Resource exhaustion due to missing static assets proxying to frankenphp-worker

[eugene-nuwber]

Octane Version

2.9

Laravel Version

12

PHP Version

8.4

What server type are you using?

FrankenPHP

Server Version

1.12

Database Driver & Version

No response

Description

The current Caddy configuration template for FrankenPHP utilizes a broad try_files directive:
try_files {path} frankenphp-worker.php

This logic causes all requests for non-existent static files (e.g., versioned assets like app-v123.js after a deployment) to be forwarded to the PHP worker. In high-traffic environments, a surge of requests for missing assets triggers unnecessary PHP process execution, leading to worker saturation, increased CPU/Memory overhead, and potential system failure.

Technical Impact

• Performance: High overhead for 404 responses that should be handled at the web-server level.
• Stability: Potential DoS condition when static asset paths are brute-forced or when client-side caches request deprecated versioned files.
• Resource Allocation: PHP workers are occupied by I/O-bound requests for missing files instead of processing dynamic application logic.

Proposed Solution
Refactor the Caddyfile logic to isolate static file handling. A dedicated matcher for common file extensions should be implemented to ensure that if a static file is not found on disk, Caddy returns a 404 Not Found immediately, bypassing the php_server or php_dispatch logic.

Recommended Configuration Change
Define a matcher for static assets and handle them via file_server exclusively:

@static {
    path *.css *.js *.mjs *.map *.ico *.png *.jpg *.jpeg *.gif *.svg *.webp *.avif *.woff *.woff2 *.ttf *.otf *.eot *.mp4 *.webm *.ogg *.mp3 *.wav *.pdf *.zip *.txt *.xml *.json *.wasm *.webmanifest *.manifest
}

file_server @static

Steps To Reproduce

1. Deploy Laravel Octane with FrankenPHP.
2. Request a non-existent file with a .js or .css extension.
3. Observe that the request is processed by frankenphp-worker.php (returning a Laravel 404) instead of a native Caddy 404.

[github-actions]

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

[eugene-nuwber]

All my PRs have been closed without merge.
Everybody who is using FrankenPHP out of the box may be affected so take a look at this issue.

[AlliBalliBaba]

This is how PHP routing usually works, also with FPM/Nginx and it's the Laravel default.

If your 404s to PHP are very expensive and you need better performance overall I'd also suggest completely splitting assets and PHP by path, something like described here.

@assets {
    path /assets/* robots.txt # define all paths where there are files...
}

# everything behind /assets is handled by the file server
file_server @assets {
    root /root/to/your/app
}

# everything that is not in /assets is handled by your index or worker PHP file
# this avoids all 'file exists' checks
php {
    root /root/to/your/app
    worker ./vendor/laravel/octane/bin/frankenphp-worker.php {
        match * # match all paths and send them to octane
        max_threads 50 # max 50 concurrent requests
    }
}