Lately I get -almost on a daily basis- my Caddy Server IP banned. Looking at the Caddy log at the time the IP gets banned (=time from IP ban. Yaml) I see below (ignore the xxx in the url):
I think (but not sure as I don’t exactly understand how to interpret the data) that it happens somehow if I pull camera info in the HASS interface when I’m remote but this is all internal; within hass config I have cameras configured which pull their info on the local network)
Ah ok, no worries removed it, I thought you meant it was constantly accessing your service.
That looks very much the same as what I see but I dont use tokens so dont have that part on mine. Do you get failed authentication messages in your HA log?
If the caddy server is being banned and not the end user IP, you mustn’t be using X-Forwarded-For to allow HA to see the clients real IP?
I setup caddy about two years ago and it was a small miracle I got it going. I have below in my caddyfile when it comes to Hass. Any better way to do this?
https://xx.org:9123 {
header / {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always
# connect via HTTPS (do not use if only testing)
Strict-Transport-Security "max-age=31536000; includeSubdomains"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "same-origin"
}
tls /etc/letsencrypt/live/xxx.org/fullchain.pem /etc/letsencrypt/live/xxx.org/privkey.pem
proxy / 127.0.0.1:8123 {
websocket
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
}
log /var/log/caddy-access.log {
rotate_size 20
rotate_age 14
rotate_keep 4
rotate_compress
}
errors stderr
}
https://:9123 {
tls self_signed
status 403 /
}
FYI the part at the bottom presents a fake self signed page if someone tries to access it via the IP not the full FQDN.
There is a lot on the forums about issues with X-Forwarded-For but this comes about from two angles, letting the user set the X-Forwarded-For address so they look to be internal, and also having a trusted network enabled for internal devices.
Ok, added the lines to config yaml and copied your caddy file 1:1 where everything xxx.org changed to my domain. I can access hass remotly so file seems to work fine. Let’s see if that solves the issue. You setup seems safer anyway…
I did not use tokens for the cams. I just have (also, next to user authentication) the API password method enabled. Hass then seems to autogenerate the tokens. This is a normal camera integration with Hass, pulling the feed from the cams so conceptually no login into Hass from the cams needed(?)