
I'd like to set up a Caddy server where the subdomain is static but the domain part is a "wildcard", such as "api.*".

From my understanding of Caddy, the wildcard is possible for one part of the full domain (*.domain.com matches bar.domain.com but not foo.bar.domain.com).

Moreover, this configuration would automatically create an SSL certificate (which Caddy does in general, but I'm not sure here) for any new DNS entry that points to my server with a domain starting with "api.*".

The "*" here would be the domain directly, not any subdomain (it would work for api.domain.com, but not for api.foo.domain.com).

Is this possible using a simple Caddy directive (such as api.* { ... }, which I tried without luck), or does it need a more complex implementation?

halfer
Cyril N.

2 Answers

I found a working solution with the help of the Caddy Community.

Here's the code:

{
    on_demand_tls {
        ask    https://static.site.com/domain/verify
        interval 2m
        burst 5
    }
}

static.site.com {
    ...
}

:443 {
    tls {
        on_demand
    }

    # Your custom config, for instance:
    reverse_proxy * ...
}

The nifty part is the tls { on_demand } block for your generic HTTPS, which will create a certificate automatically. But this can be abused by anyone who points one of their DNS entries at your server.

So to avoid that, the Caddy community highly recommends that you set an on_demand_tls block that will query an endpoint, and allow the SSL certificate to be created only if that endpoint returns true.

NOTE: The ask is a GET request that DOES NOT FOLLOW redirects! Anything but a 200 status code will be considered a failure, even a 3xx!

The ask URL will have ?domain appended and will allow you to verify that domain against your logic, such as a custom value in the domain like "starting with static.*", and verify that the domain exists in your database (for example).

If your URL already contains some query parameters, don't worry, Caddy is clever enough to add to them (https://static.site.com/domain/verify?some=query will become https://static.site.com/domain/verify?some=query&domain={domain}).

Caddy supports HTTPS for the ask parameter, and that URL can also be external with no problems at all (no need for localhost or local server configuration).

Cyril N.
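The ask endpoint this answer describes, written as an added example in Go (it is not from the original post or from the Caddy project): the "api" prefix rule, the two-label domain check and the allowlisted hostnames are constructed assumptions standing in for your own database lookup.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Constructed allowlist, standing in for "the domain exists in your database".
var knownDomains = map[string]bool{"api.example.com": true, "api.customer-one.net": true}

// askDecision returns the status the "ask" endpoint answers for one hostname:
// Caddy issues a certificate only on 200, every other status denies it.
// Rule from the question: fixed "api" label plus exactly "domain.tld", so
// api.domain.com passes while api.foo.domain.com and www.domain.com fail.
// Assumption: two labels after the prefix (suffixes like co.uk not modelled).
func askDecision(hostname string, allowed map[string]bool) int {
	hostname = strings.ToLower(strings.TrimSuffix(hostname, "."))
	labels := strings.Split(hostname, ".")
	if len(labels) != 3 || labels[0] != "api" {
		return http.StatusForbidden
	}
	for _, l := range labels {
		if l == "" { // malformed, e.g. "api..com"
			return http.StatusBadRequest
		}
	}
	if !allowed[hostname] {
		return http.StatusNotFound
	}
	return http.StatusOK
}

// askHandler serves GET /domain/verify?domain=<hostname>. Caddy adds the domain
// parameter itself and does not follow redirects, so reply with a final status.
func askHandler(w http.ResponseWriter, r *http.Request) {
	d := r.URL.Query().Get("domain")
	if r.Method != http.MethodGet || d == "" {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	w.WriteHeader(askDecision(d, knownDomains))
}

func main() {
	http.HandleFunc("/domain/verify", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Point the `ask` directive at this handler's URL; only the status code matters to Caddy, so denied names get a 403/404 rather than a redirect.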

I met the same problem, and after being stuck for a day, here is my solution:

Assuming the site name is site.com, and I want Caddy to handle these domains for me:

  • a.dot.site.com
  • b.dot.site.com
  • c.dot.site.com
  • a.eth.site.com
  • b.eth.site.com
  • c.eth.site.com

1. Make sure SSL access is enabled, e.g. via Cloudflare.

2. Set the A record pointing to your Caddy server's IP.

3. The Caddyfile should look like:

# the key is: you have to list all the patterns for your multiple subdomains
*.site.com *.eth.site.com *.dot.site.com {
  reverse_proxy 127.0.0.1:4567

  log {
    output file /var/log/access-wildcard-site.com.log
  }

  tls {
    dns cloudflare <your cloud flare api key>
  }

}

Siwei