nextcloud / all-in-one

📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.
https://hub.docker.com/r/nextcloud/all-in-one
GNU Affero General Public License v3.0

Caddy seems to be open for arbitrary hostnames DNS challenges #4881

Closed Surfict closed 2 weeks ago

Surfict commented 2 weeks ago

Steps to reproduce

  1. Install Nextcloud AIO from scratch
  2. After a few days, check the logs of nextcloud/all-in-one container

Expected behavior

Not having logs of ACME challenges coming from anyone on the internet

Actual behavior

I have logs of ACME challenges coming from external requests

Host OS

Ubuntu 22.04.4

Nextcloud AIO version

Nextcloud AIO v8.1.0

Current channel

Other valuable info

This issue is following this discussion and this post on Caddy forums. It seems that the way Caddy is currently configured "anyone across the internet can craft an SNI request for arbitrary hostnames on your server and prompt an ACME challenge from your Caddy instance. This leaves you open to abuse and should be rectified. Upstream ACME providers will have rate limits to mitigate your server abusing theirs, but you may find yourself with cluttered logs and have your renewal attempts rejected later due to said rate limit abuse."

This is indeed what I experienced myself.
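One way to close the hole the quoted Caddy forum post describes, as an added example that is not part of Nextcloud AIO or of this issue: Caddy's on-demand TLS can be gated with the global option `on_demand_tls { ask <url> }`, under which Caddy sends `GET <url>?domain=<sni-name>` before attempting any ACME challenge and proceeds only if the endpoint answers HTTP 200. The allowlist, hostnames and port below are assumptions.

```python
"""Hypothetical 'ask' endpoint for Caddy's on-demand TLS (constructed
example, not Nextcloud AIO code).

Caddy calls GET <url>?domain=<sni-name> before obtaining a certificate
and only contacts the ACME provider when this endpoint returns 200, so
arbitrary SNI names never reach the ACME rate limits or the logs.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumed allowlist: the hostnames this Caddy instance actually serves.
ALLOWED_HOSTS = {"cloud.example.com", "aio.example.com"}


def is_allowed(domain: str) -> bool:
    """Return True only for an exact, normalised match in the allowlist.

    Normalisation drops the trailing dot and lowercases, so
    'Cloud.Example.com.' matches. Wildcards are deliberately not
    supported: any pattern wider than the served names re-opens the abuse.
    """
    name = domain.strip().rstrip(".").lower()
    return bool(name) and name in ALLOWED_HOSTS


def decide(path: str) -> int:
    """Map the request path Caddy sends to the HTTP status to answer."""
    domains = parse_qs(urlparse(path).query).get("domain", [])
    # Exactly one domain parameter is expected; anything else is denied.
    if len(domains) != 1 or not is_allowed(domains[0]):
        return 403
    return 200


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status = decide(self.path)
        self.send_response(status)
        self.end_headers()
        # Denied names are logged here, so probing stays visible without
        # Caddy ever starting an ACME order for them.
        if status != 200:
            self.log_message("denied on-demand TLS for %s", self.path)


if __name__ == "__main__":
    # Assumed bind address; point `ask http://127.0.0.1:5555/check` at it.
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```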

szaimen commented 2 weeks ago

It seems that the way Caddy is currently configured "anyone across the internet can craft an SNI request for arbitrary hostnames on your server and prompt an ACME challenge from your Caddy instance."

Yes, this is by design.

As I answered already in https://github.com/nextcloud/all-in-one/discussions/4820, if you do not want such things to be logged anymore, I would recommend putting the aio interface behind a vpn and/or not exposing it publicly.