyfile and add the following block at the same level as your root directive:

handle_path /wp-content/uploads/securepdfs* {
    @allow_local {
        remote_ip 127.0.0.1
    }

    @allowed_files {
        path *.jpg *.png *.gif *.mp3 *.ogg
    }

    route {
        handle @allow_local {
            reverse_proxy http://127.0.0.1:6776
        }

        handle @allowed_files {
            respond "Allowed" 200
        }

        respond "Forbidden" 403
    }
}
Code language: JavaScript (javascript)

This configuration denies direct access to all files in the securepdfs directory except image and audio files. Requests from localhost (127.0.0.1) are forwarded to the PDF Embedder proxy on port 6776, which validates user permissions before delivering the file.

After editing the Caddyfile, save it and reload the Caddy server for the configuration to take effect. For reference on Caddyfile syntax, see the official Caddy documentation.

Verifying the Configuration

After reloading Caddy, confirm the embedded PDF still displays on the front end. Then test that direct access is blocked by copying the PDF URL from your shortcode or block:

https://example.com/wp-content/uploads/securepdfs/2025/01/file.pdf
Code language: JavaScript (javascript)

Paste it directly into a browser. A 403 Forbidden error confirms the configuration is working. If the PDF loads, check that the block is placed at the correct level in the Caddyfile and that Caddy has been reloaded.

Still have questions? We’re here to help!

Submit a Support Ticket
Contact Us

Last Modified: