1. The problem I’m having:
A DNS-01 challenge on Caddy (v2.10.1), running on OPNsense, for the wildcard domain *.maru.makkan.homes on Porkbun results in:
"debug","ts":"2025-07-01T04:40:54Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:62947: no certificate available for 'test.maru.makkan.homes'"}
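Note: the ACME provider is pointed at the staging environment for the purpose of testing this config. I switch it to normal/production by commenting out the problematic section. (Staging certificates are not publicly trusted, so the "unknown certificate authority" handshake errors for maru.makkan.homes in the log below are expected while testing; the problem is the missing certificate for *.maru.makkan.homes.)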
It may be that I don't know how best to configure the DNS records in Porkbun. The relevant Porkbun records are:
- A record for maru.makkan.homes, pointing to my ingress IPv4
- CNAME record *.maru.makkan.homes, pointing to maru.makkan.homes
Your help and guidance would be much appreciated!
2. Error messages and/or full log output:
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="423"] "debug","ts":"2025-07-01T04:35:23Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"350c2562-c0ae-4be6-bf77-7e410f31149f","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"test.maru.makkan.homes","SupportedCurves":[31354,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771,770,769],"RemoteAddr":{"IP":"192.168.0.20","Port":62899,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="424"] "debug","ts":"2025-07-01T04:35:23Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.maru.makkan.homes"}
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="425"] "debug","ts":"2025-07-01T04:35:23Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.maru.makkan.homes"}
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="426"] "debug","ts":"2025-07-01T04:35:23Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.makkan.homes"}
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="427"] "debug","ts":"2025-07-01T04:35:23Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.homes"}
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="428"] "debug","ts":"2025-07-01T04:35:23Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
<15>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="429"] "debug","ts":"2025-07-01T04:35:23Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.20","remote_port":"62899","server_name":"test.maru.makkan.homes","remote":"192.168.0.20:62899","identifier":"test.maru.makkan.homes","cipher_suites":[51914,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
<11>1 2025-06-30T21:35:23-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="430"] "debug","ts":"2025-07-01T04:35:23Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:62899: no certificate available for 'test.maru.makkan.homes'"}
<15>1 2025-06-30T21:35:28-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="431"] "debug","ts":"2025-07-01T04:35:28Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:35:58-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="432"] "debug","ts":"2025-07-01T04:35:58Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:36:28-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="433"] "debug","ts":"2025-07-01T04:36:28Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<14>1 2025-06-30T21:36:43-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="434"] "info","ts":"2025-07-01T04:36:43Z","logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.0.26","remote_port":"42794","client_ip":"192.168.0.26","proto":"HTTP/1.1","method":"GET","host":"192.168.0.1","uri":"/","headers":{"Accept-Encoding":["gzip"],"User-Agent":["Dalvik/2.1.0 (Linux; U; Android 15; NE2215 Build/AP3A.240617.008)"],"Connection":["Keep-Alive"]}},"bytes_read":0,"user_id":"","duration":0.000044974,"size":0,"status":308,"resp_headers":{"Content-Type":[],"Server":["Caddy"],"Connection":["close"],"Location":["https://192.168.0.1/"]}}
<15>1 2025-06-30T21:36:58-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="435"] "debug","ts":"2025-07-01T04:36:58Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:37:28-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="436"] "debug","ts":"2025-07-01T04:37:28Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:37:58-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="437"] "debug","ts":"2025-07-01T04:37:58Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:38:28-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="438"] "debug","ts":"2025-07-01T04:38:28Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:38:58-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="439"] "debug","ts":"2025-07-01T04:38:58Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:39:28-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="440"] "debug","ts":"2025-07-01T04:39:28Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:39:30-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="441"] "debug","ts":"2025-07-01T04:39:30Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"37cd8c9b-8b44-4028-a841-d696a2ed9479","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"maru.makkan.homes","SupportedCurves":[4588,29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"192.168.0.20","Port":60703,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:39:30-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="442"] "debug","ts":"2025-07-01T04:39:30Z","logger":"tls.handshake","msg":"choosing certificate","identifier":"maru.makkan.homes","num_choices":1}
<15>1 2025-06-30T21:39:30-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="443"] "debug","ts":"2025-07-01T04:39:30Z","logger":"tls.handshake","msg":"default certificate selection results","identifier":"maru.makkan.homes","subjects":["maru.makkan.homes"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"c99c49adfc8f41e87c8559f44f3ef03edb6670c94280c0fd09505e3245112f17"}
<15>1 2025-06-30T21:39:30-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="444"] "debug","ts":"2025-07-01T04:39:30Z","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.20","remote_port":"60703","subjects":["maru.makkan.homes"],"managed":true,"expiration":"2025-09-28T16:34:29Z","hash":"c99c49adfc8f41e87c8559f44f3ef03edb6670c94280c0fd09505e3245112f17"}
<11>1 2025-06-30T21:39:30-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="445"] "debug","ts":"2025-07-01T04:39:30Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:60703: remote error: tls: unknown certificate authority"}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="446"] "debug","ts":"2025-07-01T04:39:33Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"01d5f503-8266-4cbe-aec8-cb2360171eed","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"maru.makkan.homes","SupportedCurves":[4588,29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"192.168.0.20","Port":60708,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="447"] "debug","ts":"2025-07-01T04:39:33Z","logger":"tls.handshake","msg":"choosing certificate","identifier":"maru.makkan.homes","num_choices":1}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="448"] "debug","ts":"2025-07-01T04:39:33Z","logger":"tls.handshake","msg":"default certificate selection results","identifier":"maru.makkan.homes","subjects":["maru.makkan.homes"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"c99c49adfc8f41e87c8559f44f3ef03edb6670c94280c0fd09505e3245112f17"}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="449"] "debug","ts":"2025-07-01T04:39:33Z","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.20","remote_port":"60708","subjects":["maru.makkan.homes"],"managed":true,"expiration":"2025-09-28T16:34:29Z","hash":"c99c49adfc8f41e87c8559f44f3ef03edb6670c94280c0fd09505e3245112f17"}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="450"] "debug","ts":"2025-07-01T04:39:33Z","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"docker-central.esco.ghaar:8080","total_upstreams":1}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="451"] "debug","ts":"2025-07-01T04:39:33Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"docker-central.esco.ghaar:8080","duration":0.002842302,"request":{"remote_ip":"192.168.0.20","remote_port":"60708","client_ip":"192.168.0.20","proto":"HTTP/2.0","method":"GET","host":"maru.makkan.homes","uri":"/","headers":{"X-Forwarded-For":["192.168.0.20"],"Via":["2.0 Caddy"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["navigate"],"Dnt":["1"],"Cookie":["i_like_gitea=eec1b66e523a5192; _csrf=M38uW4UsSGn-I4UvUT2697ZhBuk6MTc1MTM0MTQ5ODU3MDQzODExMg"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0"],"Priority":["u=0, i"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["maru.makkan.homes"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Sec-Gpc":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"maru.makkan.homes"}},"headers":{"Set-Cookie":["_csrf=E7aOsfUONQLBaEVf8Ue4IpoXgfo6MTc1MTM0NDc3MzU2NTIwNjU5Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax"],"X-Frame-Options":["SAMEORIGIN"],"Date":["Tue, 01 Jul 2025 04:39:33 GMT"],"Cache-Control":["max-age=0, private, must-revalidate, no-transform"],"Content-Type":["text/html; charset=utf-8"]},"status":200}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="452"] "debug","ts":"2025-07-01T04:39:33Z","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"docker-central.esco.ghaar:8080","total_upstreams":1}
<15>1 2025-06-30T21:39:33-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="453"] "debug","ts":"2025-07-01T04:39:33Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"docker-central.esco.ghaar:8080","duration":0.000761206,"request":{"remote_ip":"192.168.0.20","remote_port":"60708","client_ip":"192.168.0.20","proto":"HTTP/2.0","method":"GET","host":"maru.makkan.homes","uri":"/assets/img/favicon.svg","headers":{"Dnt":["1"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.20"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["image"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0"],"Accept-Language":["en-US,en;q=0.5"],"Priority":["u=6"],"Cookie":["i_like_gitea=eec1b66e523a5192; _csrf=E7aOsfUONQLBaEVf8Ue4IpoXgfo6MTc1MTM0NDc3MzU2NTIwNjU5Nw"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-Host":["maru.makkan.homes"],"Sec-Fetch-Site":["same-origin"],"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"],"Sec-Gpc":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"maru.makkan.homes"}},"headers":{"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=21600, no-transform"],"Content-Encoding":["gzip"],"Content-Type":["image/svg+xml"],"Last-Modified":["Fri, 20 Jun 2025 20:16:58 GMT"],"Date":["Tue, 01 Jul 2025 04:39:33 GMT"],"Content-Length":["1040"]},"status":200}
<15>1 2025-06-30T21:39:58-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="454"] "debug","ts":"2025-07-01T04:39:58Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:40:28-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="455"] "debug","ts":"2025-07-01T04:40:28Z","logger":"admin.api","msg":"received request","method":"GET","host":"192.168.100.1:2019","uri":"/metrics","remote_ip":"192.168.100.6","remote_port":"54462","headers":{"Accept":["application/openmetrics-text;version=1.0.0;escaping=allow-utf-8;q=0.6,application/openmetrics-text;version=0.0.1;escaping=allow-utf-8;q=0.5,text/plain;version=1.0.0;escaping=allow-utf-8;escaping=allow-utf-8;q=0.4,text/plain;version=0.0.4;escaping=allow-utf-8;q=0.3,*/*;q=0.2"],"Accept-Encoding":["gzip"],"User-Agent":["Prometheus/3.1.0"],"X-Prometheus-Scrape-Timeout-Seconds":["10"]}}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="456"] "debug","ts":"2025-07-01T04:40:54Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"f4d48a97-fd04-4814-851a-655d37599e22","origin":"tls","data":{"client_hello":{"CipherSuites":[27242,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"test.maru.makkan.homes","SupportedCurves":[39578,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[39578,772,771,770,769],"RemoteAddr":{"IP":"192.168.0.20","Port":62946,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="457"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="458"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="459"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="460"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="461"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="462"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.20","remote_port":"62946","server_name":"test.maru.makkan.homes","remote":"192.168.0.20:62946","identifier":"test.maru.makkan.homes","cipher_suites":[27242,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
<11>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="463"] "debug","ts":"2025-07-01T04:40:54Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:62946: no certificate available for 'test.maru.makkan.homes'"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="464"] "debug","ts":"2025-07-01T04:40:54Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"ee9f8a53-fed4-4c6e-a156-11119d1a43f0","origin":"tls","data":{"client_hello":{"CipherSuites":[6682,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"test.maru.makkan.homes","SupportedCurves":[14906,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[56026,772,771,770,769],"RemoteAddr":{"IP":"192.168.0.20","Port":62947,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="465"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="466"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="467"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="468"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="469"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="470"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.20","remote_port":"62947","server_name":"test.maru.makkan.homes","remote":"192.168.0.20:62947","identifier":"test.maru.makkan.homes","cipher_suites":[6682,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
<11>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="471"] "debug","ts":"2025-07-01T04:40:54Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:62947: no certificate available for 'test.maru.makkan.homes'"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="472"] "debug","ts":"2025-07-01T04:40:54Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"e3e21a64-d9b2-4bfe-83c3-0d8f1193e2d7","origin":"tls","data":{"client_hello":{"CipherSuites":[64250,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"test.maru.makkan.homes","SupportedCurves":[39578,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[14906,772,771,770,769],"RemoteAddr":{"IP":"192.168.0.20","Port":62948,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="473"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="474"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="475"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="476"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="477"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="478"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.20","remote_port":"62948","server_name":"test.maru.makkan.homes","remote":"192.168.0.20:62948","identifier":"test.maru.makkan.homes","cipher_suites":[64250,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
<11>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="479"] "debug","ts":"2025-07-01T04:40:54Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:62948: no certificate available for 'test.maru.makkan.homes'"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="480"] "debug","ts":"2025-07-01T04:40:54Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"241ac2a1-3642-45d6-963a-a5135d86cee9","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"test.maru.makkan.homes","SupportedCurves":[27242,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[47802,772,771,770,769],"RemoteAddr":{"IP":"192.168.0.20","Port":62949,"Zone":""},"LocalAddr":{"IP":"192.168.0.1","Port":443,"Zone":""}}}}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="481"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="482"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.maru.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="483"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.makkan.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="484"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.homes"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="485"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
<15>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="486"] "debug","ts":"2025-07-01T04:40:54Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.20","remote_port":"62949","server_name":"test.maru.makkan.homes","remote":"192.168.0.20:62949","identifier":"test.maru.makkan.homes","cipher_suites":[31354,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"cert_cache_fill":0.0006,"load_or_obtain_if_necessary":true,"on_demand":false}
<11>1 2025-06-30T21:40:54-07:00 MorikCage.esco.ghaar caddy - - [meta sequenceId="487"] "debug","ts":"2025-07-01T04:40:54Z","logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.20:62949: no certificate available for 'test.maru.makkan.homes'"}
3. Caddy version:
v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=
admin.api.load
admin.api.metrics
admin.api.pki
admin.api.reverse_proxy
caddy.adapters.caddyfile
caddy.config_loaders.http
caddy.filesystems
caddy.listeners.http_redirect
caddy.listeners.proxy_protocol
caddy.listeners.tls
caddy.logging.cores.mock
caddy.logging.encoders.append
caddy.logging.encoders.console
caddy.logging.encoders.filter
caddy.logging.encoders.filter.cookie
caddy.logging.encoders.filter.delete
caddy.logging.encoders.filter.hash
caddy.logging.encoders.filter.ip_mask
caddy.logging.encoders.filter.query
caddy.logging.encoders.filter.regexp
caddy.logging.encoders.filter.rename
caddy.logging.encoders.filter.replace
caddy.logging.encoders.json
caddy.logging.writers.discard
caddy.logging.writers.file
caddy.logging.writers.net
caddy.logging.writers.stderr
caddy.logging.writers.stdout
caddy.network_proxy.none
caddy.network_proxy.url
caddy.storage.file_system
events
http
http.authentication.hashes.bcrypt
http.authentication.providers.http_basic
http.encoders.gzip
http.encoders.zstd
http.handlers.acme_server
http.handlers.authentication
http.handlers.copy_response
http.handlers.copy_response_headers
http.handlers.encode
http.handlers.error
http.handlers.file_server
http.handlers.headers
http.handlers.intercept
http.handlers.invoke
http.handlers.log_append
http.handlers.map
http.handlers.metrics
http.handlers.push
http.handlers.request_body
http.handlers.reverse_proxy
http.handlers.rewrite
http.handlers.static_response
http.handlers.subroute
http.handlers.templates
http.handlers.tracing
http.handlers.vars
http.ip_sources.static
http.matchers.client_ip
http.matchers.expression
http.matchers.file
http.matchers.header
http.matchers.header_regexp
http.matchers.host
http.matchers.method
http.matchers.not
http.matchers.path
http.matchers.path_regexp
http.matchers.protocol
http.matchers.query
http.matchers.remote_ip
http.matchers.tls
http.matchers.vars
http.matchers.vars_regexp
http.precompressed.br
http.precompressed.gzip
http.precompressed.zstd
http.reverse_proxy.selection_policies.client_ip_hash
http.reverse_proxy.selection_policies.cookie
http.reverse_proxy.selection_policies.first
http.reverse_proxy.selection_policies.header
http.reverse_proxy.selection_policies.ip_hash
http.reverse_proxy.selection_policies.least_conn
http.reverse_proxy.selection_policies.query
http.reverse_proxy.selection_policies.random
http.reverse_proxy.selection_policies.random_choose
http.reverse_proxy.selection_policies.round_robin
http.reverse_proxy.selection_policies.uri_hash
http.reverse_proxy.selection_policies.weighted_round_robin
http.reverse_proxy.transport.fastcgi
http.reverse_proxy.transport.http
http.reverse_proxy.upstreams.a
http.reverse_proxy.upstreams.multi
http.reverse_proxy.upstreams.srv
pki
tls
tls.ca_pool.source.file
tls.ca_pool.source.http
tls.ca_pool.source.inline
tls.ca_pool.source.pki_intermediate
tls.ca_pool.source.pki_root
tls.ca_pool.source.storage
tls.certificates.automate
tls.certificates.load_files
tls.certificates.load_folders
tls.certificates.load_pem
tls.certificates.load_storage
tls.client_auth.verifier.leaf
tls.ech.publishers.dns
tls.get_certificate.http
tls.get_certificate.tailscale
tls.handshake_match.local_ip
tls.handshake_match.remote_ip
tls.handshake_match.sni
tls.handshake_match.sni_regexp
tls.issuance.acme
tls.issuance.internal
tls.issuance.zerossl
tls.leaf_cert_loader.file
tls.leaf_cert_loader.folder
tls.leaf_cert_loader.pem
tls.leaf_cert_loader.storage
tls.permission.http
tls.stek.distributed
tls.stek.standard
Standard modules: 127
admin.api.crowdsec
caddy.listeners.layer4
caddy.logging.encoders.formatted
caddy.logging.encoders.transform
crowdsec
dns.providers.porkbun
dynamic_dns
dynamic_dns.ip_sources.interface
dynamic_dns.ip_sources.simple_http
dynamic_dns.ip_sources.static
dynamic_dns.ip_sources.upnp
http.handlers.appsec
http.handlers.crowdsec
http.handlers.rate_limit
http.reverse_proxy.transport.http_ntlm
layer4
layer4.handlers.echo
layer4.handlers.proxy
layer4.handlers.proxy_protocol
layer4.handlers.socks5
layer4.handlers.subroute
layer4.handlers.tee
layer4.handlers.throttle
layer4.handlers.tls
layer4.matchers.clock
layer4.matchers.crowdsec
layer4.matchers.dns
layer4.matchers.http
layer4.matchers.local_ip
layer4.matchers.not
layer4.matchers.openvpn
layer4.matchers.postgres
layer4.matchers.proxy_protocol
layer4.matchers.quic
layer4.matchers.rdp
layer4.matchers.regexp
layer4.matchers.remote_ip
layer4.matchers.remote_ip_list
layer4.matchers.socks4
layer4.matchers.socks5
layer4.matchers.ssh
layer4.matchers.tls
layer4.matchers.winbox
layer4.matchers.wireguard
layer4.matchers.xmpp
layer4.proxy.selection_policies.first
layer4.proxy.selection_policies.ip_hash
layer4.proxy.selection_policies.least_conn
layer4.proxy.selection_policies.random
layer4.proxy.selection_policies.random_choose
layer4.proxy.selection_policies.round_robin
tls.handshake_match.alpn
Non-standard modules: 52
Unknown modules: 0
4. How I installed and ran Caddy:
a. System environment:
FREEBSD 14.2-RELEASE-p3
OPNsense 25.4.1 (amd64)
b. Command:
configctl caddy start
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
# caddy_user=root
# Global Options
{
	log {
		# Runtime logs go out as JSON over a local unix datagram socket.
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}
	servers {
		protocols h1 h2
		# NOTE(review): log_credentials switches off Caddy's default redaction of
		# Cookie, Set-Cookie, Authorization and Proxy-Authorization in access logs.
		# With it on, the per-site files under /var/log/caddy/access/ contain
		# session cookies and auth header values in clear text. Drop it once
		# troubleshooting is finished and limit who can read those files.
		log_credentials
	}
	email <redacted>
	grace_period 10s
	# Staging CA, set globally: every site in this file is issued an untrusted
	# staging certificate while this line is active, not only the wildcard test site.
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	# Debug-level logging; the "debug" lines in the posted log come from this.
	debug
	# NOTE(review): the admin API is bound to a LAN address instead of the
	# default localhost:2019. The build includes admin.api.load, so any host that
	# can reach this socket can read and replace the running configuration, and
	# nothing in this file adds access control to it. Limit reachability of
	# 192.168.100.1:2019 with firewall rules, or bind it to loopback or a unix
	# socket if remote management is not needed. The file header says
	# caddy_user=root, which raises the impact of a config change made this way.
	admin 192.168.100.1:2019
	metrics
	#crowdsec
	# CrowdSec bouncer settings; URL and key were redacted by the poster.
	crowdsec {
		api_url <redacted>
		api_key <redacted>
		ticker_interval 15s
	}
}
# Reverse Proxy Configuration
# Reverse Proxy Domain: "e09eca31-8d38-4ac6-acf6-b805479b12ee"
# LAN-only reverse proxy: clients outside the RFC 1918 IPv4 ranges are dropped.
jarvis.makkan.homes {
	# Per-site access log; rolled files are kept for 10 days.
	log {
		output file /var/log/caddy/access/e09eca31-8d38-4ac6-acf6-b805479b12ee.log {
			roll_keep_for 10d
		}
	}
	# Matches any client whose address is NOT in the listed private IPv4 ranges.
	# Only IPv4 prefixes are listed, so clients connecting over IPv6 are treated
	# as external. No trusted_proxies is set in the global options of this file,
	# so client_ip is the TCP peer address; if trusted_proxies is added later,
	# this check will rely on forwarded headers from those proxies.
	@08831d42-ad4c-40dc-a7d5-53af52ac6490_jarvismakkanhomes {
		not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	}
	# External clients: close the connection without sending a response.
	handle @08831d42-ad4c-40dc-a7d5-53af52ac6490_jarvismakkanhomes {
		abort
	}
	# Everyone else is proxied; the upstream sees its own host:port as Host.
	handle {
		reverse_proxy 192.168.100.6:11435 {
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
	}
}
# Reverse Proxy Domain: "430d7cc8-429b-4e63-90c2-d7fd0e73ab1e"
# LAN-only reverse proxy for the photos upstream.
photos.makkan.homes {
	# Per-site access log; rolled files are kept for 10 days.
	log {
		output file /var/log/caddy/access/430d7cc8-429b-4e63-90c2-d7fd0e73ab1e.log {
			roll_keep_for 10d
		}
	}
	# True for any client outside the three private IPv4 ranges (IPv6 clients
	# included, since no IPv6 prefix is listed).
	@08831d42-ad4c-40dc-a7d5-53af52ac6490_photosmakkanhomes {
		not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	}
	# Those clients get the connection aborted, with no HTTP response.
	handle @08831d42-ad4c-40dc-a7d5-53af52ac6490_photosmakkanhomes {
		abort
	}
	# Private-range clients are proxied; Host is rewritten to the upstream address.
	handle {
		reverse_proxy 192.168.100.20:2283 {
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
	}
}
# Reverse Proxy Domain: "efb0d2a8-fe52-40ca-a129-124706ab584a"
# LAN-only reverse proxy for the documents upstream.
documents.makkan.homes {
	# Per-site access log; rolled files are kept for 10 days.
	log {
		output file /var/log/caddy/access/efb0d2a8-fe52-40ca-a129-124706ab584a.log {
			roll_keep_for 10d
		}
	}
	# True for any client outside the three private IPv4 ranges (IPv6 clients
	# included, since no IPv6 prefix is listed).
	@08831d42-ad4c-40dc-a7d5-53af52ac6490_documentsmakkanhomes {
		not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	}
	# Those clients get the connection aborted, with no HTTP response.
	handle @08831d42-ad4c-40dc-a7d5-53af52ac6490_documentsmakkanhomes {
		abort
	}
	# Private-range clients are proxied; Host is rewritten to the upstream address.
	handle {
		reverse_proxy 192.168.100.23:10512 {
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
	}
}
# Reverse Proxy Domain: "ccb7bdd0-7c05-4580-a1f3-099295530181"
# LAN-only reverse proxy for the movies upstream.
movies.makkan.homes {
	# Per-site access log; rolled files are kept for 10 days.
	log {
		output file /var/log/caddy/access/ccb7bdd0-7c05-4580-a1f3-099295530181.log {
			roll_keep_for 10d
		}
	}
	# True for any client outside the three private IPv4 ranges (IPv6 clients
	# included, since no IPv6 prefix is listed).
	@08831d42-ad4c-40dc-a7d5-53af52ac6490_moviesmakkanhomes {
		not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	}
	# Those clients get the connection aborted, with no HTTP response.
	handle @08831d42-ad4c-40dc-a7d5-53af52ac6490_moviesmakkanhomes {
		abort
	}
	# Private-range clients are proxied; Host is rewritten to the upstream address.
	handle {
		reverse_proxy 192.168.100.19:8096 {
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
	}
}
# UUID generated: 5627b022-7eff-473c-8e0a-5216ee67add2
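# Public site: CrowdSec filtering, then /api/ to the backend node and everything
# else to the React app, with hardening headers added to the React responses.
https://liveliteandwell.com {
	# Per-site access log; rolled files are kept for 10 days.
	log {
		output file /var/log/caddy/access/5627b022-7eff-473c-8e0a-5216ee67add2.log {
			roll_keep_for 10d
		}
	}
	# rate_limit {
	# zone dynamic_remote_ip_medium {
	# key {http.request.remote_ip}
	# events 50
	# window 2s
	# }
	# }
	encode gzip zstd
	# GET/POST requests under /api/.
	@cel_backend_node <<CEL
	({method} == "GET" || {method} == "POST")
	&& {path}.startsWith("/api/")
	CEL
	# GET/POST requests for everything else.
	@cel_react <<CEL
	({method} == "GET" || {method} == "POST")
	&& ! {path}.startsWith("/api/")
	CEL
	# route keeps the directives below in the order written.
	route {
		# crowdsec based filtering
		crowdsec
		# WORKS: Backend node using non-HTTPS localhost
		# NOTE(review): no header_down lines here, so /api/ responses are passed
		# through without the security headers (including HSTS) set further down.
		reverse_proxy @cel_backend_node rp-tailscale.esco.ghaar:9000
		# REACT APP
		# Strip the Server response header.
		header -server
		reverse_proxy @cel_react rp-tailscale.esco.ghaar:3000 {
			header_up Host {http.reverse_proxy.upstream.hostport}
			#Cross-Origin-Embedder-Policy: require-corp
			header_down +Content-Security-Policy "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data: https:;object-src 'none';script-src 'self' https://liveliteandwell.com;script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			header_down +Cross-Origin-Opener-Policy "same-origin"
			header_down +Cross-Origin-Resource-Policy "same-origin"
			header_down +X-DNS-Prefetch-Control "off"
			header_down +X-Frame-Options "SAMEORIGIN"
			header_down +Strict-Transport-Security "max-age=15552000; includeSubDomains"
			header_down +X-Download-Options "noopen"
			header_down +X-Content-Type-Options "nosniff"
			# Fixed: ambient-light-sensor had no allowlist. Every other feature in
			# this header is disabled with "=()", and a bare feature name is not a
			# valid allowlist, so the directive did not disable the sensor.
			header_down +Permissions-Policy "accelerometer=(), ambient-light-sensor=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), geolocation=(), usb=()"
			#Origin-Agent-Cluster: ?1
			header_down +X-Permitted-Cross-Domain-Policies "none"
			header_down +Referrer-Policy "no-referrer"
			header_down +X-XSS-Protection "0"
		}
		# Reached only when neither matcher applied (for example a method other
		# than GET or POST).
		respond 404
	}
	# Error responses carry only the status code and status text.
	handle_errors {
		respond "{err.status_code} {err.status_text}"
	}
}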
# Snippet: drop every client that is not in a private IPv4 range.
# Imported by maru.makkan.homes and *.maru.makkan.homes below.
(no_external_access) {
	# Only IPv4 prefixes are listed, so clients connecting over IPv6 count as
	# external. No trusted_proxies is set in the global options of this file, so
	# client_ip is the TCP peer address; if trusted_proxies is added later, this
	# check will rely on forwarded headers from those proxies.
	@fuck_off_world {
		not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	}
	#respond @fuck_off_world 403
	# abort closes the connection without a response; the 403 variant above is disabled.
	handle @fuck_off_world {
		abort
	}
}
# Snippet: access log shared by every site that imports it. Both
# maru.makkan.homes and *.maru.makkan.homes import it, so their requests land
# in the same maru.log file. With log_credentials set in the global options,
# this file also receives unredacted cookies and auth headers.
(log_file) {
	log {
		output file /var/log/caddy/access/maru.log {
			# Rolled files are kept for 10 days.
			roll_keep_for 10d
		}
	}
}
# LAN-only site for the apex name; it has no tls block, so it uses the
# default automatic issuance with the globally configured (staging) CA.
maru.makkan.homes {
	import log_file
	import no_external_access
	# The site address already restricts this block to maru.makkan.homes, so
	# this host matcher matches every request that reaches it.
	@gitea host maru.makkan.homes
	handle @gitea {
		#respond "Gitea!"
		# Upstream is reached over plain HTTP.
		reverse_proxy http://docker-central.esco.ghaar:8080
	}
}
# testing wildcard sub-domains. The plan is to eventually move all subdomains of
# makkan.homes under here.
# Wildcard site: certificate obtained with the DNS-01 challenge through Porkbun.
*.maru.makkan.homes {
	import log_file
	import no_external_access
	tls {
		# API credentials come from the environment at runtime instead of being
		# written into this file. They allow DNS records to be changed, so the
		# environment source should be readable only by the Caddy service.
		dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
		}
		# Wait 30s after the TXT record is created before propagation checks start.
		propagation_delay 30s
		# NOTE(review): resolver list is taken from an environment variable whose
		# value is not shown; confirm it is set for the service started by
		# configctl and that it holds resolver addresses Caddy can query.
		resolvers {env.CADDY_RESOLVERS_DNS_TLS}
	}
	# Only adguard.maru.makkan.homes is routed to a backend (plain HTTP upstream).
	@adguard host adguard.maru.makkan.homes
	handle @adguard {
		#respond "AdGuard!"
		reverse_proxy http://adguard.esco.ghaar:8080
	}
	# Any other name under the wildcard is aborted. That includes
	# test.maru.makkan.homes, the name in the posted log: even with a valid
	# certificate, requests for it would be dropped here.
	handle {
		abort
	}
}