Reverse proxy suddenly showing as "Deceptive site ahead", Google Blacklisted

1. The problem I’m having:

I’ve been running a Caddy reverse proxy in a Docker for my home server successfully for some time. With a recent Chrome update, Google is reporting my site as “Deceptive site ahead”. I ran a free security check on ssltrust.com and it came back as “We were Unable to Make a Secure Connection. Please be cautious when sharing any important information with this website.”

I think this may be why Google has decided to blacklist my site.

2. Error messages and/or full log output:

25T22:28:43.447607298Z {"level":"info","ts":1685053723.4473026,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"rss.jawmonster.com","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-05-25T22:28:43.700587855Z {"level":"info","ts":1685053723.7003298,"logger":"tls","msg":"served key authentication certificate","server_name":"rss.jawmonster.com","challenge":"tls-alpn-01","remote":"23.178.112.107:63656","distributed":false}
2023-05-25T22:28:43.743349619Z {"level":"info","ts":1685053723.7431276,"logger":"tls","msg":"served key authentication certificate","server_name":"rss.jawmonster.com","challenge":"tls-alpn-01","remote":"18.117.220.38:19926","distributed":false}
2023-05-25T22:28:43.756796918Z {"level":"info","ts":1685053723.7565575,"logger":"tls","msg":"served key authentication certificate","server_name":"rss.jawmonster.com","challenge":"tls-alpn-01","remote":"52.13.125.183:14362","distributed":false}
2023-05-25T22:28:44.085970603Z {"level":"info","ts":1685053724.085693,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/429651330/184519180057"}
2023-05-25T22:28:44.439754016Z {"level":"info","ts":1685053724.4394236,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/03931e91e6fa79f710d41067b26afb747d7e"}
2023-05-25T22:28:44.440733581Z {"level":"info","ts":1685053724.4405355,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"rss.jawmonster.com"}
2023-05-25T22:28:44.440786246Z {"level":"info","ts":1685053724.4405704,"logger":"tls.renew","msg":"releasing lock","identifier":"rss.jawmonster.com"}
2023-05-25T22:28:44.441121633Z {"level":"info","ts":1685053724.440901,"logger":"tls","msg":"reloading managed certificate","identifiers":["rss.jawmonster.com"]}
2023-05-25T22:28:44.594527117Z {"level":"info","ts":1685053724.594223,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["rss.jawmonster.com"],"new_expiration":1692826123}
2023-05-26T03:33:07.341419590Z {"level":"error","ts":1685071987.341114,"logger":"tls","msg":"tls-alpn challenge","server_name":"","error":"no information found to solve challenge for identifier: "}
2023-05-26T05:58:43.139707839Z {"level":"info","ts":1685080723.1388607,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["jawmonster.com"],"from":1685379598,"to":1685681998}
2023-05-26T19:58:42.982585617Z {"level":"info","ts":1685131122.9822605,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-26T19:58:42.992184485Z {"level":"info","ts":1685131122.99191,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-27T06:58:43.153940646Z {"level":"info","ts":1685170723.153635,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["nextcloud.jawmonster.com"],"from":1685469598,"to":1685663998}
2023-05-27T19:58:42.979658013Z {"level":"info","ts":1685217522.9793096,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-27T19:58:42.990047243Z {"level":"info","ts":1685217522.9897854,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-28T19:58:42.993980139Z {"level":"info","ts":1685303922.993721,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-28T19:58:42.996773333Z {"level":"info","ts":1685303922.996581,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-29T10:58:43.131562128Z {"level":"info","ts":1685357923.1313288,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["rss.jawmonster.com"],"from":1685656798,"to":1685959198}
2023-05-29T12:58:43.194312398Z {"level":"info","ts":1685365123.1940148,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["nextcloud.jawmonster.com"],"from":1685663998,"to":1685789998}
2023-05-29T17:58:43.112265909Z {"level":"info","ts":1685383123.1119404,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["jawmonster.com"],"from":1685681998,"to":1685897998}
2023-05-29T19:58:43.027942209Z {"level":"info","ts":1685390323.027571,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-29T19:58:43.030906034Z {"level":"info","ts":1685390323.0306993,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-30T19:58:42.978685796Z {"level":"info","ts":1685476722.9783936,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-30T19:58:42.981347021Z {"level":"info","ts":1685476722.9811497,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-30T22:17:42.388228974Z {"level":"info","ts":1685485062.3876898,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
2023-05-30T22:17:42.390941356Z {"level":"warn","ts":1685485062.3905025,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
2023-05-30T22:17:42.469083792Z {"level":"info","ts":1685485062.4686198,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0003a25b0"}
2023-05-30T22:17:42.475034388Z {"level":"info","ts":1685485062.4748166,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
2023-05-30T22:17:42.475061974Z {"level":"info","ts":1685485062.4748447,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
2023-05-30T22:18:24.357569306Z {"level":"info","ts":1685485104.3574576,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-05-30T22:18:24.361351243Z {"level":"warn","ts":1685485104.3612404,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":22}
2023-05-30T22:18:24.364013214Z {"level":"info","ts":1685485104.3639,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2023-05-30T22:18:24.364418612Z {"level":"info","ts":1685485104.36431,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2023-05-30T22:18:24.364435476Z {"level":"info","ts":1685485104.3643382,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-05-30T22:18:24.365264653Z {"level":"info","ts":1685485104.365188,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00050c690"}
2023-05-30T22:18:24.365934713Z {"level":"info","ts":1685485104.3658636,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jawmonster.com","nextcloud.jawmonster.com","rss.jawmonster.com"]}
2023-05-30T22:18:25.530525663Z {"level":"info","ts":1685485105.5301964,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-30T22:18:25.530925640Z {"level":"info","ts":1685485105.5306847,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-05-30T22:18:25.530950555Z {"level":"info","ts":1685485105.5308506,"msg":"serving initial configuration"}
2023-05-30T22:18:25.532423617Z {"level":"info","ts":1685485105.5323308,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-31T22:18:25.530355032Z {"level":"info","ts":1685571505.530116,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-31T22:18:25.541842873Z {"level":"info","ts":1685571505.5416245,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-01T22:18:24.529297446Z {"level":"info","ts":1685657904.528511,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["rss.jawmonster.com"],"from":1685959198,"to":1686261598}
2023-06-01T22:18:25.530570759Z {"level":"info","ts":1685657905.5302439,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-01T22:18:25.541719729Z {"level":"info","ts":1685657905.5414753,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-02T05:24:12.014421507Z {"level":"info","ts":1685683452.0141723,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
2023-06-02T05:24:12.014465176Z {"level":"warn","ts":1685683452.0142562,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
2023-06-02T05:24:12.024973577Z {"level":"info","ts":1685683452.0245879,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00050c690"}
2023-06-02T05:24:12.026754185Z {"level":"info","ts":1685683452.0266027,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
2023-06-02T05:24:12.026791925Z {"level":"info","ts":1685683452.026637,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
2023-06-02T05:24:12.832760444Z {"level":"info","ts":1685683452.83261,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-06-02T05:24:12.835358621Z {"level":"warn","ts":1685683452.8352528,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":22}
2023-06-02T05:24:12.836374872Z {"level":"info","ts":1685683452.8362916,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2023-06-02T05:24:12.836594210Z {"level":"info","ts":1685683452.8365257,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2023-06-02T05:24:12.836606797Z {"level":"info","ts":1685683452.8365407,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-06-02T05:24:12.836648431Z {"level":"info","ts":1685683452.8366106,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000454690"}
2023-06-02T05:24:12.837847397Z {"level":"info","ts":1685683452.8377602,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-02T05:24:12.837861701Z {"level":"info","ts":1685683452.8377604,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.jawmonster.com","rss.jawmonster.com","jawmonster.com"]}
2023-06-02T05:24:12.839156164Z {"level":"info","ts":1685683452.8390398,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-02T05:24:12.971325378Z {"level":"info","ts":1685683452.9711137,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-06-02T05:24:12.971383609Z {"level":"info","ts":1685683452.9711592,"msg":"serving initial configuration"}
2023-06-02T19:37:33.830949481Z {"level":"error","ts":1685734653.8306277,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"context canceled"}
2023-06-03T05:24:12.869325753Z {"level":"info","ts":1685769852.869048,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-03T05:24:12.882282171Z {"level":"info","ts":1685769852.8820112,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-03T10:24:13.073627929Z {"level":"info","ts":1685787853.0730803,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["nextcloud.jawmonster.com"],"from":1686088798,"to":1686391198}
2023-06-03T10:24:13.156369188Z {"level":"info","ts":1685787853.1560512,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["jawmonster.com"],"from":1686088798,"to":1686358798}
2023-06-03T22:23:44.432054870Z {"level":"info","ts":1685831024.4319217,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
2023-06-03T22:23:44.432077339Z {"level":"warn","ts":1685831024.4319537,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
2023-06-03T22:23:44.436226842Z {"level":"info","ts":1685831024.4360683,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000454690"}
2023-06-03T22:23:44.439348620Z {"level":"info","ts":1685831024.4387836,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
2023-06-03T22:23:44.439393954Z {"level":"info","ts":1685831024.4388304,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
2023-06-03T22:23:45.248033348Z {"level":"info","ts":1685831025.247925,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-06-03T22:23:45.250782066Z {"level":"warn","ts":1685831025.2507095,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":22}
2023-06-03T22:23:45.252183724Z {"level":"info","ts":1685831025.252096,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2023-06-03T22:23:45.252326057Z {"level":"info","ts":1685831025.2522776,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2023-06-03T22:23:45.252450845Z {"level":"info","ts":1685831025.2522933,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-06-03T22:23:45.252460426Z {"level":"info","ts":1685831025.2523375,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004bc850"}
2023-06-03T22:23:45.253162873Z {"level":"info","ts":1685831025.2531235,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.jawmonster.com","rss.jawmonster.com","jawmonster.com"]}
2023-06-03T22:23:45.481778284Z {"level":"info","ts":1685831025.4815617,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-03T22:23:45.481825770Z {"level":"info","ts":1685831025.481621,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-06-03T22:23:45.481844851Z {"level":"info","ts":1685831025.4816551,"msg":"serving initial configuration"}
2023-06-03T22:23:45.485143500Z {"level":"info","ts":1685831025.4849648,"logger":"tls","msg":"finished cleaning storage units"}

3. Caddy version:

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

4. How I installed and ran Caddy:

```
docker run --name caddy\
  -p 80:80\
  -p 443:443\
  --restart unless-stopped\
  -v /var/lib/docker/volumes/caddy/data:/data\
  -v /var/lib/docker/volumes/caddy/config:/config\
  -v /var/lib/docker/volumes/caddy/etc/caddy:/etc/caddy\
  -v /var/lib/docker/volumes/caddy/www/index.html:/usr/share/caddy/index.html\
  --net staticIpMacVLAN\
  --ip 192.168.1.25\
  -d caddy
```

a. System environment:

  • Ubuntu 22.04.2 LTS
  • Docker version 20.10.18, build b40c2f6

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

```
jawmonster.com {
	encode gzip

	reverse_proxy http://192.168.1.10

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade

                # enable CSP
                Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
	}
}

nextcloud.jawmonster.com {
	encode gzip

	rewrite /.well-known/carddav /remote.php/dav
	rewrite /.well-known/caldav /remote.php/dav

	reverse_proxy http://192.168.1.20

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade

                # enable CSP
                Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
	}
}

rss.jawmonster.com {
	encode gzip

	reverse_proxy http://192.168.1.21

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()

		# enable HSTS
		Strict-Transport-Security max-age=31536000;

		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff

		# clickjacking protection
		X-Frame-Options DENY

		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade

                # enable CSP
                Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
	}
}
```

5. Links to relevant resources:

My failed security test:

https://www.ssltrust.com/ssl-tools/website-security-check?domain=jawmonster.com#ssl

I don’t think that has anything to do with Caddy. I think your site was reported as being a phishing site for whatever reason. You can dispute it here: https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=https%3A%2F%2Fjawmonster.com%2F

That could be, but the security test web site (under the links section) reports “We were Unable to Make a Secure Connection. Please be cautious when sharing any important information with this website” which might be why Google flagged the site - naturally you shouldn’t transmit credentials and other important data over non-secured connections.

Thanks.

Failure to connect doesn’t give itself to blacklisting. You might have inherited an IP formerly used by scammers, for example.

This ssl test, which I trust, gives you an A+: SSL Server Test: jawmonster.com (Powered by Qualys SSL Labs)

The other one must be broken. Sorry to say Caddy isn’t related to the blacklisting. (But that should be good news.)
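
One way to read a Caddy log like the one quoted in the question when checking whether certificate automation is healthy, as an added example that is not part of the original thread: it reports each certificate's new expiry and marks whether each error line names a managed hostname. The sample lines and hostnames are constructed; the message strings are the ones that appear in the log above.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the log quoted in the question: a timestamp
# prefix, then Caddy's JSON record. Hostnames are placeholders; one line is truncated.
SAMPLE_LOG = """\
2023-05-25T22:28:44.44Z {"level":"info","logger":"tls.renew","msg":"certificate renewed successfully","identifier":"rss.example.com"}
2023-05-25T22:28:44.59Z {"level":"info","logger":"tls.cache","msg":"replaced certificate in cache","subjects":["rss.example.com"],"new_expiration":1692826123}
2023-05-26T03:33:07.34Z {"level":"error","logger":"tls","msg":"tls-alpn challenge","server_name":"","error":"no information found to solve challenge for identifier: "}
25T22:28:43.44Z (constructed) line cut off before its JSON body
2023-05-30T22:18:24.36Z {"level":"info","logger":"http","msg":"enabling automatic TLS certificate management","domains":["example.com","rss.example.com"]}
2023-06-02T19:37:33.83Z {"level":"error","logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"context canceled"}
"""


def parse_line(line):
    """Return the JSON record carried on a log line, or None if there is none."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def triage(text):
    """Summarise certificate state and error lines from Caddy JSON logs."""
    managed, expiry, errors, skipped = set(), {}, [], 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # not a JSON record; count it rather than guess
            continue
        msg = rec.get("msg", "")
        if msg == "enabling automatic TLS certificate management":
            managed.update(rec.get("domains", []))
        elif msg == "replaced certificate in cache":
            when = datetime.fromtimestamp(rec["new_expiration"], tz=timezone.utc)
            for name in rec.get("subjects", []):
                expiry[name] = when.date().isoformat()
        if rec.get("level") == "error":
            name = rec.get("server_name") or rec.get("identifier") or ""
            errors.append({"logger": rec.get("logger", ""), "msg": msg,
                           "name": name, "error": rec.get("error", "")})
    managed.update(expiry)
    # Flag whether each error names one of the hosts Caddy manages certificates for.
    for err in errors:
        err["managed"] = err["name"] in managed
    return {"managed": sorted(managed), "expiry": expiry,
            "errors": errors, "skipped": skipped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("managed hosts:", report["managed"])
    print("certificate expiry:", report["expiry"])
    for err in report["errors"]:
        scope = "managed host" if err["managed"] else "no managed host named"
        print(f"error [{err['logger']}] {err['msg']} ({scope})")
    print("lines without JSON:", report["skipped"])
```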

I guess I was worried that there was a new vulnerability and that my Caddy config was part of the problem. Thanks for your help!

I guess I get to deal with Google now… 🙄

Another reason for blacklisting can be a front page with links to another site. A lot of people running Emby (a media server similar to Plex) had this Google red flag, because their sites by default all look like Emby (which they are!) and so Google decided they were faking it. Since Emby redesigned their front page to use local resources instead of getting them from the Emby site, these reports have stopped.

Emby forum thread

Paul
