Default logging behaviour

Erwyn · March 14, 2017, 9:17am

Hello there,

I’m running Caddy in docker on my private server and my docker log for the container is crippled with:

2017/03/14 08:11:36 [INFO] audiofreeonline.com - No such site at :80 (Remote: 85.175.73.177, Referer: )
2017/03/14 08:11:41 [INFO] audiofreeonline.com - No such site at :80 (Remote: 94.25.23.18, Referer: )
2017/03/14 08:11:50 [INFO] audiofreeonline.com - No such site at :80 (Remote: 212.107.200.194, Referer: )
2017/03/14 08:11:51 [INFO] audiofreeonline.com - No such site at :80 (Remote: 195.110.52.25, Referer: )
2017/03/14 08:11:57 [INFO] audiofreeonline.com - No such site at :80 (Remote: 91.199.224.121, Referer: )
2017/03/14 08:12:01 [INFO] audiofreeonline.com - No such site at :80 (Remote: 91.240.120.254, Referer: )
2017/03/14 08:12:09 [INFO] audiofreeonline.com - No such site at :80 (Remote: 77.82.236.107, Referer: )
2017/03/14 08:12:09 [INFO] audiofreeonline.com - No such site at :80 (Remote: 77.87.114.80, Referer: )
2017/03/14 08:12:15 [INFO] audiofreeonline.com - No such site at :80 (Remote: 212.220.207.4, Referer: )
2017/03/14 08:12:16 [INFO] audiofreeonline.com - No such site at :80 (Remote: 5.143.232.170, Referer: )
2017/03/14 08:12:37 [INFO] audiofreeonline.com - No such site at :80 (Remote: 31.130.113.143, Referer: )
2017/03/14 08:12:41 [INFO] audiofreeonline.com - No such site at :80 (Remote: 5.101.34.3, Referer: )
2017/03/14 08:12:44 [INFO] audiofreeonline.com - No such site at :80 (Remote: 91.234.108.27, Referer: )
2017/03/14 08:12:45 [INFO] audiofreeonline.com - No such site at :80 (Remote: 91.224.138.26, Referer: )
2017/03/14 08:12:47 [INFO] audiofreeonline.com - No such site at :80 (Remote: 62.177.43.172, Referer: )
2017/03/14 08:12:51 [INFO] audiofreeonline.com - No such site at :80 (Remote: 195.162.22.21, Referer: )
2017/03/14 08:12:55 [INFO] audiofreeonline.com - No such site at :80 (Remote: 195.80.144.4, Referer: )
2017/03/14 08:13:01 [INFO] audiofreeonline.com - No such site at :80 (Remote: 46.174.194.118, Referer: )
2017/03/14 08:13:03 [INFO] audiofreeonline.com - No such site at :80 (Remote: 85.175.73.177, Referer: )
2017/03/14 08:13:11 [INFO] audiofreeonline.com - No such site at :80 (Remote: 94.233.46.24, Referer: )
2017/03/14 08:13:15 [INFO] audiofreeonline.com - No such site at :80 (Remote: 95.53.251.61, Referer: )

Now, I’m using Caddy as a reverse proxy and I would like to get rid of those. I tried to put a log directive at the top of my Caddyfile but it didn’t work. Is there a way to define a default loging behaviour and then override it in each site configuration? Or do I have to create a site configuration for audiofreeonline.com and put the log elsewhere, ideally feeding it to fail2ban?

Whitestrake · March 15, 2017, 4:14am

Hrm. Does

dig audiofreeonline.com a

return the IP address of your VPS? Maybe someone has misconfigured their DNS and has a link somewhere… Going off the remote IPs. No referer, though, could be bots of some kind?

What you could do is create a default vhost for :80, status 404 / it, and feed it to fail2ban. Given the variation in remote clients it probably won’t catch much, but it’d certainly move this crap out of the logs you care about.

matt · March 15, 2017, 4:53am

I was just about to suggest the same solution: a default site on :80 (or :443, or both!) that simply logs the IP address and returns a 404.

Erwyn · March 15, 2017, 8:22am

Hello, thanks for the answers.

I checked but no, audiofreeonline.com does not direct to my server. Honestly, I think it’s bots.

You are probably right about the variation though, fail2ban might be unable to work it properly. Anyway, thanks for the suggestion I’ll try to put a default site. As I was using it as a reverse proxy I didn’t think of having a default site.

Erwyn · March 15, 2017, 8:38am

Okay, so I made the default vhost it seems to work well, thanks!. But now I have another question, in the documentations regarding logs, it says that: log enables request logging.. Does this mean that if I don’t have any log directive set, I won’t have any log but the error ones?

matt · March 15, 2017, 2:52pm

A common tactic of spammers is to use bots to fill server logs or analytics records with a hostname they are advertising.

The log you were reading is the process log. Error logs are activated with the errors directive, and request logging is activated with the log directive.

Erwyn · March 15, 2017, 3:06pm

Ok perfect, everything is clear now.

Thank you very much for the help both @matt and @Whitestrake!

And it’s the first time I use Caddy, I mostly used Nginx before, and I’m loving it so far!

system · June 13, 2017, 3:16pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.