WildCard Domain & SSL Support


I am providing domain hosting support for my SAAS (Software as a service) app, where I am allowing anyone to point their domain to my server with support of CNAME like -

Someone has sub-domain in our SAAS = “abc.example.com”, then they can point their domain “elephant.com” via creating CNAME record and pointing to “abc.example.com

It works fine without using CADDY, but since, I am using CADDY as a reverse proxy for my app. I am looking for a solution to be able to host and point domain like mentioned above.

My app is something like “shopify, teachable, w3clan”, where a user can use their own domain for their site.

Any help would be appreciated!


Hi @rebootcode,

You can configure Caddy to provide Automatic HTTPS on a domain-by-domain basis with On-Demand TLS.

I have already done that, but that is for sub-domain.

I am looking for fullly qualified wild card domain something like –

* {
proxy / localhost:4000

Where “*” represents any domain pointed to my server including my IP address.

If I open my IP - http(s):// I want it to render default site I am running “example.com

This way, if any one uses my IP in their DNS, they can host their own DOMAIN on my SAAS.

Just like how shopify, teachable, w3clan like site works.

If SSL is not supported for wild card fully qualified domain name, how can I disable https for external URL. How can I disable SSL for wild card domain?

Whenever, I create CNAME for extenal domain and point it to my server, I get error as -

404 Site AnotherDomain.com is not served on this interface

On-Demand TLS is not only for subdomains. It works for any domain. For example:

http://, https:// {
  redir {
    if {scheme} is HTTP
    / https://{host}{uri}
  proxy / http://backend {
  tls {
    max_certs 10

The above Caddyfile will handle any request for any site not handled by a more specific site definition in your Caddyfile (kind of like a default or catch-all vhost). It will (as long as the DNS correctly points to your Caddy) requisition a certificate from LetsEncrypt for the requested domain mid-connection and use the new certificate to satisfy the TLS requirements. Any request handled this way will be proxied to your backend, and any insecure requests will be upgraded to HTTPS, just like regular Automatic HTTPS.

“Wildcard” in the context of TLS is universally understood to refer to a wildcard certificate, which should only ever be valid at a subdomain level. No public issuer would ever sign a wildcard for *, so you have to retrieve domain-validated certificates on a request-by-request basis - hence, On-Demand TLS. is operated by Cloudflare nowadays.

Also - LetsEncrypt does not issue certificates for IP addresses, only for publicly accessible domain names. Even through a traditional SSL issuer, you will likely find it difficult to arrange a HTTPS certificate for an IP address - they’re not very common at all.

SSL is supported in the manner you outline, but if you do want to disable SSL for your catch-all site definition, just use a catch-all site label that doesn’t include HTTPS.

http:// {
  proxy / http://backend

This will happen when Caddy has not been configured with the catch-all site label properly. If my above examples aren’t enough to get you up and running, feel free to post your Caddyfile and we can try to find out why this is the case.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.