Block every connections from unknown domains

1. Caddy version (caddy version):


2. How I run Caddy:

a. System environment:

Windows 10

b. Command:

.\caddy.exe run

c. Service/unit/compose file:

I’m using WinSW to run Caddy as a service in Windows. Here’s my config file for the service.

  <!-- Display name of the service -->
  <name>Caddy Web Server (powered by WinSW)</name>
  <!-- Service description -->
  <description>Caddy Web Server (</description>
  <log mode="roll-by-time">

d. My complete Caddyfile or JSON config: {
	reverse_proxy localhost:8096

:80, :443, https://, http:// {

3. The problem I’m having:

I’d like to block and abort all connections from an undefined domain, for example when just entering my public IP address instead of the domain name in my Caddyfile.

What I did works on port 80 in HTTP but doesn’t in HTTPS on port 443, I’m getting a SSL_ERROR_INTERNAL_ERROR_ALERT instead of a The connection was reset.

4. Error messages and/or full log output:

The connection was reset in HTTP which is what is expected.

5. What I already tried:

:80, :443, https://, http:// {

That’s normal. If the TLS handshake can’t be completed, then no HTTP handlers can run.

I’m not sure why you would want to do this though, you don’t need to explicitly block anything, Caddy will just not do anything with the connection by default.

You don’t need this at all:

1 Like

Security reason I think. In my opinion it’s better to intercept and abort all unexpected connections. Besides an SSL_ERROR_INTERNAL_ERROR_ALERT error implies that the site exist and is running (but there is an error) while a The connection was reset error is more ambiguous and suggest that the site isn’t online or don’t exist at all.

So is there a way to abort before the TLS handshake or skip it to abort the connection?

What are you trying to protect against exactly? Someone knowing an IP address has a web server behind it? Everybody can know that by merely running dig +short -x <ip address>. Someone pointing some random domain to your IP address? The web server will not serve anything to a hostname they’re not configured for. Nonetheless, the public already knows that particular IP address has a web server behind it.

What’s the gap you’re plugging?


I’ve got bad news for you… if the server didn’t exist, the TCP connection wouldn’t be reset; it wouldn’t be established at all.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.