Rejecting multi-level subdomains?

1. Caddy version (caddy version):


2. How I run Caddy:

a. System environment:

Ubuntu 20

b. Command:


c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

* {
    reverse_proxy {
      header_up Host {http.reverse_proxy.upstream.hostport}
      header_up X-Real-IP {http.reverse-proxy.upstream.address}
      header_up X-Forwarded-Port {http.request.port}
      header_up X-Forwarded-Host {}

    tls {

    log {
      output file /var/log/caddy/access.log

3. The problem I’m having:

Caddy is working and reverse proxying the way I want it. However, I am seeing bots hit my server making requests for multi-level subdomains such as This is causing Caddy to provision certificates each time one of these requests hits my server, and I’m starting to hit LetsEncrypt rate limits :frowning:

Is it possible to somehow configure Caddy to reject anything other than single subdomains (i.e. or the root domain so that all these requests hit my wildcard cert?


This is explained in the docs:

You must configure an ask endpoint to avoid abuse.

At the top of your Caddyfile, add:

	on_demand_tls {
		ask <endpoint>

Thank you :pray:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.