
Generic domain part with fixed subdomain using Caddy and auto SSL?


I'd like to set up a Caddy server where the subdomain is static but the domain part is "wildcard", such as "api.*".

From my understanding of Caddy, the wildcard is possible for one part of the full domain (*.domain.com matches bar.domain.com but not foo.bar.domain.com).

Moreover, this configuration would automatically create SSL certificates (which Caddy does in general, but I'm not sure here) for any new DNS entry that points to my server with a domain starting with "api.*".

The "*" here would be the domain directly, not any subdomain (it would work for api.domain.com, but not for api.foo.domain.com).

Is this something possible using a simple Caddy command (such as api.* { ... }, which I tried without luck), or does it need a more complex implementation?


Solution

  • I found a working solution with the help of the Caddy Community.

    Here's the code:

    {
        on_demand_tls {
            # Endpoint Caddy queries (GET, ?domain=<name> appended) before issuing a certificate
            ask    https://static.site.com/domain/verify
            # Rate limit for issuance: at most `burst` certificates per `interval`
            interval 2m
            burst 5
        }
    }
    
    static.site.com {
        ...
    }
    
    :443 {
        tls {
            on_demand
        }
    
        # Your custom config, for instance:
        reverse_proxy * ... 
    }
    

    The nifty part is the tls { on_demand } part for your generic HTTPS, which will create a certificate automatically. But this can be abused by anyone who points one of their DNS entries to your server.

    So to avoid that, the Caddy community highly recommends that you set an on_demand_tls that will query an endpoint, and allow the SSL certificate to be created only if that endpoint returns true.

    NOTE: The ask is a GET request that does NOT follow redirects! Anything but a 200 status code will be considered a failure, even a 3xx!

    The ask URL will have ?domain appended and will allow you to verify that domain against your logic, such as a custom value in the domain like "starting with static.*", and verify that the domain exists in your database (for example).

    If your URL already contains some query parameters, don't worry, Caddy is clever enough to add them. (https://static.site.com/domain/verify?some=query will become https://static.site.com/domain/verify?some=query&domain={domain}.)

    Caddy supports https for the ask parameter, and that URL can also be external with no problems at all (no need for localhost or local server configuration).
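The answer describes what the ask endpoint must do but does not show one. The following is an added example (not the answerer's code and not part of Caddy): a minimal Python HTTP server that plays the role of https://static.site.com/domain/verify. It assumes the endpoint path `/domain/verify`, a constructed in-memory allowlist standing in for "the domain exists in your database", and the question's shape `api.<domain>.<tld>` (exactly two labels after `api.`, so api.example.com passes the shape check and api.foo.example.com does not). It answers 200 only for an allowed domain and a non-200 status for everything else, never a redirect, since Caddy treats anything but 200 as a denial. Extra query parameters already present on the ask URL are tolerated, as the answer notes Caddy appends `&domain=` to them.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
import re

# Constructed allowlist: stands in for the "does this domain exist in my database" lookup.
ALLOWED_DOMAINS = {"api.example.com", "api.example.org"}

# Shape check for the fixed subdomain plus exactly one registrable domain (assumption:
# two labels after "api."). Matches api.example.com, rejects api.foo.example.com.
API_HOST_RE = re.compile(r"^api\.[a-z0-9-]{1,63}\.[a-z]{2,63}$")

# Hypothetical path of the ask endpoint; must match the `ask` URL in the Caddyfile.
ASK_PATH = "/domain/verify"


def is_allowed(domain: str) -> bool:
    """Return True only if Caddy may obtain a certificate for `domain`."""
    name = domain.strip().lower().rstrip(".")   # normalise case and a trailing FQDN dot
    if len(name) > 253 or not API_HOST_RE.fullmatch(name):
        return False                            # wrong shape: cheap reject before any lookup
    return name in ALLOWED_DOMAINS              # authoritative check against the allowlist


def ask_status(request_target: str) -> int:
    """Map the path+query Caddy sends (e.g. '/domain/verify?some=query&domain=api.example.com')
    to the HTTP status to answer: 200 allows issuance, any other code denies it."""
    parsed = urlparse(request_target)
    if parsed.path != ASK_PATH:
        return 404
    domains = parse_qs(parsed.query).get("domain", [])
    if len(domains) != 1:                       # missing or repeated ?domain= is a bad request
        return 400
    return 200 if is_allowed(domains[0]) else 403


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = ask_status(self.path)
        # Plain status only: Caddy does not follow redirects, so a 3xx would read as "deny".
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_request(self, code="-", size="-"):
        # Log every decision so denied attempts (someone pointing DNS at you) are visible.
        print(f"ask {self.path} -> {code}")


if __name__ == "__main__":
    # Bind locally; put it behind the static.site.com site block (or any HTTPS front) in production.
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()
```

Run it and point the Caddyfile's `ask` at it; a quick check with `curl -i 'http://127.0.0.1:8080/domain/verify?domain=api.example.com'` should return 200, while `?domain=api.foo.example.com` returns 403. The allowlist, not the regex, is the real gate: the shape check only filters obvious mismatches early.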