On a server I have increasing traffic of bots scanning the server by performing requests to http://<IP-Address/.
Caddy responds with a 308 redirect to https://<IP-Address/.
I wonder if there is a recommended way to
ignore requests to the raw IP (perfect)
perform a connection reset below the application layer (like NGINX’s 444) (ok)
respond w/out a location redirect (at least)
In that particular case I don’t want to return 403 code or the like as I see it more in the way of “it’s not forbidden, it’s just not configured”.
I am not sure if this is possible, because the server can’t know the request is “to” the “raw IP” until it reads the Host header. To truly ignore the request would involve ignoring all requests, essentially turning off the server.
But what you can do is match on the Host header if it contains your IP and then abort the request:
http://1.2.3.4 {
abort
}
That closes the connection uncleanly and doesn’t even write an HTTP response. I’d say it’s somewhere between your “perfect” and “ok” solutions.
This doesn’t make sense – Caddy won’t have a certificate for that hostname anyways so the TLS handshake will never succeed, so HTTP routing never happens. You should only keep the http:// site address.
so it created a certificate. I think. At least this is what I read out of the logs (DEBUG tls.handshake choosing certificate {"identifier": "10.1.1.1.", "num_choices": 1}).
Not on the prod server.
Generally true, but to be nuanced in case a future searcher finds this thread: they are eligible, but only some CAs offer them and only in certain ways (i.e. very few allow ACME to issue IP certs).
I’m pretty sure Caddy will issue its own self-signed cert for IP addresses, without needing to specify tls internal.