1. The problem I’m having:
I’m running Nextcloud in a Docker container, with Caddy acting as a reverse proxy and Crowdsec handling, well, security.
A few months ago, whenever I stepped out of the house, I started getting notifications from Crowdsec that the IP I was using my phone from (be it the one of the mobile network or the VPN, if the phone was connected to one) was banned due to crowdsecurity/http-generic-bf scenario. After some digging, I discovered that Crowdsec was being triggered by Caddy log entries such as the one below.
The question I have for you is: am I doing anything wrong with the way I’m proxying Nextcloud? Why is Caddy assuming that the authentication failed, when Nextcloud itself is not reporting any problems and, more importantly, I can sync my contacts without any problems (when I’m not banned, that is)?
Any and all insight into this problem would be greatly appreciated!
Thank you!
2. Error messages and/or full log output:
Crowdsec Alert entry
################################################################################################
- ID : 4803
- Date : 2025-06-03T07:20:46Z
- Machine : localhost
- Simulation : false
- Remediation : true
- Reason : crowdsecurity/http-generic-bf
- Events Count : 6
- Scope:Value : Ip:212.39.89.45
- Country : BG
- AS : T-Mobile
- Begin : 2025-06-03 07:20:42.231681397 +0000 UTC
- End : 2025-06-03 07:20:45.875052315 +0000 UTC
- UUID : bd35afff-83b7-4aa1-a647-f499250769e5
╭─────────────────────────────────────────────────────────────────────────╮
│ Active Decisions │
├──────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│ ID │ scope:value │ action │ expiration │ created_at │
├──────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 22275058 │ Ip:212.39.89.45 │ ban │ 3h46m37s │ 2025-06-03T07:20:46Z │
╰──────────┴─────────────────┴────────┴────────────┴──────────────────────╯
- Context :
╭────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method │ REPORT │
│ method │ PROPFIND │
│ status │ 401 │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/z-server-generat │
│ │ ed--system/ │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/1/ │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/z-app-generated- │
│ │ -contactsinteraction--recent/ │
│ target_uri │ /remote.php/dav/principals/users/zkvvoob/ │
│ target_uri │ /remote.php/dav/addressbooks/users/zkvvoob/ │
│ user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
╰────────────┴──────────────────────────────────────────────────────────────╯
- Events :
- Date: 2025-06-03 10:20:42 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/z-server-generat │
│ │ ed--system/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ REPORT │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:42+03:00 │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:43 +0300 +0300
╭─────────────────┬────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/1/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ REPORT │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:43+03:00 │
╰─────────────────┴────────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:44 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/z-app-generated- │
│ │ -contactsinteraction--recent/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ PROPFIND │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:44+03:00 │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:44 +0300 +0300
╭─────────────────┬────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/principals/users/zkvvoob/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ PROPFIND │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:44+03:00 │
╰─────────────────┴────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:45 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ PROPFIND │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:45+03:00 │
╰─────────────────┴──────────────────────────────────────────────╯
- Date: 2025-06-03 10:20:45 +0300 +0300
╭─────────────────┬──────────────────────────────────────────────────────────────╮
│ Key │ Value │
├─────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber │ 8866 │
│ ASNOrg │ T-Mobile │
│ IsInEU │ true │
│ IsoCode │ BG │
│ SourceRange │ 212.39.64.0/19 │
│ datasource_path │ /var/log/caddy/mydomain.com.log │
│ datasource_type │ file │
│ http_args_len │ 0 │
│ http_path │ /remote.php/dav/addressbooks/users/zkvvoob/z-server-generat │
│ │ ed--system/ │
│ http_status │ 401 │
│ http_user_agent │ iOS/18.5 (22F76) dataaccessd/1.0 │
│ http_verb │ REPORT │
│ log_type │ http_access-log │
│ service │ http │
│ source_ip │ 212.39.89.45 │
│ sub_type │ auth_fail │
│ target_fqdn │ cloud.mydomain.com │
│ timestamp │ 2025-06-03T10:20:45+03:00 │
╰─────────────────┴──────────────────────────────────────────────────────────────╯
Caddy log
{
"level": "info",
"ts": 1748935246.9288347,
"logger": "http.log.access.log0",
"msg": "handled request",
"request": {
"remote_ip": "212.39.89.45",
"remote_port": "41850",
"client_ip":"212.39.89.45",
"proto":"HTTP/2.0",
"method":"PROPFIND",
"host":"cloud.mydomain.com",
"uri":"/remote.php/dav/addressbooks/users/zkvvoob/z-app-generated--contactsinteraction--recent/",
"headers":{
"Accept":["*/*"],
"Accept-Encoding":["gzip, deflate, br"],
"Content-Length":["181"],
"Content-Type":["text/xml"],
"Depth":["0"],
"Accept-Language":["bg-BG,bg;q=0.9"],
"Prefer":["return=minimal"],
"Brief":["t"],
"User-Agent":["iOS/18.5 (22F76) dataaccessd/1.0"]
},
"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.mydomain.com"}
},
"bytes_read":181,
"user_id":"",
"duration":0.024832559,
"size":477,
"status":401,
"resp_headers":{
"Server":["nginx"],
"X-Content-Type-Options":["nosniff"],
"Content-Type":["application/xml;charset=utf-8"],
"Content-Security-Policy":["default-src 'none';"],
"X-Permitted-Cross-Domain-Policies":["none"],
"Via":["2.0 Caddy"],
"Strict-Transport-Security":["max-age=31536000;"],
"Referrer-Policy": ["no-referrer"],
"Alt-Svc": ["h3=\":443\"; ma=2592000"],
"X-Xss-Protection": [
"1",
"1; mode=block"
],
"Date": ["Tue, 03 Jun 2025 07:20:46 GMT"],
"Set-Cookie": ["REDACTED"],
"X-Frame-Options":["SAMEORIGIN"],
"Www-Authenticate":["Basic realm=\"Nextcloud\", charset=\"UTF-8\""],
"X-Robots-Tag": ["noindex, nofollow"]
}
}
3. Caddy version:
2.10
4. How I installed and ran Caddy:
Docker compose
c. Service/unit/compose file:
FROM caddy:builder-alpine AS builder
RUN xcaddy build \
--with github.com/caddy-dns/porkbun \
--with github.com/hslatman/caddy-crowdsec-bouncer/http \
--with github.com/hslatman/caddy-crowdsec-bouncer/crowdsec \
--with github.com/hslatman/caddy-crowdsec-bouncer/layer4
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
services:
caddy:
image: caddy-porkbun:v2.10.0
container_name: caddy
restart: unless-stopped
security_opt:
- label:disable
ports:
- "443:443"
- "443:443/udp"
volumes:
- ./config:/etc/caddy
- ./logs:/logs
- /etc/localtime:/etc/localtime:ro
cap_add:
- NET_ADMIN
networks:
- proxy
networks:
proxy:
external: true
d. My complete Caddy config:
*.mydomain.com {
@nextcloud host cloud.mydomain.com
handle @nextcloud {
header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1"
}
route {
crowdsec
reverse_proxy https://nextcloud {
transport http {
tls
tls_insecure_skip_verify
}
}
}
}
}