My Caddyfile is pretty easy and looks like this:
:80
tls off
root /var/www
gzip
fastcgi / /var/run/php5-fpm.sock php
Is it possible to restrict access to /var/www/secret, so http://localhost/secret/secretfile.txt is no longer accessible?
You can use either basicauth or internal to achieve this. Since you want a secret directory, internal would be my recommendation here.
basicauth
basicauth /secret username password
Still accessible, but protected with username/password.
internal
internal /secret
Not accessible, throws a 404 Not Found status.