Logs getting filled/clobbered with references to the IP that had been directly accessed without SNI information
I’d like to know the best method to “catch” the non-matched, ie. “direct to IP” https connections, to either route them to a script/static file or response to have it logged in access.log rather than error.log
If you’re asking about HTTPS connections, there’s no way to handle those, because the TLS handshake needs to happen first - if the handshake fails due to missing SNI, i.e. no valid cert could be used, then Caddy can’t continue.
For HTTP connections, you can make a site block with :80 as the address to handle all connections on that port - but this means that HTTP->HTTPS redirects will be overridden, so you’ll need to re-implement them yourself in your :80 site block.
Is there a mechanism to assign a snake-oil/self-signed certificate to that default failure case?
I’ve yet to see those type of errors on a nginx setup where the default https will use a default certificate (even if the Host/SNI doesn’t match)
I actually do not care a single iota about the browsers in this case, as that should never be from a browser hitting it like https://ip.ad.dr.ess/, but rather these I do expect to be from scanners and badly configured API requests to give them the snake oil