Generic hostname for SSL?

cx42net · January 27, 2022, 5:30pm

1. Caddy version (`caddy version`):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

* {
    root * /var/www/static/
    file_server
}

a. System environment:

Debian 10

b. Command:

caddy run

3. The problem I’m having:

I’d like to configure Caddy to work with a fixed subdomain but variable domain, such as

static.* where * could be any domain.

This would point to a specific folder (not even customized per the domain, just a basic /var/www/static/

I can’t make it work. The SSL is not working even though I was hoping that if a hostname is pointing to Caddy, that means the DNS should be good and an automatic SSL should be executed.

So I tried with a full * as the hostname, but it still doesn’t work.

Put simply, I’m trying to have static.* work, regardless of the domain part. For instance, if you point static.example.com to my server, you should be able to serve the /var/www/static/ from my server with a valid SSL certificate.

(I’m aware of the implications and the risks related to this, and this is definitely on purpose: it’s for a server serving a unique txt file needed for DNS validation).

Thank you in advance for your help!

francislavoie · January 27, 2022, 6:23pm

Caddy needs to know the domain it attempts to have a certificate issued for. Caddy performs certificate maintenance in the background, and attempts to do so on startup. If there’s nothing useful in the config, then it can’t do that.

If you don’t know the domain names ahead of time, then you can enable On-Demand TLS:

Make sure to configure the ask endpoint as instructed, otherwise you risk DDoS attacks against your server; an attack could force your server to issue certificates for an infinite amount of domains.

cx42net · January 27, 2022, 7:41pm

That’s awesome! I love the idea!

Is it possible in the configuration file to restrict the subdomain and be sure it’s always “static.*” ?
This is one thing I want to be sure it will be.

Thank you in advance!

francislavoie · January 27, 2022, 7:51pm

That would be the job of your ask endpoint to restrict that. But you should make sure you only allow domains from your customers, and not just anyone, via a database lookup or whatever.

cx42net · January 28, 2022, 9:53am

Fantastic! Thank you very much!

system · February 26, 2022, 5:30pm

This topic was automatically closed after 30 days. New replies are no longer allowed.