diff --git a/deploy/caddy/Caddyfile b/deploy/caddy/Caddyfile index 80189f2..051940a 100644 --- a/deploy/caddy/Caddyfile +++ b/deploy/caddy/Caddyfile @@ -49,14 +49,15 @@ } # Honeypot decoy paths: classic vulnerability-scanner bait no real client ever - # requests. Route them to the gateway tagged with X-Scrabble-Honeypot so it logs - # the scanner hit and (in prod) bans the source IP. The inbound header is - # stripped first so a client cannot pre-set it — and even if it did, it would - # only ban itself. Keep this list in sync with no legitimate landing/app path. + # requests. Route them to the gateway tagged with X-Scrabble-Honeypot — the set + # replaces any client-supplied value — so it logs the scanner hit and (in prod) + # bans the source IP. (A delete + set in one block would not work: Caddy applies + # header_up deletions after sets, which would strip the tag we just set; the real + # endpoints instead strip the header in the @gateway block above.) Keep this list + # disjoint from every legitimate landing/app path. @honeypot path /.env /.git /.git/* /.aws/* /wp-login.php /wp-admin /wp-admin/* /phpmyadmin /phpmyadmin/* handle @honeypot { reverse_proxy gateway:8081 { - header_up -X-Scrabble-Honeypot header_up X-Scrabble-Honeypot 1 } }