Caddy serves wrong SSL cert

Question

I want to fix this information leakage (giving an attacker the opportunity to enumerate all the different hosts served on my webserver).

Does somebody know how to fix it or work around it?

Toby Allen · Answer 1 · 2018-10-25T12:02:33.340

0

You can simply specify a default response to any non existing domain.

:443 {
  root c:\websites\nowebsite\
  tls self_signed

 }

This will be served anytime you recieve a request for an otherwise non existant domain.

It is worth noting however that ALL lets encrypt certs are published online in Certificate Transparancy logs.

edited Oct 25 '18 at 12:02

answered Oct 24 '18 at 07:18

Toby Allen

Thanks Toby, I tried this but it didn't work. Caddy still serves random certs from other subdomains – Olaf Oct 25 '18 at 12:00
Sorry that's because I speciifed 433 instead of :443 using 443 (tls port) should work – Toby Allen Oct 25 '18 at 12:03

1 Answers1