Feature request - reconsider easier wildcard certificates in Caddyfile?

DoTheEvo · March 19, 2023, 10:00am

3 years have passed since this topic came up. I am coming from selfhosted world, and where caddy is often enough used for reverse proxy.

I was reminded of this topic when a post came up about being able to see all declared subdomains for any domain. dnsdumpster.com

Wildcard would solve this bit of exposure, but its so damn ugly in the config. To be forced from get-go one layer deeper and have extra declarations
Guides/tutorials with this would also be less clean or harder to write/understood.

My wish would be declaration in global option and to apply to naked/root domain and all its subdomains. I think overwhelming majority of people dont have need to babysit root domain separately, so simpler it is - better. But I have limited hands on experience.

Just thought I ask, as maybe with more work put in to caddy in recent years, some easier way to make this happen came to light maybe.

francislavoie · March 19, 2023, 12:09pm

That pattern is the exact way it must be for Auto HTTPS to correctly apply. Please consider the JSON output of a Caddyfile with that pattern (run caddy adapt --pretty).

The rules for Auto HTTPS is that it reads top-level routes, looking for routes with host matchers. Those hosts are then automatically considered to create any relevant TLS automation policies if there aren’t already automation policies for those hostnames (subjects) already (there could already be some via tls config in the Caddyfile).

Because of that rule, if more specific sites are defined (i.e. a site foo.example.com) while a wildcard covering it also exists as a site (i.e. *.example.com) then Auto HTTPS will create an automation policy for foo.example.com as well because there’s nothing that prevents it from considering more-specific sites for automation.

Essentially what you’re asking for is to add more complexity to Caddy to get around these Auto HTTPS rules. That’s the thing we have a problem with. The code for Auto HTTPS is already very complicated and difficult to reason about. If we add more conditions or modes to it, it’ll be even worse.

In the case of wildcard certs, it feels like a “solved problem” already in the sense that there’s a pretty easy way to work around it by using a single site and having the host matchers inside of it to “hide” them from Auto HTTPS.

I’m not saying it’s not true that the config is not as ergonomic as we’d like regarding wildcard certs, you’re right that it is unfortunate. But it does feel hard to justify adding more complexity to an already complex system to improve it.

Regarding the reddit post, I disagree with the paranoia over CT logs. Domains are not secret information. You should be using authentication to prevent users you don’t want from reaching those services. It’s pretty easy now with options like forward_auth to set up single-sign-on for all your subdomains.

francislavoie · March 20, 2023, 9:20am

FYI I was doing some more thinking about it and there might be a path forwards but we can’t promise anything.

github.com/caddyserver/caddy

Auto HTTPS changes for better wildcard cert config ergonomics

opened 09:19AM - 20 Mar 23 UTC

francislavoie

discussion

Followup on https://github.com/caddyserver/caddy/issues/3200, sparked by https:/…/caddy.community/t/feature-request-reconsider-easier-wildcard-certificates-in-caddyfile/19348. See my reply on the forum question for context. The gist is that we want to be careful with the amount of complexity we introduce. So we need to find a _simple_ solution that doesn't complicate Automatic HTTPS too much. My current thought is we could add an new option to [`auto_https`](https://caddyserver.com/docs/caddyfile/options#auto-https) called (tentatively) `prefer_wildcard`. What this would do is change how Auto HTTPS collects hostnames from top-level routes, and what TLS automation policies it creates from those hostnames. Essentially, it would sort top-level hostnames according to specificity, then remove hostnames from the list if they're covered by another wildcard hostname in the list, and only make policies for the remainder. So `*.foo.com`, `bar.foo.com` and `baz.com` would result in two policies, only `*.foo.com` and `baz.com`. If a site uses `tls`, then it might still get its own automation policy (depending on the options used in the directive), so it would ignore using the wildcard cert. :warning: The problem is that the implementation _might_ be complex and too difficult to reason about in code. This is mainly thinking about the config surface and a rough ideation of how it could work, but I haven't studied the code to figure out exactly if it fits yet. So this is marked as a discussion for now until I (or someone else if they want to tackle this) look into it further at the code level. A Caddyfile config using this pattern could look like this, which is flatter than the current recommendation from https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates: ``` { auto_https prefer_wildcard } *.foo.com { tls { dns <provider> } # If a route reaches this site, then it wasn't # handled by another site block, so it's an unknown # subdomain, so you might close the connection. abort } foo.com { respond "FOO" } bar.foo.com { respond "BAR" } foobar.foo.com { # This would not use the wildcard cert tls /path/to/cert.crt /path/to/key.crt respond "FOOBAR" } barfoo.foo.com { # This would also cause the wildcard not to be used # because it would create a different automation policy tls { ca <ca_dir_url> } respond "FOOBAR" } baz.com { respond "BAZ } ```

DoTheEvo · March 20, 2023, 7:10pm

Well, caddy has been rock solid for me, so I would not trade that for cleaner config if it would bring up unnecessary complexity… so no pressure.

system · April 19, 2023, 7:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.