1. The problem I’m having:
I’ve been running a Caddy reverse proxy in Docker for my home server successfully for some time. With a recent Chrome update, Google is reporting my site as “Deceptive site ahead”. I ran a free security check on ssltrust.com and it came back as “We were Unable to Make a Secure Connection. Please be cautious when sharing any important information with this website.”
I think this may be why Google has decided to blacklist my site.
2. Error messages and/or full log output:
25T22:28:43.447607298Z {"level":"info","ts":1685053723.4473026,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"rss.jawmonster.com","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-05-25T22:28:43.700587855Z {"level":"info","ts":1685053723.7003298,"logger":"tls","msg":"served key authentication certificate","server_name":"rss.jawmonster.com","challenge":"tls-alpn-01","remote":"23.178.112.107:63656","distributed":false}
2023-05-25T22:28:43.743349619Z {"level":"info","ts":1685053723.7431276,"logger":"tls","msg":"served key authentication certificate","server_name":"rss.jawmonster.com","challenge":"tls-alpn-01","remote":"18.117.220.38:19926","distributed":false}
2023-05-25T22:28:43.756796918Z {"level":"info","ts":1685053723.7565575,"logger":"tls","msg":"served key authentication certificate","server_name":"rss.jawmonster.com","challenge":"tls-alpn-01","remote":"52.13.125.183:14362","distributed":false}
2023-05-25T22:28:44.085970603Z {"level":"info","ts":1685053724.085693,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/429651330/184519180057"}
2023-05-25T22:28:44.439754016Z {"level":"info","ts":1685053724.4394236,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/03931e91e6fa79f710d41067b26afb747d7e"}
2023-05-25T22:28:44.440733581Z {"level":"info","ts":1685053724.4405355,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"rss.jawmonster.com"}
2023-05-25T22:28:44.440786246Z {"level":"info","ts":1685053724.4405704,"logger":"tls.renew","msg":"releasing lock","identifier":"rss.jawmonster.com"}
2023-05-25T22:28:44.441121633Z {"level":"info","ts":1685053724.440901,"logger":"tls","msg":"reloading managed certificate","identifiers":["rss.jawmonster.com"]}
2023-05-25T22:28:44.594527117Z {"level":"info","ts":1685053724.594223,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["rss.jawmonster.com"],"new_expiration":1692826123}
2023-05-26T03:33:07.341419590Z {"level":"error","ts":1685071987.341114,"logger":"tls","msg":"tls-alpn challenge","server_name":"","error":"no information found to solve challenge for identifier: "}
2023-05-26T05:58:43.139707839Z {"level":"info","ts":1685080723.1388607,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["jawmonster.com"],"from":1685379598,"to":1685681998}
2023-05-26T19:58:42.982585617Z {"level":"info","ts":1685131122.9822605,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-26T19:58:42.992184485Z {"level":"info","ts":1685131122.99191,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-27T06:58:43.153940646Z {"level":"info","ts":1685170723.153635,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["nextcloud.jawmonster.com"],"from":1685469598,"to":1685663998}
2023-05-27T19:58:42.979658013Z {"level":"info","ts":1685217522.9793096,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-27T19:58:42.990047243Z {"level":"info","ts":1685217522.9897854,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-28T19:58:42.993980139Z {"level":"info","ts":1685303922.993721,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-28T19:58:42.996773333Z {"level":"info","ts":1685303922.996581,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-29T10:58:43.131562128Z {"level":"info","ts":1685357923.1313288,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["rss.jawmonster.com"],"from":1685656798,"to":1685959198}
2023-05-29T12:58:43.194312398Z {"level":"info","ts":1685365123.1940148,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["nextcloud.jawmonster.com"],"from":1685663998,"to":1685789998}
2023-05-29T17:58:43.112265909Z {"level":"info","ts":1685383123.1119404,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["jawmonster.com"],"from":1685681998,"to":1685897998}
2023-05-29T19:58:43.027942209Z {"level":"info","ts":1685390323.027571,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-29T19:58:43.030906034Z {"level":"info","ts":1685390323.0306993,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-30T19:58:42.978685796Z {"level":"info","ts":1685476722.9783936,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-30T19:58:42.981347021Z {"level":"info","ts":1685476722.9811497,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-30T22:17:42.388228974Z {"level":"info","ts":1685485062.3876898,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
2023-05-30T22:17:42.390941356Z {"level":"warn","ts":1685485062.3905025,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
2023-05-30T22:17:42.469083792Z {"level":"info","ts":1685485062.4686198,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0003a25b0"}
2023-05-30T22:17:42.475034388Z {"level":"info","ts":1685485062.4748166,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
2023-05-30T22:17:42.475061974Z {"level":"info","ts":1685485062.4748447,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
2023-05-30T22:18:24.357569306Z {"level":"info","ts":1685485104.3574576,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-05-30T22:18:24.361351243Z {"level":"warn","ts":1685485104.3612404,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":22}
2023-05-30T22:18:24.364013214Z {"level":"info","ts":1685485104.3639,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2023-05-30T22:18:24.364418612Z {"level":"info","ts":1685485104.36431,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2023-05-30T22:18:24.364435476Z {"level":"info","ts":1685485104.3643382,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-05-30T22:18:24.365264653Z {"level":"info","ts":1685485104.365188,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00050c690"}
2023-05-30T22:18:24.365934713Z {"level":"info","ts":1685485104.3658636,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jawmonster.com","nextcloud.jawmonster.com","rss.jawmonster.com"]}
2023-05-30T22:18:25.530525663Z {"level":"info","ts":1685485105.5301964,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-30T22:18:25.530925640Z {"level":"info","ts":1685485105.5306847,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-05-30T22:18:25.530950555Z {"level":"info","ts":1685485105.5308506,"msg":"serving initial configuration"}
2023-05-30T22:18:25.532423617Z {"level":"info","ts":1685485105.5323308,"logger":"tls","msg":"finished cleaning storage units"}
2023-05-31T22:18:25.530355032Z {"level":"info","ts":1685571505.530116,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-05-31T22:18:25.541842873Z {"level":"info","ts":1685571505.5416245,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-01T22:18:24.529297446Z {"level":"info","ts":1685657904.528511,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["rss.jawmonster.com"],"from":1685959198,"to":1686261598}
2023-06-01T22:18:25.530570759Z {"level":"info","ts":1685657905.5302439,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-01T22:18:25.541719729Z {"level":"info","ts":1685657905.5414753,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-02T05:24:12.014421507Z {"level":"info","ts":1685683452.0141723,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
2023-06-02T05:24:12.014465176Z {"level":"warn","ts":1685683452.0142562,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
2023-06-02T05:24:12.024973577Z {"level":"info","ts":1685683452.0245879,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00050c690"}
2023-06-02T05:24:12.026754185Z {"level":"info","ts":1685683452.0266027,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
2023-06-02T05:24:12.026791925Z {"level":"info","ts":1685683452.026637,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
2023-06-02T05:24:12.832760444Z {"level":"info","ts":1685683452.83261,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-06-02T05:24:12.835358621Z {"level":"warn","ts":1685683452.8352528,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":22}
2023-06-02T05:24:12.836374872Z {"level":"info","ts":1685683452.8362916,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2023-06-02T05:24:12.836594210Z {"level":"info","ts":1685683452.8365257,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2023-06-02T05:24:12.836606797Z {"level":"info","ts":1685683452.8365407,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-06-02T05:24:12.836648431Z {"level":"info","ts":1685683452.8366106,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000454690"}
2023-06-02T05:24:12.837847397Z {"level":"info","ts":1685683452.8377602,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-02T05:24:12.837861701Z {"level":"info","ts":1685683452.8377604,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.jawmonster.com","rss.jawmonster.com","jawmonster.com"]}
2023-06-02T05:24:12.839156164Z {"level":"info","ts":1685683452.8390398,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-02T05:24:12.971325378Z {"level":"info","ts":1685683452.9711137,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-06-02T05:24:12.971383609Z {"level":"info","ts":1685683452.9711592,"msg":"serving initial configuration"}
2023-06-02T19:37:33.830949481Z {"level":"error","ts":1685734653.8306277,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"context canceled"}
2023-06-03T05:24:12.869325753Z {"level":"info","ts":1685769852.869048,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-03T05:24:12.882282171Z {"level":"info","ts":1685769852.8820112,"logger":"tls","msg":"finished cleaning storage units"}
2023-06-03T10:24:13.073627929Z {"level":"info","ts":1685787853.0730803,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["nextcloud.jawmonster.com"],"from":1686088798,"to":1686391198}
2023-06-03T10:24:13.156369188Z {"level":"info","ts":1685787853.1560512,"logger":"tls.cache.maintenance","msg":"advancing OCSP staple","identifiers":["jawmonster.com"],"from":1686088798,"to":1686358798}
2023-06-03T22:23:44.432054870Z {"level":"info","ts":1685831024.4319217,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
2023-06-03T22:23:44.432077339Z {"level":"warn","ts":1685831024.4319537,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
2023-06-03T22:23:44.436226842Z {"level":"info","ts":1685831024.4360683,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000454690"}
2023-06-03T22:23:44.439348620Z {"level":"info","ts":1685831024.4387836,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
2023-06-03T22:23:44.439393954Z {"level":"info","ts":1685831024.4388304,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
2023-06-03T22:23:45.248033348Z {"level":"info","ts":1685831025.247925,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
2023-06-03T22:23:45.250782066Z {"level":"warn","ts":1685831025.2507095,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":22}
2023-06-03T22:23:45.252183724Z {"level":"info","ts":1685831025.252096,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2023-06-03T22:23:45.252326057Z {"level":"info","ts":1685831025.2522776,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2023-06-03T22:23:45.252450845Z {"level":"info","ts":1685831025.2522933,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2023-06-03T22:23:45.252460426Z {"level":"info","ts":1685831025.2523375,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004bc850"}
2023-06-03T22:23:45.253162873Z {"level":"info","ts":1685831025.2531235,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.jawmonster.com","rss.jawmonster.com","jawmonster.com"]}
2023-06-03T22:23:45.481778284Z {"level":"info","ts":1685831025.4815617,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
2023-06-03T22:23:45.481825770Z {"level":"info","ts":1685831025.481621,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
2023-06-03T22:23:45.481844851Z {"level":"info","ts":1685831025.4816551,"msg":"serving initial configuration"}
2023-06-03T22:23:45.485143500Z {"level":"info","ts":1685831025.4849648,"logger":"tls","msg":"finished cleaning storage units"}
3. Caddy version:
```
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=
```
4. How I installed and ran Caddy:
```
docker run --name caddy \
  -p 80:80 \
  -p 443:443 \
  --restart unless-stopped \
  -v /var/lib/docker/volumes/caddy/data:/data \
  -v /var/lib/docker/volumes/caddy/config:/config \
  -v /var/lib/docker/volumes/caddy/etc/caddy:/etc/caddy \
  -v /var/lib/docker/volumes/caddy/www/index.html:/usr/share/caddy/index.html \
  --net staticIpMacVLAN \
  --ip 192.168.1.25 \
  -d caddy
```
a. System environment:
- Ubuntu 22.04.2 LTS
- Docker version 20.10.18, build b40c2f6
b. Command:
c. Service/unit/compose file:
d. My complete Caddy config:
```
jawmonster.com {
	encode gzip
	reverse_proxy http://192.168.1.10
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# clickjacking protection
		X-Frame-Options DENY
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		# enable CSP
		Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
	}
}

nextcloud.jawmonster.com {
	encode gzip
	rewrite /.well-known/carddav /remote.php/dav
	rewrite /.well-known/caldav /remote.php/dav
	reverse_proxy http://192.168.1.20
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# clickjacking protection
		X-Frame-Options DENY
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		# enable CSP
		Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
	}
}

rss.jawmonster.com {
	encode gzip
	reverse_proxy http://192.168.1.21
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# clickjacking protection
		X-Frame-Options DENY
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		# enable CSP
		Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none';"
	}
}
```
5. Links to relevant resources:
My failed security test:
https://www.ssltrust.com/ssl-tools/website-security-check?domain=jawmonster.com#ssl
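The log dump in section 2 is long and mostly routine maintenance; the lines that matter for a TLS complaint are the errors, the certificate renewals with their new expiry, and the restarts. The script below is an added example (not part of the post or of Caddy) that parses Caddy's JSON log format, with the Docker timestamp prefix, and pulls those out; the sample lines are copied from the post, plus one constructed non-JSON line to show it is skipped.

```python
"""Triage of Caddy's structured (JSON-per-line) log, as pasted in the post above.
Added example; the log format is Caddy's, the triage logic is this example's own."""
import json
import re
from datetime import datetime, timezone

# Docker prefixes each line with an RFC3339 timestamp before Caddy's JSON object.
_LINE = re.compile(r"^\s*(?:\S+Z\s+)?(\{.*\})\s*$")


def parse_caddy_log(text):
    """Yield one dict per JSON line; lines that are not JSON are skipped."""
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        try:
            yield json.loads(m.group(1))
        except json.JSONDecodeError:
            continue


def triage(text):
    """Summarise errors, ACME challenges, renewals (with expiry date) and restarts."""
    summary = {"errors": [], "challenges": [], "renewed": {}, "restarts": 0}
    for ev in parse_caddy_log(text):
        msg = ev.get("msg", "")
        if ev.get("level") == "error":
            summary["errors"].append((ev.get("logger"), msg, ev.get("error")))
        elif msg == "trying to solve challenge":
            summary["challenges"].append((ev.get("identifier"), ev.get("challenge_type")))
        elif msg == "replaced certificate in cache":
            # new_expiration is a Unix timestamp; report it as a UTC date
            exp = datetime.fromtimestamp(ev["new_expiration"], tz=timezone.utc)
            for name in ev.get("subjects", []):
                summary["renewed"][name] = exp.date().isoformat()
        elif msg == "serving initial configuration":
            summary["restarts"] += 1
    return summary


# Sample input: four lines taken from the post, plus one constructed junk line.
SAMPLE_LOG = """\
2023-05-25T22:28:43.447607298Z {"level":"info","ts":1685053723.4473026,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"rss.jawmonster.com","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-05-25T22:28:44.594527117Z {"level":"info","ts":1685053724.594223,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["rss.jawmonster.com"],"new_expiration":1692826123}
2023-05-26T03:33:07.341419590Z {"level":"error","ts":1685071987.341114,"logger":"tls","msg":"tls-alpn challenge","server_name":"","error":"no information found to solve challenge for identifier: "}
2023-05-30T22:18:25.530950555Z {"level":"info","ts":1685485105.5308506,"msg":"serving initial configuration"}
this line is constructed and is not JSON
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The one error in the post's log is a tls-alpn challenge request with an empty `server_name`, which is what the summary surfaces first; the rest of the dump is OCSP staple advancement and storage cleaning.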