I'd like to set up a Caddy server where the subdomain is static but the domain part is "wildcard", such as `api.*`.
From my understanding of Caddy, the wildcard is possible for one part of the full domain (`*.domain.com` matches `bar.domain.com` but not `foo.bar.domain.com`).
Moreover, this configuration would automatically create SSL certificates (which Caddy does in general, but I'm not sure here) for any new DNS entry that points to my server with a domain starting with `api.*`.
The `*` here would be the domain directly, not any subdomain (it would work for `api.domain.com`, but not for `api.foo.domain.com`).
Is this something possible using a simple Caddy command (such as `api.* { ... }`, which I tried without luck), or does it need a more complex implementation?
I found a working solution with the help of the Caddy Community.
Here's the code:
```caddyfile
{
	on_demand_tls {
		ask https://static.site.com/domain/verify
		interval 2m
		burst 5
	}
}

static.site.com {
	...
}

:443 {
	tls {
		on_demand
	}
	# Your custom config, for instance:
	reverse_proxy * ...
}
```
The nifty part is the `tls { on_demand }` part for your generic HTTPS, which will create a certificate automatically. But this can be abused by anyone that points one of their DNS entries to your server.
So to avoid that, the Caddy community highly recommends you set an `on_demand_tls` that will query an endpoint, and allow the SSL certificate to be created only if that endpoint returns true.
NOTE: The `ask` is a GET request that DOES NOT FOLLOW redirects! Anything but a 200 status code will be considered a failure, even a 3xx!
The `ask` URL will have the `?domain` appended and will allow you to verify that domain against your logic, such as a custom value in the domain like "starting with `static.*`", and verify that the domain exists in your database (for example).
If your URL already contains some query parameters, don't worry, Caddy is clever enough to add them. (`https://static.site.com/domain/verify?some=query` will become `https://static.site.com/domain/verify?some=query&domain={domain}`.)
Caddy supports `https` for the `ask` parameter, and that URL can also be external with no problems at all (no need for localhost or local server configuration).