The issue described involves managing wildcard DNS with a reverse proxy, where services are hosted behind it and each service gets its own subdomain. A wildcard DNS record lets any subdomain resolve to the reverse proxy; however, this setup leads to SSL errors when a client requests a hostname that the proxy has no configuration for. Specifically, if you try to access abcde.example.com and it is not configured within your proxy settings, the client reports a certificate error because the proxy has no certificate matching that name (or presents one for a different name). This problem affects both NPM (which responds with a 444 status code on unknown hosts) and Pangolin (where Traefik serves a self-signed certificate). The challenge lies in configuring the reverse proxy so that it serves no content for unconfigured hostnames, without listing every possible hostname explicitly in DNS, which is impractical. This scenario highlights the need for proper configuration of reverse proxies to handle wildcard subdomains securely and efficiently.
- Nginx Plus Manager (NPM)
- Pangolin with Traefik
- Configure NPM to respond with a custom error page (or with no response at all) for unknown hosts by modifying the catch-all configuration file located at /etc/nginx/conf.d/default.conf. Example command: `nano /etc/nginx/conf.d/default.conf`
- In Pangolin, adjust Traefik settings to avoid serving self-signed certificates for unconfigured hostnames. Edit the Traefik configuration file at /etc/traefik/traefik.yml and set the entry point to redirect or return a 404 status code instead of a certificate.
- Ensure both NPM and Pangolin are updated to their latest stable versions by running `sudo apt update && sudo apt upgrade` for Ubuntu systems, or use the appropriate package manager commands for other distributions.
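The following catch-all configuration is an added example for the NPM/nginx step above; it is not taken from NPM's own generated files (NPM exposes the same choice through its "Default Site" setting), and every certificate path, hostname and upstream address in it is a placeholder. The security point it demonstrates is that nginx, with no `default_server`, hands an unmatched Host/SNI name to the first `server` block it finds, so an unconfigured subdomain can end up presenting another service's certificate and reaching its backend. A dedicated `default_server` that either rejects the TLS handshake outright or completes it with the wildcard certificate and then returns 444 closes that gap:

```nginx
# Added example: catch-all vhosts so that requests for unconfigured names such as
# abcde.example.com never reach a real service. All paths/names are placeholders.

# Option A: refuse the TLS handshake for any name with no matching server_name.
# No certificate is sent, so nothing from another site leaks; the client sees a
# connection failure instead of a content or certificate from the wrong host.
# Requires nginx 1.19.4 or newer.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# Option B (use instead of A, not alongside it): complete the handshake with the
# wildcard certificate that already covers *.example.com, then drop the
# connection without a response (444). No browser warning, and no content served.
# server {
#     listen 443 ssl default_server;
#     listen [::]:443 ssl default_server;
#     server_name _;
#     ssl_certificate     /etc/ssl/private/wildcard.example.com.crt;  # placeholder
#     ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;  # placeholder
#     return 444;
# }

# Plain HTTP for unknown names: drop the connection as well.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# A real service keeps an explicit server_name; only an exact match reaches it.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;                                       # placeholder
    ssl_certificate     /etc/ssl/private/wildcard.example.com.crt;     # placeholder
    ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;     # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;                              # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading, check the behaviour from outside with `openssl s_client -servername abcde.example.com -connect <proxy>:443` (Option A should fail the handshake with an `unrecognized_name` alert; Option B should present the wildcard certificate and then close without any HTTP response), and repeat with a configured name to confirm that only explicit `server_name` matches are proxied.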
This issue impacts common homelab stacks using reverse proxies like Nginx with wildcard DNS. Specifically, `/etc/nginx/conf.d/default.conf` and `/etc/traefik/traefik.yml` are critical files that require adjustment to manage SSL errors for unknown subdomains.