Applying configuration via wildcard

1. The problem I’m having:

I am trying to apply some configuration options that will apply to all subdomains via wildcard. For example, given sub.example.com, I want to apply configuration to all further subdomains in *.sub.example.com.

Now, I do have a block with *.sub.example.com, but it’s paired with *.example.com for wildcard certificates. I just want to apply configuration to *.sub.example.com, so I’ve tried creating a separate block for just that.

Note that I am not looking for help with wildcard certs.

I believe that I might have to use matchers within the *.sub.example.com and *.example.com block, but I am also unsure how I should go about that.

2. Error messages and/or full log output:

If I create another block targeting just *.sub.example.com, caddy validate tells me:

Error: adapting config using caddyfile: ambiguous site definition: *.sub.example.com

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04.4 LTS, amd64, bare metal

b. Command:

wget https://github.com/caddyserver/xcaddy/releases/download/v0.3.5/xcaddy_0.3.5_linux_amd64.deb
sudo apt install ./xcaddy_0.3.5_linux_amd64.deb
xcaddy build --with github.com/caddy-dns/cloudflare
caddy validate

c. Service/unit/compose file:

d. My complete Caddy config:

*.sub.example.com,
*.example.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
}

*.sub.example.com {
    @denied not client_ip private_ranges
    abort @denied
}

5. Links to relevant resources:

You have the subdomain in both blocks. That won’t work.
This is what you should do:

*.example.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
    # named matchers need the "host" matcher keyword before the hostname
    @host1 host host1.example.com
    handle @host1 {
        reverse_proxy 192.168.x.x
    }

    @host2 host host2.example.com
    handle @host2 {
        reverse_proxy 192.168.1.x
    }
}

*.sub.example.com {
    @denied not client_ip private_ranges
    abort @denied

    @subhost1 host host1.sub.example.com
    handle @subhost1 {
        reverse_proxy 192.168.x.x
    }

    @subhost2 host host2.sub.example.com
    handle @subhost2 {
        reverse_proxy 192.168.1.x
    }
}

Correct, a site address can only appear once, not in two different site blocks.

If you want the dns config to apply to both, you can use snippets to deduplicate your config.

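The snippet approach suggested above, written out as an added example (this is not config from any poster in the thread). It assumes the same Cloudflare DNS setup and environment variable as the original config; the snippet name `cloudflare_tls` and the `192.168.x.x` upstream placeholders are invented here. Each site block keeps its own address, so the "ambiguous site definition" error goes away, and the TLS settings live in one place:

```caddyfile
# Reusable TLS block; imported wherever a wildcard cert is needed.
(cloudflare_tls) {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
}

# Parent wildcard. A *.example.com certificate only covers one label,
# so this block does not serve *.sub.example.com.
*.example.com {
    import cloudflare_tls

    @host1 host host1.example.com
    handle @host1 {
        reverse_proxy 192.168.x.x
    }
}

# Child wildcard gets its own block (and its own *.sub.example.com cert),
# so the client_ip restriction applies only here.
*.sub.example.com {
    import cloudflare_tls

    # Drop anything that did not come from an RFC 1918 / loopback range.
    @denied not client_ip private_ranges
    abort @denied

    @subhost1 host host1.sub.example.com
    handle @subhost1 {
        reverse_proxy 192.168.x.x
    }
}
```

One caveat worth checking when relying on the `client_ip` matcher for access control: it matches the client address as Caddy determines it, which only honours forwarded-for headers from proxies listed in `trusted_proxies` in the global `servers` options. If Caddy is reached directly, `client_ip` is the TCP peer address and behaves like `remote_ip`; if it sits behind a load balancer that is not declared trusted, every request appears to come from that balancer's address, which may or may not be a private range.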

Thanks for the information. I came to the same conclusion (re: only having one block per host) while waiting for an answer and eventually settled on something like:

*.sub.example.com,
*.example.com,
example.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    @sub host sub.example.com *.sub.example.com
    handle @sub {
        @denied not client_ip private_ranges
        abort @denied
    }
}

I have yet to deploy this, but I think it looks correct. At least, caddy validate thinks the configuration is valid.

Seems fine, but obviously that config as-is won’t actually do anything with the HTTP requests (you’re not routing them to a proxy or file server or whatever).

