I am trying to capture unexpected requests (Mostly from port scanning bots hunting for vulnerable servers) in a different log file and real requests in a different log file.
When someone requests http://foo.internal, caddy automatically redirects to https://foo.internal as expected. However the redirection log is written to abort.log instead of foo.log. I can post process the log to exclude those re-directions. But is there a better/cleaner way to configure expected and unexpected requests to go to different logs?
Side note: Unexpected https requests don’t get logged at all.
Your config doesn’t specifically handle http://foo.internal, it only configures HTTPS.
Caddy’s Automatic HTTPS routine sets up the HTTP->HTTPS redirects, and that happens on the HTTP server.
You configured the HTTP server (with the :80 site address) to log to abort.log. So that’s what Caddy does.
You can see how this behaves by adapting your config to JSON, it should give you an idea of how it works. Run caddy adapt --config path/to/Caddyfile --pretty
If you want the redirect for known domains to log elsewhere, you’ll need to explicitly configure that. Add a site like this I guess:
Failed TLS handshakes don’t reach the HTTP handlers.
I understand it does not reach the headers. Is there any way to collect those ip addresses? Without caddy logging it, the only way is then to log all ips from iptables and then filter out expected ones from caddy’s log. This is both slow and complex.
If you enable debug level logging, you can see the TLS handshake failures. But that will significantly increase the amount of logs Caddy produces.
Frankly, I don’t think you need to worry about blocking those IP addresses unless you’re being hammered with requests via a targeted attack. They fail early and fast.