How to abort or 403 sub-subdomains with a wildcard?

You’re supposed to reject those domains on your ask endpoint. Are you not doing that? You should only allow known domains, you should never blanket allow domains.

Agreed! I had set this infrastructure up before the ask endpoint was required and am now seeing that exact situation. The file-based solution was taken from this post:

In a panic last night to get something up to shield my Caddy servers. I’ll be implementing the ask endpoint in my real backend today to protect moving forward. I appreciate the tip on deleting the domains as well.

Part of the problem is I do need to serve the certificate for the www version of this domain (for their website), but not any of the other subdomain stuff that their webmaster misconfigured—I understand what you are saying though, that should just be part of the ask endpoint.

That’s the way to do it. Just write a regexp matching Host to reject those requests.

:man_facepalming: Thank you
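
An added example, not code from any poster in this thread: a minimal on-demand TLS `ask` endpoint in Go that approves only a known apex domain and its `www` host and denies every other subdomain. Caddy queries the endpoint with `?domain=<name>` and issues a certificate only on a 2xx response; the domain `customer.example`, the `/ask` path and the port are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedApex is a constructed stand-in for the backend's table of customer domains.
var allowedApex = map[string]bool{"customer.example": true}

// allowCert reports whether a certificate may be issued for name:
// only a known apex domain or its www host, never deeper subdomains.
func allowCert(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
	if name == "" || strings.ContainsAny(name, "*:/ ") {
		return false
	}
	if allowedApex[name] {
		return true
	}
	// Exactly one "www." label in front of a known apex is allowed.
	if strings.HasPrefix(name, "www.") {
		return allowedApex[strings.TrimPrefix(name, "www.")]
	}
	return false
}

// askHandler answers Caddy's on-demand TLS check. Any non-2xx status denies issuance.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !allowCert(domain) {
		// %q escapes control characters in the untrusted name before logging.
		log.Printf("ask: denied %q", domain)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/ask", askHandler)
	// Loopback bind so only the local Caddy instance can reach it (assumed port).
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil))
}
```

The denied-name log doubles as a record of which misconfigured hostnames are still pointing at the server.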