Rejecting multi-level subdomains?

Help
1

1. Caddy version (caddy version):

2.2.1

2. How I run Caddy:

a. System environment:

Ubuntu 20

b. Command:

systemctl

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

*.mydomain.com:443 {
    reverse_proxy 127.0.0.1:4567 {
      header_up Host {http.reverse_proxy.upstream.hostport}
      header_up X-Real-IP {http.reverse-proxy.upstream.address}
      header_up X-Forwarded-Port {http.request.port}
      header_up X-Forwarded-Host {http.request.host}
    }

    tls me@mydomain.com {
      on_demand
    }

    log {
      output file /var/log/caddy/access.log
    }
}

3. The problem I’m having:

Caddy is working and reverse proxying the way I want it. However, I am seeing bots hit my server making requests for multi-level subdomains such as blog.store.something.mydomain.com. This is causing Caddy to provision certificates each time one of these requests hits my server, and I’m starting to hit LetsEncrypt rate limits :frowning:

Is it possible to somehow configure Caddy to reject anything other than single subdomains (i.e. blog.mydomain.com) or the root domain so that all these requests hit my wildcard cert?

Thanks.

2

This is explained in the docs:

You must configure an ask endpoint to avoid abuse.

At the top of your Caddyfile, add:

{
	on_demand_tls {
		ask <endpoint>
	}
}
3

Thank you :pray: