Add wildcard domain support with DNS-01 ACME challenge flow

Support wildcard domains (*.domain.tld) in HAProxy config generation with exact-match ACLs prioritized over wildcard ACLs. Add DNS-01 challenge endpoints that coordinate with certbot via auth/cleanup hook scripts for wildcard SSL certificate issuance. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 13:04:32 -08:00
parent 6cd64295d2
commit 91c92dd07e
6 changed files with 272 additions and 25 deletions
--- a/templates/hap_backend.tpl
+++ b/templates/hap_backend.tpl
@@ -7,7 +7,8 @@ backend {{ name }}-backend
    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    http-request set-header X-Forwarded-For %[var(txn.real_ip)]
-    {% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    {% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
@@ -31,7 +32,8 @@ backend {{ name }}-sse-backend
    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    http-request set-header X-Forwarded-For %[var(txn.real_ip)]
-    {% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    {% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
--- a/templates/hap_wildcard_acl.tpl
+++ b/templates/hap_wildcard_acl.tpl
@@ -0,0 +1,4 @@
+
+    #Wildcard method {{ domain }}
+    acl {{ name }}-acl hdr_end(host) -i .{{ base_domain }}
+    use_backend {{ name }}-backend if {{ name }}-acl