How to access Coolify's Reverse proxy configurations to correct spam redirection of websites?

[Fauzdar1]

Hi, I've a self-hosted Coolify set-up on my Ubuntu server. It has over 20 apps (NextJS, ReactJS & WordPress based) deployed and connected to various domains. Everything was working correctly till last night. Now, most of these domains are redirecting to some spam website phishing as CloudFlare.

I've tried deleting cache of the websites and re-deploying them, I've verified correct DNS settings to the domains, I've verified originality of the codebases.

The only thing I couldn't find anywhere is how Coolify is managing all these reverse proxy connections, a bridge which is most likely compromised.

[djsisson]

@Fauzdar1 check proxy dynamic files for any new entries.
the domain locations are read from the containers, so it can only be being overridden in dynamic files.

[Fauzdar1]

Output of Curl -v westcoastfloors.ca

*   Trying 172.67.181.220:80...
* TCP_NODELAY set
* Connected to westcoastfloors.ca (172.67.181.220) port 80 (#0)
> GET / HTTP/1.1
> Host: westcoastfloors.ca
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 24 Mar 2025 11:32:26 GMT
< Content-Type: text/html
< Content-Length: 167
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Mon, 24 Mar 2025 12:32:26 GMT
< Location: https://redic.magicitbd.com/
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zpTiLx00A3rGQ517dn8WUnLg8oCCeESME8TsQ0lgwEMYnAlXNK0W57LIU8vBhPJlCM5ObORLNVL5fdQLxIPBK7s6HlpoyBaH4FtYKxUNcxlgKf1WLo6g9ljYZYXLF3PCF3j5ols%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 9255d913ca8bc7c7-DUS
< alt-svc: h3=":443"; ma=86400
< server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1551&rtt_var=775&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=82&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host westcoastfloors.ca left intact

It mentions the URL it is redirecting to - https://redic.magicitbd.com/.

[djsisson]

can you check your cf account to see if the redirect has been added to your domains.
since the redirect is happening at cloudflare

[Fauzdar1]

Checked that too, no change in the configuration. Both of these accounts - Cloudflare and Coolify are behind 2-factor auth, so can't expect these to be compromised either.

[djsisson]

can you run sudo netstat -ntlp on your server

[Fauzdar1]

Found no suspicious entries here either.

But, I fiddled around with CloudFlare and it was not in the DNS settings. I checked the Audit Logs and somehow all these websites had their metadata changed (which you can't change from the panel, only through customer support, according to Google). Cloudflare was the last point to expect this, I'm in contact with their support.

Thank you very much for your efforts and support, @djsisson. I appreciate that, I hope I'll be of help too.