Steps to reproduce

Expected behavior
Not having logs of ACME challenges coming from anyone on the internet.

Actual behavior
I have logs of ACME challenges coming from external requests.

Host OS
Ubuntu 22.04.4

Nextcloud AIO version
Nextcloud AIO v8.1.0

Current channel

Other valuable info
This issue follows this discussion and this post on the Caddy forums. It seems that, the way Caddy is currently configured, "anyone across the internet can craft an SNI request for arbitrary hostnames on your server and prompt an ACME challenge from your Caddy instance. This leaves you open to abuse and should be rectified. Upstream ACME providers will have rate limits to mitigate your server abusing theirs, but you may find yourself with cluttered logs and have your renewal attempts rejected later due to said rate limit abuse." This is indeed what I experienced myself.
Yes, this is by design. As I answered already in #4820, if you do not want such things to be logged anymore, I would recommend putting the AIO interface behind a VPN and/or not exposing it publicly.