1. The problem I’m having:
Hello everyone,
I am trying to match certain names to several internal domains. For example:
- test.domain1.lan, test.domain2.lan, test.domain3.lan, test.domain4.lan, … → goto reverseproxy1
- foo.domain1.lan, foo.domain2.lan, foo.domain3.lan, foo.domain4.lan, … → goto reverseproxy2
- bar.domain1.lan, bar.domain2.lan, bar.domain3.lan, bar.domain4.lan, … → goto reverseproxy3
I tried a wildcard matcher like this in the Caddyfile, but unfortunately it does not work:
test.* {
	tls internal
	reverse_proxy http://censored:1234
}
foo.* {
	tls internal
	reverse_proxy http://censored:1235
}
bar.* {
	tls internal
	reverse_proxy http://censored:1236
}
2. Error messages and/or full log output:
Logs say there is no certificate …
{"level":"debug","ts":1707185587.665784,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0017cedd-6ebd-45dd-becc-cb4ca8220a82","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"test.server.domain1.lan","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"192.168.1.101","Port":63019,"Zone":""},"LocalAddr":{"IP":"172.17.0.22","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707185587.6659157,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"test.server.domain1.lan"}
{"level":"debug","ts":1707185587.6659262,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.server.domain1.lan"}
{"level":"debug","ts":1707185587.6659327,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.domain1.lan"}
{"level":"debug","ts":1707185587.6659381,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.lan"}
{"level":"debug","ts":1707185587.6659439,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
{"level":"debug","ts":1707185587.6659596,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.1.101","remote_port":"63019","server_name":"test.server.domain1.lan","remote":"192.168.1.101:63019","identifier":"test.server.domain1.lan","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1707185587.6661525,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.1.101:63019: no certificate available for 'test.server.domain1.lan'"}
… but I used tls internal
… and it does work when I use the full qualifier in the Caddyfile, like so:
test1.server.domain1.lan {
	tls internal
	reverse_proxy http://censored:1234
}
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
Linux SERVER 6.1.38-Unraid
b. Command:
I run Caddy as a Docker container. Repository: caddy:alpine
c. Service/unit/compose file:
//
d. My complete Caddy config:
// see above
5. Something else?
I know I could do something like this …
test1.server.domain1.lan, test1.server.domain2.lan, test1.server.domain3.lan, test1.server.domain4.lan, test1.server.domain5.lan {
	tls internal
	reverse_proxy http://censored:1234
}
foo.server.domain1.lan, foo.server.domain2.lan, foo.server.domain3.lan, foo.server.domain4.lan, foo.server.domain5.lan {
	tls internal
	reverse_proxy http://censored:1235
}
bar.server.domain1.lan, bar.server.domain2.lan, bar.server.domain3.lan, bar.server.domain4.lan, bar.server.domain5.lan {
	tls internal
	reverse_proxy http://censored:1236
}
… but this gets cumbersome. There has to be a more generic way of doing that, right? I want to match several “subnames” to several “domains”, but every “subname” is resolving to the same reverse proxy. I hope it is clear what I mean.
Hope someone can help. Best regards.
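The debug log in the post shows the order in which the handshake looks for a certificate: the exact SNI first, then the same name with labels replaced by `*` from the left, one more label per step. The Python below is an added example (not from the post and not Caddy's own code) that models that candidate sequence and checks which site names from a Caddyfile could satisfy it; the configured names and the SNI are taken from the post, and the lookup is a model of what the log shows, not Caddy's implementation.

```python
"""Model of the certificate-name lookup order visible in the Caddy debug log."""
from typing import List, Optional

# Sample input taken from the log in the post (constructed test fixture).
SNI = "test.server.domain1.lan"


def candidate_names(server_name: str) -> List[str]:
    """Identifiers tried for an SNI, in the order the log shows.

    Exact name first, then the name with the leftmost label replaced by '*',
    then the two leftmost labels, and so on until every label is a wildcard.
    """
    labels = server_name.lower().split(".")
    candidates = [server_name.lower()]
    for i in range(1, len(labels) + 1):
        candidates.append(".".join(["*"] * i + labels[i:]))
    return candidates


def matching_certificate(server_name: str, configured: List[str]) -> Optional[str]:
    """First configured site name that equals one of the candidate identifiers.

    Returns None when no candidate matches, which is the situation the log
    reports as "no certificate available for '<name>'".
    """
    have = {name.lower() for name in configured}
    for cand in candidate_names(server_name):
        if cand in have:
            return cand
    return None


if __name__ == "__main__":
    # The candidates below are exactly the identifiers the log lists.
    print(candidate_names(SNI))
    # A 'test.*' site address is never a candidate, so no certificate is found;
    # a leftmost wildcard such as '*.server.domain1.lan' is.
    for cfg in (["test.*"], ["*.server.domain1.lan"], ["test.server.domain1.lan"]):
        print(cfg, "->", matching_certificate(SNI, cfg))
```

The point the model makes is that a pattern with the wildcard on the right (`test.*`) is never among the names the handshake tries, whereas a leftmost wildcard per domain is.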