`auto_https prefer_wildcard` does not work for alternate ports
The following setup would, on the surface, appear to never expose the concrete subdomains, always using a wildcard domain:
```caddyfile
{
	auto_https prefer_wildcard
}

*.foo.bar {
	respond "Hello"
}

hey.foo.bar {
	respond "Hey"
}

hey.foo.bar:3000 {
	respond "Hey on different port"
}
```
But since the server listening on 3000 is a different server, it doesn't have a `*.foo.bar` entry by default, resulting in `hey.foo.bar` being exposed in the cert ledger.
I hit a similar issue originally when testing `prefer_wildcard` with a simple

```caddyfile
{
	auto_https prefer_wildcard
}

hey.foo.bar {
	respond "Hey"
}
```

since I had not defined a wildcard cert block explicitly; I assumed that was implicitly taken care of by `prefer_wildcard`.
Please add a flag or somehow let us ensure/force wildcard certs are always used, so that we're not shooting ourselves in the foot 😄
Relates to #6875
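For reference, here is the problematic layout from the report next to a corrected version in which each listener (each distinct port) gets its own wildcard site block, so that `prefer_wildcard` has a wildcard to prefer on port 3000 as well. This is an added example written for this page, not configuration from the Caddy project or from the issue author; the hostnames, ports and responses are placeholders, and the `tls { dns ... }` provider is left unspecified because issuing a wildcard certificate requires an ACME DNS challenge with a provider plugin that the page does not name.

```caddyfile
# BEFORE (as reported): only the default :443 server has a wildcard block.
# The :3000 server is a separate server, so hey.foo.bar:3000 gets its own
# certificate and the concrete hostname ends up in the CT logs.
#
# {
# 	auto_https prefer_wildcard
# }
# *.foo.bar {
# 	respond "Hello"
# }
# hey.foo.bar {
# 	respond "Hey"
# }
# hey.foo.bar:3000 {
# 	respond "Hey on different port"
# }

# AFTER: every server that should hide its concrete subdomains carries
# its own *.foo.bar wildcard block on the same port.
{
	auto_https prefer_wildcard
}

# Wildcard for the default HTTPS server (:443).
*.foo.bar {
	# Assumption: a DNS provider plugin is installed; wildcard certs
	# can only be obtained via the ACME DNS challenge.
	tls {
		dns <provider> <credentials>
	}
	respond "Hello"
}

hey.foo.bar {
	respond "Hey"
}

# Wildcard for the :3000 server. Without this block the :3000 server has
# no wildcard to prefer and hey.foo.bar:3000 is issued a per-host cert.
*.foo.bar:3000 {
	tls {
		dns <provider> <credentials>
	}
	respond "Hello on port 3000"
}

hey.foo.bar:3000 {
	respond "Hey on different port"
}
```

To check which names Caddy will actually request certificates for, adapt the Caddyfile to JSON (`caddy adapt --config Caddyfile --pretty`) and inspect the `tls.automation.policies` subjects and each server's routes: with the corrected layout, only `*.foo.bar` should appear as an automation subject for both servers.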
I really think prefer_wildcard should be the default behavior and should span the entire app config.
@francislavoie I know you are concerned about breaking changes -- I appreciate the caution regarding that -- but I think we have a bigger, more annoying footgun right now. If I understand our previous conversations correctly, the main concern is that it would be surprising how Caddy changes the way it manages certificates. (More so than making prefer_wildcard the default.) Caddy would manage fewer certificates for people affected by this. I think prefer_wildcard was a step in the right direction -- and upon reflection I feel like my hesitations with it were its complexity due to it not being the global default.
We should and will still have a way to override the wildcard dominance, but I think a lot will be simpler/easier/less surprising with it being the default.
I can work on this, if that's alright?