vite-plugin-caddy-multiple-tls 1.5.1 → 1.6.1

package/README.md

@@ -92,6 +92,26 @@ export default config;
 
 You can override auto-detection with `repo` or `branch` if needed.
 
+If you run different projects that derive the same `<repo>.<branch>` host, add `instanceLabel` to keep domains unique:
+
+```js
+// vite.config.js
+import { defineConfig } from 'vite';
+import caddyTls from 'vite-plugin-caddy-multiple-tls';
+
+const config = defineConfig({
+  plugins: [
+    caddyTls({
+      instanceLabel: 'web-1',
+    })
+  ]
+});
+
+export default config;
+```
+
+This derives a host like `<repo>.<branch>.web-1.localhost`.
+
 For a zero-config experience, use `baseDomain: 'localhost'` (the default) so the derived domain works without editing `/etc/hosts`.
 
 `internalTls` defaults to `true` when you pass `baseDomain` or `domain`. You can override it if needed.
@@ -116,6 +136,40 @@ const config = defineConfig({
 export default config;
 ```
 
+If your Caddy Admin API enforces a specific allowed origin that differs from `caddyApiUrl`, set `caddyAdminOrigin`.
+
+```js
+// vite.config.js
+import { defineConfig } from 'vite';
+import caddyTls from 'vite-plugin-caddy-multiple-tls';
+
+const config = defineConfig({
+  plugins: [
+    caddyTls({
+      caddyApiUrl: 'http://127.0.0.1:2019',
+      caddyAdminOrigin: 'http://localhost:2019',
+    })
+  ]
+});
+
+export default config;
+```
+
+## Troubleshooting
+
+### `client is not allowed to access from origin ''`
+
+This error comes from Caddy Admin API origin enforcement, not from Caddy being down.
+
+- Check `caddyApiUrl` points to the correct Admin API endpoint.
+- If Admin API expects a different origin than the API URL host, set `caddyAdminOrigin`.
+- Verify behavior directly:
+
+```bash
+curl -i http://127.0.0.1:2019/config/
+curl -i -H 'Origin: http://127.0.0.1:2019' http://127.0.0.1:2019/config/
+```
+
 > [!IMPORTANT]  
 > **Hosts file limitation:** If you use a custom domain, you must **manually** add each generated subdomain to your `/etc/hosts` file (e.g., `127.0.0.1 repo.branch.local.example.test`). System hosts files **do not support wildcards** (e.g., `*.local.example.test`), so you lose the benefit of automatic domain resolution that `localhost` provides.
 

package/dist/index.d.ts

@@ -11,11 +11,15 @@ interface ViteCaddyTlsPluginOptions {
     repo?: string;
     /** Override branch name used in derived domains */
     branch?: string;
+    /** Extra unique label appended after branch in derived domains */
+    instanceLabel?: string;
     cors?: string;
     /** Override the default Caddy server name (srv0) */
     serverName?: string;
     /** Override the Caddy Admin API base URL (default: http://localhost:2019) */
     caddyApiUrl?: string;
+    /** Override the Origin header used for Caddy Admin API requests (defaults to caddyApiUrl origin) */
+    caddyAdminOrigin?: string;
     /** Use Caddy's internal CA for the provided domains (defaults to true when baseDomain or domain is set) */
     internalTls?: boolean;
     /**
@@ -37,6 +41,6 @@ type LoopbackDomain = 'localtest.me' | 'lvh.me' | 'nip.io';
  * ```
  * @returns {Plugin} - a Vite plugin
  */
-declare function viteCaddyTlsPlugin({ domain, baseDomain, loopbackDomain, repo, branch, cors, serverName, caddyApiUrl, internalTls, upstreamHostHeader, }?: ViteCaddyTlsPluginOptions): PluginOption;
+declare function viteCaddyTlsPlugin({ domain, baseDomain, loopbackDomain, repo, branch, instanceLabel, cors, serverName, caddyApiUrl, caddyAdminOrigin, internalTls, upstreamHostHeader, }?: ViteCaddyTlsPluginOptions): PluginOption;
 
 export { type ViteCaddyTlsPluginOptions, viteCaddyTlsPlugin as default };

package/dist/index.js

@@ -1,18 +1,28 @@
 // src/index.ts
 import { execSync as execSync2 } from "child_process";
-import path from "path";
+import { createHash as createHash2 } from "crypto";
+import path2 from "path";
 
 // src/utils.ts
 import { execSync } from "child_process";
+import { createHash } from "crypto";
+import { open, unlink } from "fs/promises";
+import os from "os";
+import path from "path";
 var DEFAULT_SERVER_NAME = "srv0";
 var DEFAULT_CADDY_API_URL = "http://localhost:2019";
-var caddyApiUrl = DEFAULT_CADDY_API_URL;
-function setCaddyApiUrl(url) {
-  caddyApiUrl = url;
-}
-function getCaddyApiUrl() {
-  return caddyApiUrl;
-}
+var CADDY_ADMIN_ORIGIN_POLICY_ERROR_MESSAGE = "Caddy Admin API rejected request due to origin policy. Check caddyApiUrl and admin origin settings.";
+var CONNECTIVITY_ERROR_CODES = /* @__PURE__ */ new Set([
+  "ECONNREFUSED",
+  "ECONNRESET",
+  "EHOSTUNREACH",
+  "ENETUNREACH",
+  "ENOTFOUND",
+  "ETIMEDOUT",
+  "UND_ERR_CONNECT_TIMEOUT",
+  "UND_ERR_HEADERS_TIMEOUT",
+  "UND_ERR_SOCKET"
+]);
 function isRecord(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -27,6 +37,126 @@ function parseConfig(text) {
 function isTlsPolicyOverlapError(text) {
   return text.includes("cannot apply more than one automation policy to host");
 }
+function getApiUrl(apiUrl) {
+  return apiUrl ?? DEFAULT_CADDY_API_URL;
+}
+function toError(error) {
+  if (error instanceof Error) return error;
+  return new Error(String(error));
+}
+function isOriginPolicyError(status, text) {
+  if (status !== 403) return false;
+  const normalizedText = text.toLowerCase();
+  return normalizedText.includes("origin") && normalizedText.includes("not allowed");
+}
+function buildCaddyRequestError(message, status, text) {
+  if (isOriginPolicyError(status, text)) {
+    return new Error(CADDY_ADMIN_ORIGIN_POLICY_ERROR_MESSAGE);
+  }
+  const normalizedText = text.trim();
+  if (!normalizedText) {
+    return new Error(`${message}: HTTP ${status}`);
+  }
+  return new Error(`${message}: ${normalizedText}`);
+}
+function getErrorCode(error) {
+  if (!error || typeof error !== "object") return void 0;
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  if ("cause" in error) {
+    const cause = error.cause;
+    if (cause && typeof cause === "object") {
+      if ("code" in cause && typeof cause.code === "string") {
+        return cause.code;
+      }
+    }
+  }
+  return void 0;
+}
+function isConnectivityError(error) {
+  const code = getErrorCode(error);
+  return Boolean(code) && CONNECTIVITY_ERROR_CODES.has(code);
+}
+function getAdminOrigin(apiUrl, adminOrigin) {
+  const originSource = adminOrigin ?? getApiUrl(apiUrl);
+  try {
+    return new URL(originSource).origin;
+  } catch (e) {
+    return new URL(getApiUrl(apiUrl)).origin;
+  }
+}
+async function caddyFetch(input, init, apiUrl, adminOrigin) {
+  const headers = new Headers(init?.headers);
+  headers.set("Origin", getAdminOrigin(apiUrl, adminOrigin));
+  return fetch(input, {
+    ...init,
+    headers
+  });
+}
+async function checkCaddyAdminStatus(apiUrl, adminOrigin) {
+  try {
+    const res = await caddyFetch(`${getApiUrl(apiUrl)}/config/`, void 0, apiUrl, adminOrigin);
+    if (res.ok) {
+      return { status: "running" };
+    }
+    const text = await res.text();
+    return {
+      status: "api-error",
+      error: buildCaddyRequestError("Failed to read Caddy config", res.status, text)
+    };
+  } catch (e) {
+    const error = toError(e);
+    if (isConnectivityError(error)) {
+      return {
+        status: "connectivity-error",
+        error
+      };
+    }
+    return {
+      status: "api-error",
+      error
+    };
+  }
+}
+async function assertCaddyResponse(res, message) {
+  if (res.ok) return;
+  const text = await res.text();
+  throw buildCaddyRequestError(message, res.status, text);
+}
+function getLockPath(apiUrl) {
+  const key = createHash("sha1").update(getApiUrl(apiUrl)).digest("hex").slice(0, 12);
+  return path.join(os.tmpdir(), `vite-plugin-caddy-multiple-tls-${key}.lock`);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function withApiLock(apiUrl, fn) {
+  const lockPath = getLockPath(apiUrl);
+  const startedAt = Date.now();
+  const timeoutMs = 5e3;
+  while (true) {
+    try {
+      const handle = await open(lockPath, "wx");
+      try {
+        await fn();
+      } finally {
+        await handle.close();
+        await unlink(lockPath).catch(() => void 0);
+      }
+      return;
+    } catch (e) {
+      if (e.code !== "EEXIST") {
+        throw e;
+      }
+      if (Date.now() - startedAt >= timeoutMs) {
+        await fn();
+        return;
+      }
+      await sleep(50);
+    }
+  }
+}
 function validateCaddyIsInstalled() {
   try {
     execSync("caddy version");
@@ -36,31 +166,36 @@ function validateCaddyIsInstalled() {
     return false;
   }
 }
-async function isCaddyRunning() {
+async function startCaddy(apiUrl, adminOrigin) {
   try {
-    const res = await fetch(`${caddyApiUrl}/config/`);
-    return res.ok;
+    execSync("caddy start", { stdio: "ignore" });
   } catch (e) {
-    return false;
   }
-}
-async function startCaddy() {
-  try {
-    execSync("caddy start", { stdio: "ignore" });
-    for (let i = 0; i < 10; i++) {
-      if (await isCaddyRunning()) return true;
-      await new Promise((r) => setTimeout(r, 500));
+  for (let i = 0; i < 10; i++) {
+    const status = await checkCaddyAdminStatus(apiUrl, adminOrigin);
+    if (status.status === "running") return true;
+    if (status.status === "api-error") {
+      throw status.error;
     }
-    return false;
-  } catch (e) {
-    console.error("Failed to start Caddy:", e);
-    return false;
+    await sleep(500);
   }
+  return false;
 }
-async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME) {
-  const serverUrl = `${caddyApiUrl}/config/apps/http/servers/${serverName}`;
-  const res = await fetch(serverUrl);
+async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
+  const resolvedApiUrl = getApiUrl(apiUrl);
+  const serverUrl = `${resolvedApiUrl}/config/apps/http/servers/${serverName}`;
+  const res = await caddyFetch(serverUrl, void 0, apiUrl, adminOrigin);
   if (res.ok) return;
+  if (res.status === 403) {
+    const text = await res.text();
+    if (isOriginPolicyError(res.status, text)) {
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        res.status,
+        text
+      );
+    }
+  }
   const baseConfig = {
     listen: [":443"],
     routes: []
@@ -70,11 +205,13 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME) {
       [serverName]: baseConfig
     }
   };
-  const configRes = await fetch(`${caddyApiUrl}/config/`);
-  if (!configRes.ok) {
-    const text = await configRes.text();
-    throw new Error(`Failed to read Caddy config: ${text}`);
-  }
+  const configRes = await caddyFetch(
+    `${resolvedApiUrl}/config/`,
+    void 0,
+    apiUrl,
+    adminOrigin
+  );
+  await assertCaddyResponse(configRes, "Failed to read Caddy config");
   const configText = await configRes.text();
   const config = parseConfig(configText);
   if (config === void 0) {
@@ -82,18 +219,27 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME) {
   }
   const isEmptyConfig = configText.trim() === "" || config === null || isRecord(config) && Object.keys(config).length === 0;
   if (isEmptyConfig) {
-    const loadRes = await fetch(`${caddyApiUrl}/load`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        apps: {
-          http: httpAppConfig
-        }
-      })
-    });
+    const loadRes = await caddyFetch(
+      `${resolvedApiUrl}/load`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          apps: {
+            http: httpAppConfig
+          }
+        })
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!loadRes.ok) {
       const text = await loadRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        loadRes.status,
+        text
+      );
     }
     return;
   }
@@ -104,81 +250,136 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME) {
   let hasHttp = isRecord(http);
   let hasServers = isRecord(servers);
   if (!hasApps) {
-    const createAppsRes = await fetch(`${caddyApiUrl}/config/apps`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
+    const createAppsRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({})
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createAppsRes.ok && createAppsRes.status !== 409) {
       const text = await createAppsRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createAppsRes.status,
+        text
+      );
     }
     hasApps = true;
   }
   if (!hasHttp) {
-    const createHttpRes = await fetch(`${caddyApiUrl}/config/apps/http`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ servers: {} })
-    });
+    const createHttpRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps/http`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ servers: {} })
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createHttpRes.ok && createHttpRes.status !== 409) {
       const text = await createHttpRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createHttpRes.status,
+        text
+      );
     }
     hasHttp = true;
     hasServers = true;
   }
   if (!hasServers) {
-    const createServersRes = await fetch(`${caddyApiUrl}/config/apps/http/servers`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
+    const createServersRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps/http/servers`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({})
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createServersRes.ok && createServersRes.status !== 409) {
       const text = await createServersRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createServersRes.status,
+        text
+      );
     }
   }
-  const createServerRes = await fetch(serverUrl, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(baseConfig)
-  });
+  const createServerRes = await caddyFetch(
+    serverUrl,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(baseConfig)
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!createServerRes.ok && createServerRes.status !== 409) {
     const text = await createServerRes.text();
-    throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy base configuration",
+      createServerRes.status,
+      text
+    );
   }
 }
-async function ensureTlsAutomation() {
-  const policiesUrl = `${caddyApiUrl}/config/apps/tls/automation/policies`;
-  const policiesRes = await fetch(policiesUrl);
+async function ensureTlsAutomation(apiUrl, adminOrigin) {
+  const resolvedApiUrl = getApiUrl(apiUrl);
+  const policiesUrl = `${resolvedApiUrl}/config/apps/tls/automation/policies`;
+  const policiesRes = await caddyFetch(policiesUrl, void 0, apiUrl, adminOrigin);
   if (policiesRes.ok) return;
   const policiesText = await policiesRes.text();
   if (policiesRes.status !== 404 && !policiesText.includes("invalid traversal path")) {
-    throw new Error(
-      `Failed to initialize Caddy TLS automation: ${policiesText}`
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      policiesRes.status,
+      policiesText
     );
   }
-  const automationRes = await fetch(`${caddyApiUrl}/config/apps/tls/automation`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ policies: [] })
-  });
+  const automationRes = await caddyFetch(
+    `${resolvedApiUrl}/config/apps/tls/automation`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ policies: [] })
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (automationRes.ok || automationRes.status === 409) return;
   const automationText = await automationRes.text();
   if (!automationText.includes("invalid traversal path")) {
-    throw new Error(
-      `Failed to initialize Caddy TLS automation: ${automationText}`
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      automationRes.status,
+      automationText
     );
   }
-  const tlsRes = await fetch(`${caddyApiUrl}/config/apps/tls`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ automation: { policies: [] } })
-  });
+  const tlsRes = await caddyFetch(
+    `${resolvedApiUrl}/config/apps/tls`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ automation: { policies: [] } })
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!tlsRes.ok && tlsRes.status !== 409) {
     const text = await tlsRes.text();
-    throw new Error(`Failed to initialize Caddy TLS automation: ${text}`);
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      tlsRes.status,
+      text
+    );
   }
 }
 function formatDialAddress(host, port) {
@@ -187,7 +388,50 @@ function formatDialAddress(host, port) {
   }
   return `${host}:${port}`;
 }
-async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAME, upstreamHost = "127.0.0.1", upstreamHostHeader) {
+function extractMatchedHosts(route) {
+  if (!isRecord(route)) return [];
+  const match = route.match;
+  if (!Array.isArray(match)) return [];
+  const hosts = [];
+  for (const item of match) {
+    if (!isRecord(item) || !Array.isArray(item.host)) continue;
+    for (const host of item.host) {
+      if (typeof host === "string") {
+        hosts.push(host);
+      }
+    }
+  }
+  return hosts;
+}
+function intersectsDomains(targetDomains, routeDomains) {
+  if (targetDomains.length === 0 || routeDomains.length === 0) return false;
+  const targetSet = new Set(targetDomains);
+  return routeDomains.some((domain) => targetSet.has(domain));
+}
+async function cleanupStaleRoutesForDomains(domains, currentRouteId, serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
+  if (domains.length === 0) return;
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`,
+    void 0,
+    apiUrl,
+    adminOrigin
+  );
+  if (!res.ok) return;
+  const text = await res.text();
+  const parsed = parseConfig(text);
+  if (!Array.isArray(parsed)) return;
+  for (const route of parsed) {
+    if (!isRecord(route)) continue;
+    const id = route["@id"];
+    if (typeof id !== "string") continue;
+    if (!id.startsWith("vite-proxy-")) continue;
+    if (id === currentRouteId) continue;
+    const routeDomains = extractMatchedHosts(route);
+    if (!intersectsDomains(domains, routeDomains)) continue;
+    await removeRoute(id, apiUrl, adminOrigin);
+  }
+}
+async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAME, upstreamHost = "127.0.0.1", upstreamHostHeader, apiUrl, adminOrigin) {
   const handlers = [];
   if (cors) {
     handlers.push({
@@ -237,22 +481,24 @@ async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAM
     ],
     terminal: true
   };
-  const res = await fetch(
-    `${caddyApiUrl}/config/apps/http/servers/${serverName}/routes`,
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`,
     {
       method: "POST",
       // Append to routes list
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(route)
-    }
+    },
+    apiUrl,
+    adminOrigin
   );
   if (!res.ok) {
     const text = await res.text();
-    throw new Error(`Failed to add route: ${text}`);
+    throw buildCaddyRequestError("Failed to add route", res.status, text);
   }
 }
-async function addTlsPolicy(id, domains) {
-  await ensureTlsAutomation();
+async function addTlsPolicy(id, domains, apiUrl, adminOrigin) {
+  await ensureTlsAutomation(apiUrl, adminOrigin);
   const policy = {
     "@id": id,
     subjects: domains,
@@ -262,39 +508,78 @@ async function addTlsPolicy(id, domains) {
       }
     ]
   };
-  const res = await fetch(`${caddyApiUrl}/config/apps/tls/automation/policies`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(policy)
-  });
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/tls/automation/policies`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(policy)
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok) {
     const text = await res.text();
     if (isTlsPolicyOverlapError(text)) {
       return;
     }
-    throw new Error(`Failed to add TLS policy: ${text}`);
+    throw buildCaddyRequestError("Failed to add TLS policy", res.status, text);
   }
 }
-async function removeRoute(id) {
-  const res = await fetch(`${caddyApiUrl}/id/${id}`, {
-    method: "DELETE"
-  });
+async function removeRoute(id, apiUrl, adminOrigin) {
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/id/${id}`,
+    {
+      method: "DELETE"
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok && res.status !== 404) {
-    console.error(`Failed to remove route ${id}`);
+    const text = await res.text();
+    const error = buildCaddyRequestError(`Failed to remove route ${id}`, res.status, text);
+    console.error(error.message);
     return false;
   }
   return true;
 }
-async function removeTlsPolicy(id) {
-  const res = await fetch(`${caddyApiUrl}/id/${id}`, {
-    method: "DELETE"
-  });
+async function removeTlsPolicy(id, apiUrl, adminOrigin) {
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/id/${id}`,
+    {
+      method: "DELETE"
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok && res.status !== 404) {
-    console.error(`Failed to remove TLS policy ${id}`);
+    const text = await res.text();
+    const error = buildCaddyRequestError(
+      `Failed to remove TLS policy ${id}`,
+      res.status,
+      text
+    );
+    console.error(error.message);
     return false;
   }
   return true;
 }
+async function ensureCaddyReady(serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
+  await withApiLock(apiUrl, async () => {
+    const status = await checkCaddyAdminStatus(apiUrl, adminOrigin);
+    if (status.status === "api-error") {
+      throw status.error;
+    }
+    let running = status.status === "running";
+    if (status.status === "connectivity-error") {
+      running = await startCaddy(apiUrl, adminOrigin);
+    }
+    if (!running) {
+      throw new Error("Failed to start Caddy server.");
+    }
+    await ensureBaseConfig(serverName, apiUrl, adminOrigin);
+  });
+}
 
 // src/index.ts
 var LOOPBACK_DOMAINS = {
@@ -310,7 +595,7 @@ function getGitRepoInfo() {
   try {
     const repoRoot = execGit("git rev-parse --show-toplevel");
     if (repoRoot) {
-      info.repo = path.basename(repoRoot);
+      info.repo = path2.basename(repoRoot);
     }
   } catch (e) {
   }
@@ -364,7 +649,13 @@ function buildDerivedDomain(options) {
   const repoLabel = sanitizeDomainLabel(repo);
   const branchLabel = sanitizeDomainLabel(branch);
   if (!repoLabel || !branchLabel) return null;
-  return `${repoLabel}.${branchLabel}.${baseDomain}`;
+  const labels = [repoLabel, branchLabel];
+  if (options.instanceLabel !== void 0) {
+    const instanceLabel = sanitizeDomainLabel(options.instanceLabel);
+    if (!instanceLabel) return null;
+    labels.push(instanceLabel);
+  }
+  return `${labels.join(".")}.${baseDomain}`;
 }
 function normalizeDomain(domain) {
   const trimmed = domain.trim().toLowerCase();
@@ -382,6 +673,15 @@ function normalizeCaddyApiUrl(url) {
   if (!trimmed) return null;
   return trimmed.replace(/\/+$/g, "");
 }
+function normalizeCaddyAdminOrigin(origin) {
+  const trimmed = origin.trim();
+  if (!trimmed) return null;
+  try {
+    return new URL(trimmed).origin;
+  } catch (e) {
+    return null;
+  }
+}
 function resolveDomains(options) {
   if (options.domain) {
     return normalizeDomains(options.domain);
@@ -396,22 +696,35 @@ function viteCaddyTlsPlugin({
   loopbackDomain,
   repo,
   branch,
+  instanceLabel,
   cors,
   serverName,
-  caddyApiUrl: caddyApiUrl2,
+  caddyApiUrl,
+  caddyAdminOrigin,
   internalTls,
   upstreamHostHeader
 } = {}) {
-  if (caddyApiUrl2 !== void 0) {
-    const normalizedApiUrl = normalizeCaddyApiUrl(caddyApiUrl2);
-    if (normalizedApiUrl) {
-      setCaddyApiUrl(normalizedApiUrl);
-    } else {
-      setCaddyApiUrl(DEFAULT_CADDY_API_URL);
-      console.warn(
-        `caddyApiUrl is empty after trimming. Falling back to ${DEFAULT_CADDY_API_URL}.`
-      );
-    }
+  const normalizedApiUrl = caddyApiUrl ? normalizeCaddyApiUrl(caddyApiUrl) : null;
+  const pluginCaddyApiUrl = normalizedApiUrl ?? DEFAULT_CADDY_API_URL;
+  const normalizedAdminOrigin = caddyAdminOrigin ? normalizeCaddyAdminOrigin(caddyAdminOrigin) : null;
+  const pluginCaddyAdminOrigin = normalizedAdminOrigin ?? pluginCaddyApiUrl;
+  if (caddyApiUrl !== void 0 && !normalizedApiUrl) {
+    console.warn(
+      `caddyApiUrl is empty after trimming. Falling back to ${DEFAULT_CADDY_API_URL}.`
+    );
+  }
+  if (caddyAdminOrigin !== void 0 && !normalizedAdminOrigin) {
+    console.warn(
+      `caddyAdminOrigin is invalid. Falling back to ${pluginCaddyApiUrl}.`
+    );
+  }
+  function getInstanceKey(domains, configRoot) {
+    const keyMaterial = JSON.stringify({
+      domains: [...domains].sort(),
+      cwd: process.cwd(),
+      root: configRoot ?? null
+    });
+    return createHash2("sha1").update(keyMaterial).digest("hex").slice(0, 12);
   }
   function isPreviewServer(server) {
     return server.config.isProduction;
@@ -440,10 +753,11 @@ function viteCaddyTlsPlugin({
       baseDomain,
       loopbackDomain,
       repo,
-      branch
+      branch,
+      instanceLabel
     });
     const domainArray = resolvedDomains ?? [];
-    const routeId = `vite-proxy-${Date.now()}-${Math.floor(Math.random() * 1e3)}`;
+    const routeId = `vite-proxy-${getInstanceKey(domainArray, config.root)}`;
     const shouldUseInternalTls = internalTls ?? (baseDomain !== void 0 || loopbackDomain !== void 0 || domain !== void 0);
     const tlsPolicyId = shouldUseInternalTls ? `${routeId}-tls` : null;
     let cleanupStarted = false;
@@ -458,6 +772,9 @@ function viteCaddyTlsPlugin({
       if (baseDomain !== void 0 && !normalizeBaseDomain(baseDomain)) {
         issues.push("`baseDomain` is empty after trimming");
       }
+      if (instanceLabel !== void 0 && !sanitizeDomainLabel(instanceLabel)) {
+        issues.push("`instanceLabel` is empty after sanitization");
+      }
       const info = getGitRepoInfo();
       const resolvedRepo = repo ?? info.repo;
       const resolvedBranch = branch ?? info.branch;
@@ -553,9 +870,15 @@ function viteCaddyTlsPlugin({
       if (cleanupStarted) return;
       cleanupStarted = true;
       if (tlsPolicyId) {
-        await removeWithRetry(() => removeTlsPolicy(tlsPolicyId), "TLS policy");
+        await removeWithRetry(
+          () => removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin),
+          "TLS policy"
+        );
       }
-      await removeWithRetry(() => removeRoute(routeId), "route");
+      await removeWithRetry(
+        () => removeRoute(routeId, pluginCaddyApiUrl, pluginCaddyAdminOrigin),
+        "route"
+      );
     }
     function onServerClose() {
       void cleanupRoute();
@@ -599,32 +922,38 @@ function viteCaddyTlsPlugin({
       if (!validateCaddyIsInstalled()) {
         return;
       }
-      let running = await isCaddyRunning();
-      if (!running) {
-        running = await startCaddy();
-        if (!running) {
-          console.error("Failed to start Caddy server.");
-          return;
-        }
-      }
       try {
-        await ensureBaseConfig(serverName);
+        await ensureCaddyReady(serverName, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
       } catch (e) {
         console.error(
-          `Failed to configure Caddy base settings. Is the Caddy Admin API reachable at ${getCaddyApiUrl()}?`,
+          `Failed to configure Caddy base settings. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
           e
         );
         return;
       }
       const port = getServerPort();
       const upstreamHost = getUpstreamHost();
+      await cleanupStaleRoutesForDomains(
+        domainArray,
+        routeId,
+        serverName,
+        pluginCaddyApiUrl,
+        pluginCaddyAdminOrigin
+      );
+      await removeRoute(routeId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
       if (tlsPolicyId) {
+        await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
         try {
-          await addTlsPolicy(tlsPolicyId, domainArray);
+          await addTlsPolicy(
+            tlsPolicyId,
+            domainArray,
+            pluginCaddyApiUrl,
+            pluginCaddyAdminOrigin
+          );
           tlsPolicyAdded = true;
         } catch (e) {
           console.error(
-            `Failed to add TLS policy to Caddy. Is the Caddy Admin API reachable at ${getCaddyApiUrl()}?`,
+            `Failed to add TLS policy to Caddy. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
             e
           );
           return;
@@ -638,14 +967,16 @@ function viteCaddyTlsPlugin({
           cors,
           serverName,
           upstreamHost,
-          upstreamHostHeader
+          upstreamHostHeader,
+          pluginCaddyApiUrl,
+          pluginCaddyAdminOrigin
         );
       } catch (e) {
         if (tlsPolicyAdded && tlsPolicyId) {
-          await removeTlsPolicy(tlsPolicyId);
+          await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
         }
         console.error(
-          `Failed to add route to Caddy. Is the Caddy Admin API reachable at ${getCaddyApiUrl()}?`,
+          `Failed to add route to Caddy. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
           e
         );
         return;
@@ -708,7 +1039,8 @@ function viteCaddyTlsPlugin({
         baseDomain,
         loopbackDomain,
         repo,
-        branch
+        branch,
+        instanceLabel
       });
       const defaultHmrDomain = resolvedDomains?.[0];
       const hmrConfig = userConfig.server?.hmr === void 0 && defaultHmrDomain ? {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite-plugin-caddy-multiple-tls",
-  "version": "1.5.1",
+  "version": "1.6.1",
   "description": "Vite plugin that uses Caddy to provide local HTTPS with derived domains.",
   "keywords": [
     "vite",