Closed Surfict closed 2 weeks ago
It seems that the way Caddy is currently configured "anyone across the internet can craft an SNI request for arbitrary hostnames on your server and prompt an ACME challenge from your Caddy instance."
Yes, this is by design.
As I answered already in https://github.com/nextcloud/all-in-one/discussions/4820, if you do not want such things to be logged anymore, I would recommend putting the aio interface behind a vpn and/or not exposing it publicly.
Steps to reproduce
Expected behavior
Not having logs of ACME challenges coming from anyone on the internet
Actual behavior
I have logs of ACME challenges coming from external requests
Host OS
Ubuntu 22.04.4
Nextcloud AIO version
Nextcloud AIO v8.1.0
Current channel
Other valuable info
This issue is following this discussion and this post on Caddy forums. It seems that the way Caddy is currently configured "anyone across the internet can craft an SNI request for arbitrary hostnames on your server and prompt an ACME challenge from your Caddy instance. This leaves you open to abuse and should be rectified. Upstream ACME providers will have rate limits to mitigate your server abusing theirs, but you may find yourself with cluttered logs and have your renewal attempts rejected later due to said rate limit abuse."
This is indeed what I experienced myself.
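One mitigation for the behaviour quoted above, as an added example that is not part of this issue or of AIO's own code: a minimal `ask` endpoint for Caddy's on-demand TLS, which makes Caddy refuse to request a certificate for any SNI name outside an explicit allowlist. It assumes AIO's Caddy uses on-demand TLS and can be pointed at such an endpoint; the hostnames and port are constructed placeholders.

```python
"""
Minimal `ask` endpoint for Caddy on-demand TLS (added example, not AIO's code).
Assumed Caddyfile global option pointing Caddy at this service:
    on_demand_tls {
        ask http://127.0.0.1:9000/ask
    }
Before issuing a certificate Caddy sends GET /ask?domain=<sni-name>;
a 2xx response allows issuance, anything else refuses it, so a stranger's
SNI for an arbitrary hostname never reaches the ACME provider.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: only the hostnames this server really serves.
ALLOWED_HOSTS = {"cloud.example.com", "office.example.com"}


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so lookups are exact-match."""
    return domain.strip().lower().rstrip(".")


def is_allowed(domain: str) -> bool:
    """True only for an exact allowlisted hostname; wildcards and junk are refused."""
    host = normalize(domain)
    if not host or any(c in host for c in "*/:@ "):
        return False
    return host in ALLOWED_HOSTS


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/ask":
            self.send_response(404)
            self.end_headers()
            return
        domain = parse_qs(url.query).get("domain", [""])[0]
        status = 200 if is_allowed(domain) else 403
        # Refused names are still logged, but no ACME request is made for them.
        self.log_message("ask domain=%r -> %d", domain, status)
        self.send_response(status)
        self.end_headers()


def serve(host: str = "127.0.0.1", port: int = 9000) -> None:
    HTTPServer((host, port), AskHandler).serve_forever()


if __name__ == "__main__":
    serve()
```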