Keep getting "http: TLS handshake error from 172.30.0.238:57706: EOF" from local IP address

job_noam · February 5, 2020, 2:24pm

He,

We’re using Caddy 0.11.4.

Our logs are full with this kind of errors:
2020/02/05 14:08:13 http: TLS handshake error from 172.30.3.249:50274: EOF
2020/02/05 14:08:14 http: TLS handshake error from 172.30.3.249:51410: EOF
2020/02/05 14:08:14 http: TLS handshake error from 172.30.3.249:20150: EOF
2020/02/05 14:08:14 http: TLS handshake error from 172.30.3.249:43823: EOF
2020/02/05 14:08:15 http: TLS handshake error from 172.30.0.238:53047: EOF
2020/02/05 14:08:16 http: TLS handshake error from 172.30.0.238:56526: EOF
2020/02/05 14:08:16 http: TLS handshake error from 172.30.0.238:22912: EOF
2020/02/05 14:08:20 http: TLS handshake error from 172.30.2.212:35563: EOF
2020/02/05 14:08:20 http: TLS handshake error from 172.30.0.238:57706: EOF
2020/02/05 14:08:20 http: TLS handshake error from 172.30.2.212:14206: EOF
2020/02/05 14:08:21 http: TLS handshake error from 172.30.4.135:41471: EOF

This IP address is a local IP address so I don’t understand why it keeps calling and attack himself.

Thank for the help,
Noam

danlsgiga · February 5, 2020, 4:37pm

I’d bet there’s a monitoring process just trying to check if the port is open and disconnecting right after without doing a proper TLS handshake. If you use AWS NLBs Health Checks, this is the case!

danlsgiga · February 5, 2020, 4:41pm

Just FYI… I use this to avoid that coming from my NLBs

# Only replies with 200 for the /_health path under the defined 'http' port for the NLB health checks
http:// {
  root /var/www/html
  status 200 {
    /_health
  }
}

and then change your NLB health check to use your HTTP port and the /_health path

system · August 3, 2020, 2:24pm

This topic was automatically closed after 180 days. New replies are no longer allowed.