The Problem

Hosting multiple applications on subdomains requires a strategy for SSL certificates. The specific example involves deploying Ghost blogging software to blog.geoffcorey.com while redirecting the root domain to this subdomain. The setup uses wildcard Let’s Encrypt certificates to avoid generating separate certificates for each subdomain.

Cloudflare API Token

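The domain's DNS must be managed by Cloudflare. Let’s Encrypt issues wildcard certificates only through the DNS challenge, and the CaddyBuilds/caddy-cloudflare Docker image provides the DNS challenge support Caddy needs, authenticating to Cloudflare with the API token.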

Setup: Docker Compose & Caddy Configuration

docker-compose.yml

The configuration includes three services:

  • Caddy (ghcr.io/caddybuilds/caddy-cloudflare:latest) - reverse proxy with DNS challenge support
  • Ghost (ghost:latest) - blogging platform
  • MariaDB - database backend

All services use environment variables from .env and connect via internal Docker networks.

.env File

Contains sensitive configuration:

  • Cloudflare API token
  • Ghost database credentials
  • Database host and root password

Caddyfile

Defines routing rules:

  • Root domain redirects to subdomain
  • Wildcard certificate covers all *.geoffcorey.com domains
  • Ghost reverse proxy handles requests to blog.geoffcorey.com:2368
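A sketch of a Caddyfile implementing the three rules above. This is an added example, not the configuration from the original post. The environment variable name CLOUDFLARE_API_TOKEN, the snippet name cloudflare_dns and the upstream host name ghost (the compose service) are assumptions.

```caddyfile
# Added example, not the author's file.
# Assumed names: CLOUDFLARE_API_TOKEN (set in .env), ghost (compose service).

# Reusable snippet: solve the ACME DNS challenge through Cloudflare.
# The token is read from the environment so it never appears in this file;
# a token limited to DNS edits on this one zone is enough for the challenge.
(cloudflare_dns) {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

# Root domain: permanent redirect to the blog, keeping path and query.
geoffcorey.com {
    import cloudflare_dns
    redir https://blog.geoffcorey.com{uri} permanent
}

# One wildcard certificate for every subdomain; route by Host header.
*.geoffcorey.com {
    import cloudflare_dns

    @blog host blog.geoffcorey.com
    handle @blog {
        reverse_proxy ghost:2368
    }

    # Any subdomain without its own handle block is dropped instead of
    # being served by whichever application happens to match first.
    handle {
        abort
    }
}
```

Each further application gets its own host matcher and handle block inside the wildcard site, placed before the final catch-all.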

Results

Users access https://geoffcorey.com and are automatically redirected to https://blog.geoffcorey.com. Additional applications (Immich, Jellyfin) can be added with new subdomain entries in the wildcard configuration.