Rejecting multi-level subdomains?

1. Caddy version (caddy version):

2.2.1

2. How I run Caddy:

a. System environment:

Ubuntu 20

b. Command:

systemctl

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

*.mydomain.com:443 {
    reverse_proxy 127.0.0.1:4567 {
      header_up Host {http.reverse_proxy.upstream.hostport}
      header_up X-Real-IP {http.reverse_proxy.upstream.address}
      header_up X-Forwarded-Port {http.request.port}
      header_up X-Forwarded-Host {http.request.host}
    }

    tls me@mydomain.com {
      on_demand
    }

    log {
      output file /var/log/caddy/access.log
    }
}

3. The problem I’m having:

Caddy is working and reverse proxying the way I want it. However, I am seeing bots hit my server making requests for multi-level subdomains such as blog.store.something.mydomain.com. This is causing Caddy to provision certificates each time one of these requests hits my server, and I’m starting to hit LetsEncrypt rate limits :frowning:

Is it possible to somehow configure Caddy to reject anything other than single subdomains (i.e. blog.mydomain.com) or the root domain so that all these requests hit my wildcard cert?

Thanks.

This is explained in the docs:

You must configure an ask endpoint to avoid abuse.

At the top of your Caddyfile, add:

{
	on_demand_tls {
		ask <endpoint>
	}
}
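One way to build the `ask` endpoint that the global option above points at, written here as an added example rather than code from this thread or from the Caddy project: Caddy calls the endpoint with `GET <endpoint>?domain=<name>` before requesting a certificate and only proceeds on a 2xx response, so returning 403 for anything deeper than one label below the zone means names like blog.store.something.mydomain.com never reach Let's Encrypt and never consume rate limit. The zone `mydomain.com` is taken from the question; the listen address `127.0.0.1:9123` and the path `/ask` are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// baseDomain is the zone served by the wildcard site block in the Caddyfile
// (taken from the question; change it to your own zone).
const baseDomain = "mydomain.com"

// allowedDomain reports whether Caddy should be permitted to obtain a
// certificate for name: only the apex (mydomain.com) or exactly one valid
// DNS label beneath it (blog.mydomain.com). Deeper names are refused.
func allowedDomain(name string) bool {
	host := strings.ToLower(strings.TrimSuffix(name, "."))
	if host == baseDomain {
		return true
	}
	if !strings.HasSuffix(host, "."+baseDomain) {
		return false
	}
	label := strings.TrimSuffix(host, "."+baseDomain)
	if label == "" || strings.Contains(label, ".") || len(label) > 63 {
		return false
	}
	// A single LDH label: letters, digits, hyphens; no leading or trailing hyphen.
	for i, r := range label {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9':
		case r == '-' && i != 0 && i != len(label)-1:
		default:
			return false
		}
	}
	return true
}

// askHandler implements the contract of Caddy's on_demand_tls `ask` option:
// a 2xx status permits issuance, anything else refuses it. Refusals are
// logged so abusive hostnames show up in the endpoint's own log.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if allowedDomain(domain) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "ok")
		return
	}
	log.Printf("refused certificate request for %q", domain)
	http.Error(w, "domain not permitted", http.StatusForbidden)
}

// askStatus returns the status code askHandler would send for domain,
// exercising the handler in-process without binding a socket.
func askStatus(domain string) int {
	req := httptest.NewRequest(http.MethodGet, "/ask?domain="+url.QueryEscape(domain), nil)
	rec := httptest.NewRecorder()
	askHandler(rec, req)
	return rec.Code
}

func main() {
	// Listen address is an assumption for this example; keep it loopback-only,
	// since the endpoint should be reachable by Caddy and nothing else.
	http.HandleFunc("/ask", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", nil))
}
```

With this running, the global block becomes `on_demand_tls { ask http://127.0.0.1:9123/ask }`. The endpoint is in the critical path of every TLS handshake for a not-yet-issued name, so it should stay this cheap and never call out to anything slow.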

Thank you :pray:

