Redirect non www to www with manual wildcard block

Help
1

1. Caddy version (caddy version):

2.4.3

2. How I run Caddy:

We use automatic https and on demand tls to create certificates for white label domains that have their dns pointed at our application. We use a purchased wildcard certificate to handle tls for our main application domain + subdomains. I would like to re-direct non-www traffic to our main domain to www. White Label domains and subdomains do not require non-www to www redirects.

a. System environment:

AWS amazon linux 2

b. Command:

caddy config reload --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
  email servers@flipcause.com
  on_demand_tls {
    ask http://internal-flipcause-Staging-LB-1266596132.us-east-1.elb.amazonaws.com/caddy-endpoint/index.php
    interval 2m
    burst    5
  }
}

https://staging-flipcause.com {
  tls /etc/staging-flipcause.com/ssl/staging-flipcause.com.pem /etc/staging-flipcause.com/ssl/staging-flipcause.com.key
  redir https://www.staging-flipcause.com{uri} 307
}

*.staging-flipcause.com {
    tls /etc/staging-flipcause.com/ssl/staging-flipcause.com.pem /etc/staging-flipcause.com/ssl/staging-flipcause.com.key

    log {
      output file    /var/log/caddy/access.log
    }

    reverse_proxy http://internal-flipcause-Staging-LB-1266596132.us-east-1.elb.amazonaws.com {
      header_up Host {http.reverse_proxy.upstream.hostport}
      header_up User-Custom-Domain {host}
      health_timeout 5s    
    }
}

*.flipca.us {
    tls /etc/whitelabel/flipca.us.pem /etc/whitelabel/flipca.us.key

    log {
      output file /var/log/caddy/access.log
    }

    reverse_proxy http://internal-flipcause-Staging-LB-1266596132.us-east-1.elb.amazonaws.com {
      header_up Host {http.reverse_proxy.upstream.hostport}
      header_up User-Custom-Domain {host}
      health_timeout 5s    
    }
}

:80 {
  respond /health 200
}

:443 {
  tls {
    on_demand
  }

  log {
    output file         /var/log/caddy/access.log
  }

  reverse_proxy http://internal-flipcause-Staging-LB-1266596132.us-east-1.elb.amazonaws.com {
    header_up Host {http.reverse_proxy.upstream.hostport}
    header_up User-Custom-Domain {host}
    health_timeout 5s
  }
}

3. The problem I’m having:

I am trying to correctly redirect requests to staging-flipcause.com to www.staging-flipcause.com in the context of an accompanying wildcard block.

4. Error messages and/or full log output:

I am seeing 307 redirects even when I directly hit www.staging-flipcause.com urls, which makes me think I may not have the syntax of my redirect correct in my Caddyfile.

5. What I already tried:

I think all my efforts are there in the Caddyfile. I also tried creating a

@foo host staging-flipcause.com
	handle @foo {
		redir www.staging-flipcause.com
	}

block nested in the *.staging-flipcause.com block, but received too many redirect errors.

6. Links to relevant resources:

If you visit https://www.staging-flipcause.com you will see that a 307 redirect is showing on some of the network calls which confuses me since I would think that www.staging-flipcause.com requests would hit the *.staging-flipcause.com block directly.

Thanks for any help!

2

If you don’t specify a scheme for the URL, then Caddy assumes you only want to redirect to a different path, so it ends up redirecting to https://staging-flipcause.com/www.staging-flipcause.com, which again tries to redirect, in a loop.

What you want is this:

@not-www host staging-flipcause.com
redir @not-www https://www.staging-flipcause.com{uri}

Use curl -v to check what headers Caddy is returning, when testing redirects. Look at what the Location header contains. You can use the -L flag to tell curl to follow redirects (i.e. L for the Location header)

1 Like
3

Thanks a lot for your answer! I am curious, is it expected that the wildcard block be catching the requests to https://staging-flipcause.com? When I add the block you specified to the wildcard block, redirects to www for https://staging-flipcause.com do not occur (but certificates are obtained for it) . When I create a separate block for https://staging-flipcause.com (commented out in the example below), everything is working as expected.

#https://staging-flipcause.com {
 # tls /etc/staging-flipcause.com/ssl/staging-flipcause.com.pem /etc/staging-flipcause.com/ssl/staging-flipcause.com.key
 # redir https://www.staging-flipcause.com{uri} 307
#}

*.staging-flipcause.com {
    tls /etc/staging-flipcause.com/ssl/staging-flipcause.com.pem /etc/staging-flipcause.com/ssl/staging-flipcause.com.key

    @not-www host staging-flipcause.com
    redir @not-www https://www.staging-flipcause.com{uri}

    log {
      output file    /var/log/caddy/access.log
    }

    reverse_proxy http://internal-flipcause-Staging-LB-1266596132.us-east-1.elb.amazonaws.com {
      header_up Host {http.reverse_proxy.upstream.hostport}
      header_up User-Custom-Domain {host}
      health_timeout 5s
    }
}
4

No. *.staging-flipcause.com doesn’t match staging-flipcause.com.

You can make your site block like this to match both:

*.staging-flipcause.com, staging-flipcause.com {
	...
}

Or just make a site block like this to do the redirect:

staging-flipcause.com, http://staging-flipcause.com {
	redir https://www.staging-flipcause.com{uri}
}

Adding http://staging-flipcause.com to the site block avoids the extra roundtrip from doing a redirect from http://staging-flipcause.com to https://staging-flipcause.com, then to https://www.staging-flipcause.com, instead doing it in one step rather than two.

If you’re using your own certificate, make sure the subject in the certificate has both staging-flipcause.com and *.staging-flipcause.com… or just let Caddy issue a certificate from Let’s Encrypt or ZeroSSL automatically if your certificate doesn’t have that subject name in it.

2 Likes
5

This topic was automatically closed after 30 days. New replies are no longer allowed.