How to reject all requests to unknown hostnames (including server IP)

1. The problem I’m having:

I have a Caddyfile that contains hostnames, which I reverse proxy to some apps.

I want to explicitly reject all other requests that do not come from these hostnames, especially requests to the server's raw IP (i.e. https://123.456.789.10).

The requests are actually currently rejected, but the error is not what I want: I get SSL_ERROR_INTERNAL_ERROR_ALERT when I really want something like a normal 404 or 4xx error, not some weird SSL error.

I also don’t want an HTTP request to redirect; I want that to drop the connection straight away as well.

I tried using a “*” wildcard with a 404 response:

* {
  # Caddy's directive for a fixed status reply is "respond", not "response"
  respond 404
}

but this didn’t change the SSL error, and I saw this in the Caddy log:
{"level":"error","ts":1690840528.3630133,"logger":"tls.obtain","msg":"will retry","error":"[*] Obtain: subject does not qualify for a public certificate: *","attempt":1,"retrying_in":60,"elapsed":0.00143502,"max_duration":2592000}

I also tried *:80 with the same response instead and the http->https redirect did not stop.

2. Error messages and/or full log output:

Here’s what it looks like to curl the server:

$ curl -v http://redacted-ip-address
*   Trying redacted-ip-address:80...
* Connected to redacted-ip-address (redacted-ip-address) port 80 (#0)
> GET / HTTP/1.1
> Host: redacted-ip-address
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://redacted-ip-address/
< Server: Caddy
< Date: Mon, 31 Jul 2023 22:09:12 GMT
< Content-Length: 0
<
* Closing connection 0
$ curl -v https://redacted-ip-address
*   Trying redacted-ip-address:443...
* Connected to redacted-ip-address (redacted-ip-address) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

You can see the last line is displaying the SSL/TLS error. I want this to just be a normal 404 response.

3. Caddy version:

$ docker exec caddy caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

$ docker --version
Docker version 24.0.2, build cb74dfc
$ hostnamectl
  ...
    Virtualization: kvm
  Operating System: Debian GNU/Linux 11 (bullseye)
            Kernel: Linux 5.10.0-23-amd64
      Architecture: x86-64

b. Command:

docker volume create caddy
docker run -d --name caddy --restart unless-stopped \
    --network=host \
    -v "$(pwd)/Caddyfile:/etc/caddy/Caddyfile" \
    -v caddy:/data \
    caddy

c. Service/unit/compose file:

d. My complete Caddy config:

Caddyfile:

{
  email redacted@gmail.com
}

ip.redacted.dev {
  encode zstd gzip
  reverse_proxy localhost:8081
}

stats.redacted.dev {
  encode zstd gzip
  reverse_proxy localhost:8080
}

5. Links to relevant resources:

n/a
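One way to turn both rejections into plain HTTP 404 responses, added here as an illustration; it is not from this thread and not the Caddy project's own example. It keeps the poster's placeholder domains and assumes the documented Caddy v2 behaviour of the `http://` and `https://` catch-all site addresses, the `respond` directive, the `default_sni` global option, and `tls internal` with `on_demand` issuance:

```caddyfile
{
  email redacted@gmail.com
  # Assumption: a client connecting by raw IP sends no SNI, and without SNI
  # Caddy has no certificate to present, which is what produces the
  # "internal error" TLS alert. default_sni tells Caddy which managed
  # certificate to present in that case so the handshake can complete and
  # an HTTP status can be sent (the client then sees a name mismatch, not
  # an internal-error alert).
  default_sni ip.redacted.dev
}

# Real sites, unchanged from the original Caddyfile.
ip.redacted.dev {
  encode zstd gzip
  reverse_proxy localhost:8081
}

stats.redacted.dev {
  encode zstd gzip
  reverse_proxy localhost:8080
}

# Catch-all for plain HTTP on port 80. Caddy still adds its HTTP->HTTPS
# redirects for the two managed hostnames above; every other Host value
# falls through to this block and gets a bare 404 instead of a 308.
http:// {
  respond 404
}

# Catch-all for HTTPS on port 443. A certificate has to be presented before
# any HTTP status can be returned, so unknown SNI names get a certificate
# from Caddy's internal CA, issued on demand (no ACME request is made), and
# the request is then answered with a 404.
https:// {
  tls internal {
    on_demand
  }
  respond 404
}
```

After reloading, `curl -v http://<ip>` should return 404 rather than a 308 redirect, and `curl -vk https://<ip>` should complete the handshake and return 404. A browser will still warn about the certificate for the raw IP or for an unknown hostname unless it trusts Caddy's internal CA, because a connection that is "dropped" at the TLS layer cannot carry an HTTP status at all; the 404 is only reachable once a handshake has succeeded.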

That’ll be impossible since a connection is required to send the HTTP response over. You would essentially have to accept the request, not reject it.

Unfortunately your post redacts crucial information, directly against the forum rules and help template instructions, that will be necessary for us to help you. So, good luck, I guess!


Yeah I’m aware that I’ve removed “crucial information” but I’m not comfortable sharing said info for various reasons, I figured I’d ask anyway. Feel free to remove the post or whatever if you think there’s not enough info to go on.

We can offer support in private for sponsors of a sufficient tier. It’s just that domain names are public information and we need that to help you.
