One simple way to block most web server attacks

As I wrote in my previous blog post, I recently switched from Apache+Wordpress to Caddy+Hugo. But looking at the Caddy access log I was perplexed to see almost no attacks being logged. So I looked at the caddy.log. Bingo! It contains lots of warnings like this:

2018/11/14 16:32:26 [INFO] - No such site at :80 (Remote:, Referer: )
2018/11/14 17:45:02 [INFO] - No such site at :80 (Remote:, Referer: )

The issue is that those HTTP requests don’t include my web server hostname. Instead the Host header carries my IPv4 address or some other domain name. My Caddy config began like this:

localhost:80, {

This means the Caddy web server will only accept requests for those two host names. Web browsers and legitimate crawlers (Google, Bing, etc.) all put the correct hostname in the request headers, but most malware attacks do not. Under Apache those requests were still processed; Caddy, quite reasonably, rejects them outright.

Just to verify my conclusion I temporarily changed my Caddy config to begin with :80 { to accept requests for any hostname. Sure enough, I immediately started seeing attacks (e.g., illegitimate POST requests) in the access log. So the lesson is to always lock down your web server to reject any request with an invalid HTTP Host: header.
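As an added example (not code from the original post), here is a small Python script that tallies the "No such site" warnings in caddy.log by the Host value the client sent and by remote address, so you can see what the lock-down is rejecting. The line layout is assumed from the two log lines quoted above, with Caddy's host and remote fields filled in where the quoted lines have them blank; the sample log is constructed and uses documentation IP ranges.

```python
import re
from collections import Counter

# Line layout assumed from the caddy.log lines in the post: an optional Host
# value before " - ", then the listener, remote address and referer.
NO_SITE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[INFO\] (?:(?P<host>\S+) )?- "
    r"No such site at (?P<listen>\S+) "
    r"\(Remote:\s*(?P<remote>[^,]*), Referer:\s*(?P<referer>[^)]*)\)$"
)

# Constructed sample log (not real traffic); the last two lines are noise.
SAMPLE_LOG = """\
2018/11/14 16:32:26 [INFO] 203.0.113.10 - No such site at :80 (Remote: 198.51.100.7:51234, Referer: )
2018/11/14 16:32:27 [INFO] 203.0.113.10 - No such site at :80 (Remote: 198.51.100.7:51235, Referer: )
2018/11/14 17:45:02 [INFO] www.example.net - No such site at :80 (Remote: 192.0.2.44:40001, Referer: http://www.example.net/)
2018/11/14 17:45:03 [INFO] 203.0.113.10 - No such site at :80 (Remote: 192.0.2.44:40002, Referer: )
2018/11/14 17:45:04 [INFO] - No such site at :80 (Remote:, Referer: )
2018/11/14 17:46:00 [INFO] Something unrelated happened
"""


def parse_no_such_site(text):
    """Yield one dict per rejected request; non-matching lines are skipped."""
    for line in text.splitlines():
        m = NO_SITE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = rec["host"] or "(empty)"          # no Host header at all
        remote = rec["remote"].strip()
        rec["remote_ip"] = remote.rsplit(":", 1)[0] if remote else "(unknown)"
        yield rec


def summarize(text):
    """Count rejected requests by presented Host value and by remote IP."""
    by_host, by_remote = Counter(), Counter()
    for rec in parse_no_such_site(text):
        by_host[rec["host"]] += 1
        by_remote[rec["remote_ip"]] += 1
    return by_host, by_remote


if __name__ == "__main__":
    hosts, remotes = summarize(SAMPLE_LOG)
    print("Rejected Host values:", hosts.most_common())
    print("Remote IPs:", remotes.most_common())
```

Hosts that show up as your bare IP address, or as names you never configured, are exactly the requests the site-label restriction is filtering out; a spike from one remote IP is a candidate for a firewall rule.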