vite-plugin-caddy-multiple-tls 1.6.0 → 1.6.1

package/README.md

@@ -136,6 +136,40 @@ const config = defineConfig({
 export default config;
 ```
 
+If your Caddy Admin API enforces a specific allowed origin that differs from `caddyApiUrl`, set `caddyAdminOrigin`.
+
+```js
+// vite.config.js
+import { defineConfig } from 'vite';
+import caddyTls from 'vite-plugin-caddy-multiple-tls';
+
+const config = defineConfig({
+  plugins: [
+    caddyTls({
+      caddyApiUrl: 'http://127.0.0.1:2019',
+      caddyAdminOrigin: 'http://localhost:2019',
+    })
+  ]
+});
+
+export default config;
+```
+
+## Troubleshooting
+
+### `client is not allowed to access from origin ''`
+
+This error comes from Caddy Admin API origin enforcement, not from Caddy being down.
+
+- Check `caddyApiUrl` points to the correct Admin API endpoint.
+- If Admin API expects a different origin than the API URL host, set `caddyAdminOrigin`.
+- Verify behavior directly:
+
+```bash
+curl -i http://127.0.0.1:2019/config/
+curl -i -H 'Origin: http://127.0.0.1:2019' http://127.0.0.1:2019/config/
+```
+
 > [!IMPORTANT]  
 > **Hosts file limitation:** If you use a custom domain, you must **manually** add each generated subdomain to your `/etc/hosts` file (e.g., `127.0.0.1 repo.branch.local.example.test`). System hosts files **do not support wildcards** (e.g., `*.local.example.test`), so you lose the benefit of automatic domain resolution that `localhost` provides.
 

package/dist/index.d.ts

@@ -18,6 +18,8 @@ interface ViteCaddyTlsPluginOptions {
     serverName?: string;
     /** Override the Caddy Admin API base URL (default: http://localhost:2019) */
     caddyApiUrl?: string;
+    /** Override the Origin header used for Caddy Admin API requests (defaults to caddyApiUrl origin) */
+    caddyAdminOrigin?: string;
     /** Use Caddy's internal CA for the provided domains (defaults to true when baseDomain or domain is set) */
     internalTls?: boolean;
     /**
@@ -39,6 +41,6 @@ type LoopbackDomain = 'localtest.me' | 'lvh.me' | 'nip.io';
  * ```
  * @returns {Plugin} - a Vite plugin
  */
-declare function viteCaddyTlsPlugin({ domain, baseDomain, loopbackDomain, repo, branch, instanceLabel, cors, serverName, caddyApiUrl, internalTls, upstreamHostHeader, }?: ViteCaddyTlsPluginOptions): PluginOption;
+declare function viteCaddyTlsPlugin({ domain, baseDomain, loopbackDomain, repo, branch, instanceLabel, cors, serverName, caddyApiUrl, caddyAdminOrigin, internalTls, upstreamHostHeader, }?: ViteCaddyTlsPluginOptions): PluginOption;
 
 export { type ViteCaddyTlsPluginOptions, viteCaddyTlsPlugin as default };

package/dist/index.js

@@ -11,6 +11,18 @@ import os from "os";
 import path from "path";
 var DEFAULT_SERVER_NAME = "srv0";
 var DEFAULT_CADDY_API_URL = "http://localhost:2019";
+var CADDY_ADMIN_ORIGIN_POLICY_ERROR_MESSAGE = "Caddy Admin API rejected request due to origin policy. Check caddyApiUrl and admin origin settings.";
+var CONNECTIVITY_ERROR_CODES = /* @__PURE__ */ new Set([
+  "ECONNREFUSED",
+  "ECONNRESET",
+  "EHOSTUNREACH",
+  "ENETUNREACH",
+  "ENOTFOUND",
+  "ETIMEDOUT",
+  "UND_ERR_CONNECT_TIMEOUT",
+  "UND_ERR_HEADERS_TIMEOUT",
+  "UND_ERR_SOCKET"
+]);
 function isRecord(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -28,6 +40,90 @@ function isTlsPolicyOverlapError(text) {
 function getApiUrl(apiUrl) {
   return apiUrl ?? DEFAULT_CADDY_API_URL;
 }
+function toError(error) {
+  if (error instanceof Error) return error;
+  return new Error(String(error));
+}
+function isOriginPolicyError(status, text) {
+  if (status !== 403) return false;
+  const normalizedText = text.toLowerCase();
+  return normalizedText.includes("origin") && normalizedText.includes("not allowed");
+}
+function buildCaddyRequestError(message, status, text) {
+  if (isOriginPolicyError(status, text)) {
+    return new Error(CADDY_ADMIN_ORIGIN_POLICY_ERROR_MESSAGE);
+  }
+  const normalizedText = text.trim();
+  if (!normalizedText) {
+    return new Error(`${message}: HTTP ${status}`);
+  }
+  return new Error(`${message}: ${normalizedText}`);
+}
+function getErrorCode(error) {
+  if (!error || typeof error !== "object") return void 0;
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  if ("cause" in error) {
+    const cause = error.cause;
+    if (cause && typeof cause === "object") {
+      if ("code" in cause && typeof cause.code === "string") {
+        return cause.code;
+      }
+    }
+  }
+  return void 0;
+}
+function isConnectivityError(error) {
+  const code = getErrorCode(error);
+  return Boolean(code) && CONNECTIVITY_ERROR_CODES.has(code);
+}
+function getAdminOrigin(apiUrl, adminOrigin) {
+  const originSource = adminOrigin ?? getApiUrl(apiUrl);
+  try {
+    return new URL(originSource).origin;
+  } catch (e) {
+    return new URL(getApiUrl(apiUrl)).origin;
+  }
+}
+async function caddyFetch(input, init, apiUrl, adminOrigin) {
+  const headers = new Headers(init?.headers);
+  headers.set("Origin", getAdminOrigin(apiUrl, adminOrigin));
+  return fetch(input, {
+    ...init,
+    headers
+  });
+}
+async function checkCaddyAdminStatus(apiUrl, adminOrigin) {
+  try {
+    const res = await caddyFetch(`${getApiUrl(apiUrl)}/config/`, void 0, apiUrl, adminOrigin);
+    if (res.ok) {
+      return { status: "running" };
+    }
+    const text = await res.text();
+    return {
+      status: "api-error",
+      error: buildCaddyRequestError("Failed to read Caddy config", res.status, text)
+    };
+  } catch (e) {
+    const error = toError(e);
+    if (isConnectivityError(error)) {
+      return {
+        status: "connectivity-error",
+        error
+      };
+    }
+    return {
+      status: "api-error",
+      error
+    };
+  }
+}
+async function assertCaddyResponse(res, message) {
+  if (res.ok) return;
+  const text = await res.text();
+  throw buildCaddyRequestError(message, res.status, text);
+}
 function getLockPath(apiUrl) {
   const key = createHash("sha1").update(getApiUrl(apiUrl)).digest("hex").slice(0, 12);
   return path.join(os.tmpdir(), `vite-plugin-caddy-multiple-tls-${key}.lock`);
@@ -70,30 +166,36 @@ function validateCaddyIsInstalled() {
     return false;
   }
 }
-async function isCaddyRunning(apiUrl) {
-  try {
-    const res = await fetch(`${getApiUrl(apiUrl)}/config/`);
-    return res.ok;
-  } catch (e) {
-    return false;
-  }
-}
-async function startCaddy(apiUrl) {
+async function startCaddy(apiUrl, adminOrigin) {
   try {
     execSync("caddy start", { stdio: "ignore" });
   } catch (e) {
   }
   for (let i = 0; i < 10; i++) {
-    if (await isCaddyRunning(apiUrl)) return true;
+    const status = await checkCaddyAdminStatus(apiUrl, adminOrigin);
+    if (status.status === "running") return true;
+    if (status.status === "api-error") {
+      throw status.error;
+    }
     await sleep(500);
   }
   return false;
 }
-async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
+async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
   const resolvedApiUrl = getApiUrl(apiUrl);
   const serverUrl = `${resolvedApiUrl}/config/apps/http/servers/${serverName}`;
-  const res = await fetch(serverUrl);
+  const res = await caddyFetch(serverUrl, void 0, apiUrl, adminOrigin);
   if (res.ok) return;
+  if (res.status === 403) {
+    const text = await res.text();
+    if (isOriginPolicyError(res.status, text)) {
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        res.status,
+        text
+      );
+    }
+  }
   const baseConfig = {
     listen: [":443"],
     routes: []
@@ -103,11 +205,13 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
       [serverName]: baseConfig
     }
   };
-  const configRes = await fetch(`${resolvedApiUrl}/config/`);
-  if (!configRes.ok) {
-    const text = await configRes.text();
-    throw new Error(`Failed to read Caddy config: ${text}`);
-  }
+  const configRes = await caddyFetch(
+    `${resolvedApiUrl}/config/`,
+    void 0,
+    apiUrl,
+    adminOrigin
+  );
+  await assertCaddyResponse(configRes, "Failed to read Caddy config");
   const configText = await configRes.text();
   const config = parseConfig(configText);
   if (config === void 0) {
@@ -115,18 +219,27 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
   }
   const isEmptyConfig = configText.trim() === "" || config === null || isRecord(config) && Object.keys(config).length === 0;
   if (isEmptyConfig) {
-    const loadRes = await fetch(`${resolvedApiUrl}/load`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        apps: {
-          http: httpAppConfig
-        }
-      })
-    });
+    const loadRes = await caddyFetch(
+      `${resolvedApiUrl}/load`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          apps: {
+            http: httpAppConfig
+          }
+        })
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!loadRes.ok) {
       const text = await loadRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        loadRes.status,
+        text
+      );
     }
     return;
   }
@@ -137,82 +250,136 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
   let hasHttp = isRecord(http);
   let hasServers = isRecord(servers);
   if (!hasApps) {
-    const createAppsRes = await fetch(`${resolvedApiUrl}/config/apps`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
+    const createAppsRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({})
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createAppsRes.ok && createAppsRes.status !== 409) {
       const text = await createAppsRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createAppsRes.status,
+        text
+      );
     }
     hasApps = true;
   }
   if (!hasHttp) {
-    const createHttpRes = await fetch(`${resolvedApiUrl}/config/apps/http`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ servers: {} })
-    });
+    const createHttpRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps/http`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ servers: {} })
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createHttpRes.ok && createHttpRes.status !== 409) {
       const text = await createHttpRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createHttpRes.status,
+        text
+      );
     }
     hasHttp = true;
     hasServers = true;
   }
   if (!hasServers) {
-    const createServersRes = await fetch(`${resolvedApiUrl}/config/apps/http/servers`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
+    const createServersRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps/http/servers`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({})
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createServersRes.ok && createServersRes.status !== 409) {
       const text = await createServersRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createServersRes.status,
+        text
+      );
     }
   }
-  const createServerRes = await fetch(serverUrl, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(baseConfig)
-  });
+  const createServerRes = await caddyFetch(
+    serverUrl,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(baseConfig)
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!createServerRes.ok && createServerRes.status !== 409) {
     const text = await createServerRes.text();
-    throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy base configuration",
+      createServerRes.status,
+      text
+    );
   }
 }
-async function ensureTlsAutomation(apiUrl) {
+async function ensureTlsAutomation(apiUrl, adminOrigin) {
   const resolvedApiUrl = getApiUrl(apiUrl);
   const policiesUrl = `${resolvedApiUrl}/config/apps/tls/automation/policies`;
-  const policiesRes = await fetch(policiesUrl);
+  const policiesRes = await caddyFetch(policiesUrl, void 0, apiUrl, adminOrigin);
   if (policiesRes.ok) return;
   const policiesText = await policiesRes.text();
   if (policiesRes.status !== 404 && !policiesText.includes("invalid traversal path")) {
-    throw new Error(
-      `Failed to initialize Caddy TLS automation: ${policiesText}`
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      policiesRes.status,
+      policiesText
     );
   }
-  const automationRes = await fetch(`${resolvedApiUrl}/config/apps/tls/automation`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ policies: [] })
-  });
+  const automationRes = await caddyFetch(
+    `${resolvedApiUrl}/config/apps/tls/automation`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ policies: [] })
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (automationRes.ok || automationRes.status === 409) return;
   const automationText = await automationRes.text();
   if (!automationText.includes("invalid traversal path")) {
-    throw new Error(
-      `Failed to initialize Caddy TLS automation: ${automationText}`
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      automationRes.status,
+      automationText
     );
   }
-  const tlsRes = await fetch(`${resolvedApiUrl}/config/apps/tls`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ automation: { policies: [] } })
-  });
+  const tlsRes = await caddyFetch(
+    `${resolvedApiUrl}/config/apps/tls`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ automation: { policies: [] } })
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!tlsRes.ok && tlsRes.status !== 409) {
     const text = await tlsRes.text();
-    throw new Error(`Failed to initialize Caddy TLS automation: ${text}`);
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      tlsRes.status,
+      text
+    );
   }
 }
 function formatDialAddress(host, port) {
@@ -241,10 +408,13 @@ function intersectsDomains(targetDomains, routeDomains) {
   const targetSet = new Set(targetDomains);
   return routeDomains.some((domain) => targetSet.has(domain));
 }
-async function cleanupStaleRoutesForDomains(domains, currentRouteId, serverName = DEFAULT_SERVER_NAME, apiUrl) {
+async function cleanupStaleRoutesForDomains(domains, currentRouteId, serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
   if (domains.length === 0) return;
-  const res = await fetch(
-    `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`,
+    void 0,
+    apiUrl,
+    adminOrigin
   );
   if (!res.ok) return;
   const text = await res.text();
@@ -258,10 +428,10 @@ async function cleanupStaleRoutesForDomains(domains, currentRouteId, serverName
     if (id === currentRouteId) continue;
     const routeDomains = extractMatchedHosts(route);
     if (!intersectsDomains(domains, routeDomains)) continue;
-    await removeRoute(id, apiUrl);
+    await removeRoute(id, apiUrl, adminOrigin);
   }
 }
-async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAME, upstreamHost = "127.0.0.1", upstreamHostHeader, apiUrl) {
+async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAME, upstreamHost = "127.0.0.1", upstreamHostHeader, apiUrl, adminOrigin) {
   const handlers = [];
   if (cors) {
     handlers.push({
@@ -311,22 +481,24 @@ async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAM
     ],
     terminal: true
   };
-  const res = await fetch(
+  const res = await caddyFetch(
     `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`,
     {
       method: "POST",
       // Append to routes list
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(route)
-    }
+    },
+    apiUrl,
+    adminOrigin
   );
   if (!res.ok) {
     const text = await res.text();
-    throw new Error(`Failed to add route: ${text}`);
+    throw buildCaddyRequestError("Failed to add route", res.status, text);
   }
 }
-async function addTlsPolicy(id, domains, apiUrl) {
-  await ensureTlsAutomation(apiUrl);
+async function addTlsPolicy(id, domains, apiUrl, adminOrigin) {
+  await ensureTlsAutomation(apiUrl, adminOrigin);
   const policy = {
     "@id": id,
     subjects: domains,
@@ -336,49 +508,76 @@ async function addTlsPolicy(id, domains, apiUrl) {
       }
     ]
   };
-  const res = await fetch(`${getApiUrl(apiUrl)}/config/apps/tls/automation/policies`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(policy)
-  });
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/tls/automation/policies`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(policy)
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok) {
     const text = await res.text();
     if (isTlsPolicyOverlapError(text)) {
       return;
     }
-    throw new Error(`Failed to add TLS policy: ${text}`);
+    throw buildCaddyRequestError("Failed to add TLS policy", res.status, text);
   }
 }
-async function removeRoute(id, apiUrl) {
-  const res = await fetch(`${getApiUrl(apiUrl)}/id/${id}`, {
-    method: "DELETE"
-  });
+async function removeRoute(id, apiUrl, adminOrigin) {
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/id/${id}`,
+    {
+      method: "DELETE"
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok && res.status !== 404) {
-    console.error(`Failed to remove route ${id}`);
+    const text = await res.text();
+    const error = buildCaddyRequestError(`Failed to remove route ${id}`, res.status, text);
+    console.error(error.message);
     return false;
   }
   return true;
 }
-async function removeTlsPolicy(id, apiUrl) {
-  const res = await fetch(`${getApiUrl(apiUrl)}/id/${id}`, {
-    method: "DELETE"
-  });
+async function removeTlsPolicy(id, apiUrl, adminOrigin) {
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/id/${id}`,
+    {
+      method: "DELETE"
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok && res.status !== 404) {
-    console.error(`Failed to remove TLS policy ${id}`);
+    const text = await res.text();
+    const error = buildCaddyRequestError(
+      `Failed to remove TLS policy ${id}`,
+      res.status,
+      text
+    );
+    console.error(error.message);
     return false;
   }
   return true;
 }
-async function ensureCaddyReady(serverName = DEFAULT_SERVER_NAME, apiUrl) {
+async function ensureCaddyReady(serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
   await withApiLock(apiUrl, async () => {
-    let running = await isCaddyRunning(apiUrl);
-    if (!running) {
-      running = await startCaddy(apiUrl);
+    const status = await checkCaddyAdminStatus(apiUrl, adminOrigin);
+    if (status.status === "api-error") {
+      throw status.error;
+    }
+    let running = status.status === "running";
+    if (status.status === "connectivity-error") {
+      running = await startCaddy(apiUrl, adminOrigin);
     }
     if (!running) {
       throw new Error("Failed to start Caddy server.");
     }
-    await ensureBaseConfig(serverName, apiUrl);
+    await ensureBaseConfig(serverName, apiUrl, adminOrigin);
   });
 }
 
@@ -474,6 +673,15 @@ function normalizeCaddyApiUrl(url) {
   if (!trimmed) return null;
   return trimmed.replace(/\/+$/g, "");
 }
+function normalizeCaddyAdminOrigin(origin) {
+  const trimmed = origin.trim();
+  if (!trimmed) return null;
+  try {
+    return new URL(trimmed).origin;
+  } catch (e) {
+    return null;
+  }
+}
 function resolveDomains(options) {
   if (options.domain) {
     return normalizeDomains(options.domain);
@@ -492,16 +700,24 @@ function viteCaddyTlsPlugin({
   cors,
   serverName,
   caddyApiUrl,
+  caddyAdminOrigin,
   internalTls,
   upstreamHostHeader
 } = {}) {
   const normalizedApiUrl = caddyApiUrl ? normalizeCaddyApiUrl(caddyApiUrl) : null;
   const pluginCaddyApiUrl = normalizedApiUrl ?? DEFAULT_CADDY_API_URL;
+  const normalizedAdminOrigin = caddyAdminOrigin ? normalizeCaddyAdminOrigin(caddyAdminOrigin) : null;
+  const pluginCaddyAdminOrigin = normalizedAdminOrigin ?? pluginCaddyApiUrl;
   if (caddyApiUrl !== void 0 && !normalizedApiUrl) {
     console.warn(
       `caddyApiUrl is empty after trimming. Falling back to ${DEFAULT_CADDY_API_URL}.`
     );
   }
+  if (caddyAdminOrigin !== void 0 && !normalizedAdminOrigin) {
+    console.warn(
+      `caddyAdminOrigin is invalid. Falling back to ${pluginCaddyApiUrl}.`
+    );
+  }
   function getInstanceKey(domains, configRoot) {
     const keyMaterial = JSON.stringify({
       domains: [...domains].sort(),
@@ -655,11 +871,14 @@ function viteCaddyTlsPlugin({
       cleanupStarted = true;
       if (tlsPolicyId) {
         await removeWithRetry(
-          () => removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl),
+          () => removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin),
           "TLS policy"
         );
       }
-      await removeWithRetry(() => removeRoute(routeId, pluginCaddyApiUrl), "route");
+      await removeWithRetry(
+        () => removeRoute(routeId, pluginCaddyApiUrl, pluginCaddyAdminOrigin),
+        "route"
+      );
     }
     function onServerClose() {
       void cleanupRoute();
@@ -704,7 +923,7 @@ function viteCaddyTlsPlugin({
         return;
       }
       try {
-        await ensureCaddyReady(serverName, pluginCaddyApiUrl);
+        await ensureCaddyReady(serverName, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
       } catch (e) {
         console.error(
           `Failed to configure Caddy base settings. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
@@ -718,13 +937,19 @@ function viteCaddyTlsPlugin({
         domainArray,
         routeId,
         serverName,
-        pluginCaddyApiUrl
+        pluginCaddyApiUrl,
+        pluginCaddyAdminOrigin
       );
-      await removeRoute(routeId, pluginCaddyApiUrl);
+      await removeRoute(routeId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
       if (tlsPolicyId) {
-        await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl);
+        await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
         try {
-          await addTlsPolicy(tlsPolicyId, domainArray, pluginCaddyApiUrl);
+          await addTlsPolicy(
+            tlsPolicyId,
+            domainArray,
+            pluginCaddyApiUrl,
+            pluginCaddyAdminOrigin
+          );
           tlsPolicyAdded = true;
         } catch (e) {
           console.error(
@@ -743,11 +968,12 @@ function viteCaddyTlsPlugin({
           serverName,
           upstreamHost,
           upstreamHostHeader,
-          pluginCaddyApiUrl
+          pluginCaddyApiUrl,
+          pluginCaddyAdminOrigin
         );
       } catch (e) {
         if (tlsPolicyAdded && tlsPolicyId) {
-          await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl);
+          await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
         }
         console.error(
           `Failed to add route to Caddy. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite-plugin-caddy-multiple-tls",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "description": "Vite plugin that uses Caddy to provide local HTTPS with derived domains.",
   "keywords": [
     "vite",