vite-plugin-caddy-multiple-tls 1.6.0 → 1.7.0

package/README.md

@@ -112,6 +112,10 @@ export default config;
 
 This derives a host like `<repo>.<branch>.web-1.localhost`.
 
+The plugin now treats hostname ownership as explicit. If another live Vite server already owns the resolved domain, it will refuse takeover instead of deleting the other server's route. Use `instanceLabel`, `domain`, or stop the other server first.
+
+If a previous Vite process crashed and left stale ownership behind, the plugin will reclaim it automatically and clean up the stale Caddy route before continuing.
+
 For a zero-config experience, use `baseDomain: 'localhost'` (the default) so the derived domain works without editing `/etc/hosts`.
 
 `internalTls` defaults to `true` when you pass `baseDomain` or `domain`. You can override it if needed.
@@ -136,6 +140,48 @@ const config = defineConfig({
 export default config;
 ```
 
+If your Caddy Admin API enforces a specific allowed origin that differs from `caddyApiUrl`, set `caddyAdminOrigin`.
+
+```js
+// vite.config.js
+import { defineConfig } from 'vite';
+import caddyTls from 'vite-plugin-caddy-multiple-tls';
+
+const config = defineConfig({
+  plugins: [
+    caddyTls({
+      caddyApiUrl: 'http://127.0.0.1:2019',
+      caddyAdminOrigin: 'http://localhost:2019',
+    })
+  ]
+});
+
+export default config;
+```
+
+## Troubleshooting
+
+### `Cannot claim ... another Vite server already owns this domain`
+
+This means another live dev server is already using the resolved hostname.
+
+- Stop the other server if you want this one to use the same host.
+- Add `instanceLabel` if both servers should run at the same time.
+- Pass an explicit `domain` if you want total control over the hostname.
+
+### `client is not allowed to access from origin ''`
+
+This error comes from Caddy Admin API origin enforcement, not from Caddy being down.
+
+- Check `caddyApiUrl` points to the correct Admin API endpoint.
+- If Admin API expects a different origin than the API URL host, set `caddyAdminOrigin`.
+- Verify behavior directly:
+
+```bash
+curl -i http://127.0.0.1:2019/config/
+curl -i -H 'Origin: http://127.0.0.1:2019' http://127.0.0.1:2019/config/
+```
+
 > [!IMPORTANT]  
 > **Hosts file limitation:** If you use a custom domain, you must **manually** add each generated subdomain to your `/etc/hosts` file (e.g., `127.0.0.1 repo.branch.local.example.test`). System hosts files **do not support wildcards** (e.g., `*.local.example.test`), so you lose the benefit of automatic domain resolution that `localhost` provides.
 

package/dist/index.d.ts

@@ -18,6 +18,8 @@ interface ViteCaddyTlsPluginOptions {
     serverName?: string;
     /** Override the Caddy Admin API base URL (default: http://localhost:2019) */
     caddyApiUrl?: string;
+    /** Override the Origin header used for Caddy Admin API requests (defaults to caddyApiUrl origin) */
+    caddyAdminOrigin?: string;
     /** Use Caddy's internal CA for the provided domains (defaults to true when baseDomain or domain is set) */
     internalTls?: boolean;
     /**
@@ -39,6 +41,6 @@ type LoopbackDomain = 'localtest.me' | 'lvh.me' | 'nip.io';
  * ```
  * @returns {Plugin} - a Vite plugin
  */
-declare function viteCaddyTlsPlugin({ domain, baseDomain, loopbackDomain, repo, branch, instanceLabel, cors, serverName, caddyApiUrl, internalTls, upstreamHostHeader, }?: ViteCaddyTlsPluginOptions): PluginOption;
+declare function viteCaddyTlsPlugin({ domain, baseDomain, loopbackDomain, repo, branch, instanceLabel, cors, serverName, caddyApiUrl, caddyAdminOrigin, internalTls, upstreamHostHeader, }?: ViteCaddyTlsPluginOptions): PluginOption;
 
 export { type ViteCaddyTlsPluginOptions, viteCaddyTlsPlugin as default };

package/dist/index.js

@@ -1,19 +1,88 @@
 // src/index.ts
 import { execSync as execSync2 } from "child_process";
-import { createHash as createHash2 } from "crypto";
+import { randomUUID } from "crypto";
 import path2 from "path";
 
 // src/utils.ts
 import { execSync } from "child_process";
 import { createHash } from "crypto";
-import { open, unlink } from "fs/promises";
+import { mkdir, open, readFile, readdir, rename, unlink, writeFile } from "fs/promises";
 import os from "os";
 import path from "path";
 var DEFAULT_SERVER_NAME = "srv0";
 var DEFAULT_CADDY_API_URL = "http://localhost:2019";
+var CADDY_ADMIN_ORIGIN_POLICY_ERROR_MESSAGE = "Caddy Admin API rejected request due to origin policy. Check caddyApiUrl and admin origin settings.";
+var ROUTE_ID_PREFIX = "vite-proxy-";
+var LOCK_TIMEOUT_MS = 5e3;
+var LOCK_RETRY_MS = 50;
+var ROUTE_OWNERSHIP_VERSION = 1;
+var ROUTE_OWNERSHIP_STALE_AFTER_MS = 3e4;
+var ROUTE_OWNERSHIP_HEARTBEAT_INTERVAL_MS = 1e4;
+var CONNECTIVITY_ERROR_CODES = /* @__PURE__ */ new Set([
+  "ECONNREFUSED",
+  "ECONNRESET",
+  "EHOSTUNREACH",
+  "ENETUNREACH",
+  "ENOTFOUND",
+  "ETIMEDOUT",
+  "UND_ERR_CONNECT_TIMEOUT",
+  "UND_ERR_HEADERS_TIMEOUT",
+  "UND_ERR_SOCKET"
+]);
 function isRecord(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
+function normalizeRouteOwnershipDomains(domains) {
+  return Array.from(new Set(domains)).sort();
+}
+function getRouteOwnershipDirectory() {
+  return path.join(os.tmpdir(), "vite-plugin-caddy-multiple-tls", "owners");
+}
+function getRouteOwnershipPaths(scope) {
+  const key = createHash("sha1").update(
+    JSON.stringify({
+      domains: normalizeRouteOwnershipDomains(scope.domains),
+      serverName: scope.serverName,
+      caddyApiUrl: scope.caddyApiUrl
+    })
+  ).digest("hex").slice(0, 20);
+  const scopeLockKey = createHash("sha1").update(
+    JSON.stringify({
+      serverName: scope.serverName,
+      caddyApiUrl: scope.caddyApiUrl
+    })
+  ).digest("hex").slice(0, 20);
+  const directory = getRouteOwnershipDirectory();
+  return {
+    directory,
+    recordPath: path.join(directory, `${key}.json`),
+    lockPath: path.join(directory, `scope-${scopeLockKey}.lock`)
+  };
+}
+function isRouteOwnershipRecord(value) {
+  if (!isRecord(value)) return false;
+  if (value.version !== ROUTE_OWNERSHIP_VERSION) return false;
+  if (typeof value.ownerId !== "string" || !value.ownerId) return false;
+  if (typeof value.pid !== "number" || !Number.isFinite(value.pid)) return false;
+  if (typeof value.cwd !== "string") return false;
+  if (value.configRoot !== null && typeof value.configRoot !== "string") return false;
+  if (!Array.isArray(value.domains) || value.domains.some((domain) => typeof domain !== "string")) {
+    return false;
+  }
+  if (typeof value.routeId !== "string" || !value.routeId) return false;
+  if (value.tlsPolicyId !== null && typeof value.tlsPolicyId !== "string") return false;
+  if (typeof value.serverName !== "string" || !value.serverName) return false;
+  if (typeof value.caddyApiUrl !== "string" || !value.caddyApiUrl) return false;
+  if (typeof value.startedAt !== "number" || !Number.isFinite(value.startedAt)) return false;
+  if (typeof value.lastSeenAt !== "number" || !Number.isFinite(value.lastSeenAt)) return false;
+  return true;
+}
+function normalizeRouteOwnershipRecord(record) {
+  return {
+    ...record,
+    domains: normalizeRouteOwnershipDomains(record.domains)
+  };
+}
 function parseConfig(text) {
   if (!text.trim()) return {};
   try {
@@ -28,6 +97,93 @@ function isTlsPolicyOverlapError(text) {
 function getApiUrl(apiUrl) {
   return apiUrl ?? DEFAULT_CADDY_API_URL;
 }
+function toError(error) {
+  if (error instanceof Error) return error;
+  return new Error(String(error));
+}
+function isOriginPolicyError(status, text) {
+  if (status !== 403) return false;
+  const normalizedText = text.toLowerCase();
+  return normalizedText.includes("origin") && normalizedText.includes("not allowed");
+}
+function buildCaddyRequestError(message, status, text) {
+  if (isOriginPolicyError(status, text)) {
+    return new Error(CADDY_ADMIN_ORIGIN_POLICY_ERROR_MESSAGE);
+  }
+  const normalizedText = text.trim();
+  if (!normalizedText) {
+    return new Error(`${message}: HTTP ${status}`);
+  }
+  return new Error(`${message}: ${normalizedText}`);
+}
+function isNodeError(error) {
+  return Boolean(error) && typeof error === "object" && "code" in error;
+}
+function getErrorCode(error) {
+  if (!error || typeof error !== "object") return void 0;
+  if ("code" in error && typeof error.code === "string") {
+    return error.code;
+  }
+  if ("cause" in error) {
+    const cause = error.cause;
+    if (cause && typeof cause === "object") {
+      if ("code" in cause && typeof cause.code === "string") {
+        return cause.code;
+      }
+    }
+  }
+  return void 0;
+}
+function isConnectivityError(error) {
+  const code = getErrorCode(error);
+  return Boolean(code) && CONNECTIVITY_ERROR_CODES.has(code);
+}
+function getAdminOrigin(apiUrl, adminOrigin) {
+  const originSource = adminOrigin ?? getApiUrl(apiUrl);
+  try {
+    return new URL(originSource).origin;
+  } catch (e) {
+    return new URL(getApiUrl(apiUrl)).origin;
+  }
+}
+async function caddyFetch(input, init, apiUrl, adminOrigin) {
+  const headers = new Headers(init?.headers);
+  headers.set("Origin", getAdminOrigin(apiUrl, adminOrigin));
+  return fetch(input, {
+    ...init,
+    headers
+  });
+}
+async function checkCaddyAdminStatus(apiUrl, adminOrigin) {
+  try {
+    const res = await caddyFetch(`${getApiUrl(apiUrl)}/config/`, void 0, apiUrl, adminOrigin);
+    if (res.ok) {
+      return { status: "running" };
+    }
+    const text = await res.text();
+    return {
+      status: "api-error",
+      error: buildCaddyRequestError("Failed to read Caddy config", res.status, text)
+    };
+  } catch (e) {
+    const error = toError(e);
+    if (isConnectivityError(error)) {
+      return {
+        status: "connectivity-error",
+        error
+      };
+    }
+    return {
+      status: "api-error",
+      error
+    };
+  }
+}
+async function assertCaddyResponse(res, message) {
+  if (res.ok) return;
+  const text = await res.text();
+  throw buildCaddyRequestError(message, res.status, text);
+}
 function getLockPath(apiUrl) {
   const key = createHash("sha1").update(getApiUrl(apiUrl)).digest("hex").slice(0, 12);
   return path.join(os.tmpdir(), `vite-plugin-caddy-multiple-tls-${key}.lock`);
@@ -35,10 +191,9 @@ function getLockPath(apiUrl) {
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
-async function withApiLock(apiUrl, fn) {
-  const lockPath = getLockPath(apiUrl);
+async function withFileLock(lockPath, fn) {
+  await mkdir(path.dirname(lockPath), { recursive: true });
   const startedAt = Date.now();
-  const timeoutMs = 5e3;
   while (true) {
     try {
       const handle = await open(lockPath, "wx");
@@ -50,50 +205,196 @@ async function withApiLock(apiUrl, fn) {
       }
       return;
     } catch (e) {
-      if (e.code !== "EEXIST") {
+      if (!isNodeError(e) || e.code !== "EEXIST") {
         throw e;
       }
-      if (Date.now() - startedAt >= timeoutMs) {
+      if (Date.now() - startedAt >= LOCK_TIMEOUT_MS) {
         await fn();
         return;
       }
-      await sleep(50);
+      await sleep(LOCK_RETRY_MS);
     }
   }
 }
-function validateCaddyIsInstalled() {
+async function withApiLock(apiUrl, fn) {
+  await withFileLock(getLockPath(apiUrl), fn);
+}
+async function readRouteOwnershipByPath(recordPath) {
   try {
-    execSync("caddy version");
+    const text = await readFile(recordPath, "utf8");
+    const parsed = parseConfig(text);
+    if (!isRouteOwnershipRecord(parsed)) return null;
+    return normalizeRouteOwnershipRecord(parsed);
+  } catch (e) {
+    if (isNodeError(e) && e.code === "ENOENT") {
+      return null;
+    }
+    throw e;
+  }
+}
+async function writeRouteOwnership(record) {
+  const normalizedRecord = normalizeRouteOwnershipRecord(record);
+  const { directory, recordPath } = getRouteOwnershipPaths(normalizedRecord);
+  const tempPath = path.join(
+    directory,
+    `${path.basename(recordPath)}.${process.pid}.${Date.now()}.tmp`
+  );
+  await mkdir(directory, { recursive: true });
+  await writeFile(tempPath, JSON.stringify(normalizedRecord), "utf8");
+  await rename(tempPath, recordPath);
+}
+async function listRouteOwnershipRecords(scope) {
+  const directory = getRouteOwnershipDirectory();
+  let entries;
+  try {
+    entries = await readdir(directory);
+  } catch (e) {
+    if (isNodeError(e) && e.code === "ENOENT") {
+      return [];
+    }
+    throw e;
+  }
+  const records = await Promise.all(
+    entries.filter((entry) => entry.endsWith(".json")).map((entry) => readRouteOwnershipByPath(path.join(directory, entry)))
+  );
+  return records.filter((record) => {
+    return Boolean(
+      record && record.serverName === scope.serverName && record.caddyApiUrl === scope.caddyApiUrl
+    );
+  });
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
     return true;
   } catch (e) {
-    console.error("caddy cli is not installed");
-    return false;
+    return isNodeError(e) && e.code === "EPERM";
+  }
+}
+function isRouteOwnershipActive(record, now = Date.now()) {
+  return isProcessAlive(record.pid) || now - record.lastSeenAt <= ROUTE_OWNERSHIP_STALE_AFTER_MS;
+}
+async function claimRouteOwnership(record) {
+  const normalizedRecord = normalizeRouteOwnershipRecord(record);
+  const { lockPath, recordPath } = getRouteOwnershipPaths(normalizedRecord);
+  let claimResult = null;
+  await withFileLock(lockPath, async () => {
+    const existingRecord = await readRouteOwnershipByPath(recordPath);
+    if (existingRecord?.ownerId === normalizedRecord.ownerId) {
+      await writeRouteOwnership(normalizedRecord);
+      claimResult = {
+        status: "claimed",
+        currentRecord: normalizedRecord
+      };
+      return;
+    }
+    const overlappingRecords = (await listRouteOwnershipRecords(normalizedRecord)).filter(
+      (candidate) => {
+        return candidate.ownerId !== normalizedRecord.ownerId && intersectsDomains(candidate.domains, normalizedRecord.domains);
+      }
+    );
+    const activeConflict = overlappingRecords.find((candidate) => {
+      return isRouteOwnershipActive(candidate);
+    });
+    if (activeConflict) {
+      claimResult = {
+        status: "active-conflict",
+        currentRecord: normalizedRecord,
+        existingRecord: activeConflict
+      };
+      return;
+    }
+    await writeRouteOwnership(normalizedRecord);
+    if (overlappingRecords.length > 0) {
+      claimResult = {
+        status: "reclaimed",
+        currentRecord: normalizedRecord,
+        previousRecords: overlappingRecords
+      };
+      return;
+    }
+    claimResult = {
+      status: "claimed",
+      currentRecord: normalizedRecord
+    };
+  });
+  if (!claimResult) {
+    throw new Error("Failed to claim route ownership.");
   }
+  return claimResult;
+}
+async function touchRouteOwnership(reference) {
+  const { lockPath, recordPath } = getRouteOwnershipPaths(reference);
+  let touched = false;
+  await withFileLock(lockPath, async () => {
+    const existingRecord = await readRouteOwnershipByPath(recordPath);
+    if (!existingRecord || existingRecord.ownerId !== reference.ownerId) {
+      return;
+    }
+    await writeRouteOwnership({
+      ...existingRecord,
+      lastSeenAt: Date.now()
+    });
+    touched = true;
+  });
+  return touched;
+}
+async function releaseRouteOwnership(reference) {
+  const { lockPath, recordPath } = getRouteOwnershipPaths(reference);
+  let released = false;
+  await withFileLock(lockPath, async () => {
+    const existingRecord = await readRouteOwnershipByPath(recordPath);
+    if (!existingRecord || existingRecord.ownerId !== reference.ownerId) {
+      return;
+    }
+    await unlink(recordPath).catch((error) => {
+      if (!isNodeError(error) || error.code !== "ENOENT") {
+        throw error;
+      }
+    });
+    released = true;
+  });
+  return released;
 }
-async function isCaddyRunning(apiUrl) {
+function validateCaddyIsInstalled() {
   try {
-    const res = await fetch(`${getApiUrl(apiUrl)}/config/`);
-    return res.ok;
+    execSync("caddy version");
+    return true;
   } catch (e) {
+    console.error("caddy cli is not installed");
     return false;
   }
 }
-async function startCaddy(apiUrl) {
+async function startCaddy(apiUrl, adminOrigin) {
   try {
     execSync("caddy start", { stdio: "ignore" });
   } catch (e) {
   }
   for (let i = 0; i < 10; i++) {
-    if (await isCaddyRunning(apiUrl)) return true;
+    const status = await checkCaddyAdminStatus(apiUrl, adminOrigin);
+    if (status.status === "running") return true;
+    if (status.status === "api-error") {
+      throw status.error;
+    }
     await sleep(500);
   }
   return false;
 }
-async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
+async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
   const resolvedApiUrl = getApiUrl(apiUrl);
   const serverUrl = `${resolvedApiUrl}/config/apps/http/servers/${serverName}`;
-  const res = await fetch(serverUrl);
+  const res = await caddyFetch(serverUrl, void 0, apiUrl, adminOrigin);
   if (res.ok) return;
+  if (res.status === 403) {
+    const text = await res.text();
+    if (isOriginPolicyError(res.status, text)) {
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        res.status,
+        text
+      );
+    }
+  }
   const baseConfig = {
     listen: [":443"],
     routes: []
@@ -103,11 +404,13 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
       [serverName]: baseConfig
     }
   };
-  const configRes = await fetch(`${resolvedApiUrl}/config/`);
-  if (!configRes.ok) {
-    const text = await configRes.text();
-    throw new Error(`Failed to read Caddy config: ${text}`);
-  }
+  const configRes = await caddyFetch(
+    `${resolvedApiUrl}/config/`,
+    void 0,
+    apiUrl,
+    adminOrigin
+  );
+  await assertCaddyResponse(configRes, "Failed to read Caddy config");
   const configText = await configRes.text();
   const config = parseConfig(configText);
   if (config === void 0) {
@@ -115,18 +418,27 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
   }
   const isEmptyConfig = configText.trim() === "" || config === null || isRecord(config) && Object.keys(config).length === 0;
   if (isEmptyConfig) {
-    const loadRes = await fetch(`${resolvedApiUrl}/load`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        apps: {
-          http: httpAppConfig
-        }
-      })
-    });
+    const loadRes = await caddyFetch(
+      `${resolvedApiUrl}/load`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          apps: {
+            http: httpAppConfig
+          }
+        })
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!loadRes.ok) {
       const text = await loadRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        loadRes.status,
+        text
+      );
     }
     return;
   }
@@ -137,82 +449,136 @@ async function ensureBaseConfig(serverName = DEFAULT_SERVER_NAME, apiUrl) {
   let hasHttp = isRecord(http);
   let hasServers = isRecord(servers);
   if (!hasApps) {
-    const createAppsRes = await fetch(`${resolvedApiUrl}/config/apps`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
+    const createAppsRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({})
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createAppsRes.ok && createAppsRes.status !== 409) {
       const text = await createAppsRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createAppsRes.status,
+        text
+      );
     }
     hasApps = true;
   }
   if (!hasHttp) {
-    const createHttpRes = await fetch(`${resolvedApiUrl}/config/apps/http`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ servers: {} })
-    });
+    const createHttpRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps/http`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ servers: {} })
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createHttpRes.ok && createHttpRes.status !== 409) {
       const text = await createHttpRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createHttpRes.status,
+        text
+      );
     }
     hasHttp = true;
     hasServers = true;
   }
   if (!hasServers) {
-    const createServersRes = await fetch(`${resolvedApiUrl}/config/apps/http/servers`, {
-      method: "PUT",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
+    const createServersRes = await caddyFetch(
+      `${resolvedApiUrl}/config/apps/http/servers`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({})
+      },
+      apiUrl,
+      adminOrigin
+    );
     if (!createServersRes.ok && createServersRes.status !== 409) {
       const text = await createServersRes.text();
-      throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+      throw buildCaddyRequestError(
+        "Failed to initialize Caddy base configuration",
+        createServersRes.status,
+        text
+      );
     }
   }
-  const createServerRes = await fetch(serverUrl, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(baseConfig)
-  });
+  const createServerRes = await caddyFetch(
+    serverUrl,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(baseConfig)
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!createServerRes.ok && createServerRes.status !== 409) {
     const text = await createServerRes.text();
-    throw new Error(`Failed to initialize Caddy base configuration: ${text}`);
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy base configuration",
+      createServerRes.status,
+      text
+    );
   }
 }
-async function ensureTlsAutomation(apiUrl) {
+async function ensureTlsAutomation(apiUrl, adminOrigin) {
   const resolvedApiUrl = getApiUrl(apiUrl);
   const policiesUrl = `${resolvedApiUrl}/config/apps/tls/automation/policies`;
-  const policiesRes = await fetch(policiesUrl);
+  const policiesRes = await caddyFetch(policiesUrl, void 0, apiUrl, adminOrigin);
   if (policiesRes.ok) return;
   const policiesText = await policiesRes.text();
   if (policiesRes.status !== 404 && !policiesText.includes("invalid traversal path")) {
-    throw new Error(
-      `Failed to initialize Caddy TLS automation: ${policiesText}`
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      policiesRes.status,
+      policiesText
     );
   }
-  const automationRes = await fetch(`${resolvedApiUrl}/config/apps/tls/automation`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ policies: [] })
-  });
+  const automationRes = await caddyFetch(
+    `${resolvedApiUrl}/config/apps/tls/automation`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ policies: [] })
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (automationRes.ok || automationRes.status === 409) return;
   const automationText = await automationRes.text();
   if (!automationText.includes("invalid traversal path")) {
-    throw new Error(
-      `Failed to initialize Caddy TLS automation: ${automationText}`
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      automationRes.status,
+      automationText
     );
   }
-  const tlsRes = await fetch(`${resolvedApiUrl}/config/apps/tls`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ automation: { policies: [] } })
-  });
+  const tlsRes = await caddyFetch(
+    `${resolvedApiUrl}/config/apps/tls`,
+    {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ automation: { policies: [] } })
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!tlsRes.ok && tlsRes.status !== 409) {
     const text = await tlsRes.text();
-    throw new Error(`Failed to initialize Caddy TLS automation: ${text}`);
+    throw buildCaddyRequestError(
+      "Failed to initialize Caddy TLS automation",
+      tlsRes.status,
+      text
+    );
   }
 }
 function formatDialAddress(host, port) {
@@ -236,32 +602,70 @@ function extractMatchedHosts(route) {
   }
   return hosts;
 }
+function extractMatchedSubjects(policy) {
+  if (!isRecord(policy) || !Array.isArray(policy.subjects)) return [];
+  const subjects = [];
+  for (const subject of policy.subjects) {
+    if (typeof subject === "string") {
+      subjects.push(subject);
+    }
+  }
+  return subjects;
+}
 function intersectsDomains(targetDomains, routeDomains) {
   if (targetDomains.length === 0 || routeDomains.length === 0) return false;
   const targetSet = new Set(targetDomains);
   return routeDomains.some((domain) => targetSet.has(domain));
 }
-async function cleanupStaleRoutesForDomains(domains, currentRouteId, serverName = DEFAULT_SERVER_NAME, apiUrl) {
-  if (domains.length === 0) return;
-  const res = await fetch(
-    `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`
+async function findManagedRoutesForDomains(domains, serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
+  if (domains.length === 0) return [];
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`,
+    void 0,
+    apiUrl,
+    adminOrigin
   );
-  if (!res.ok) return;
+  if (!res.ok) return [];
   const text = await res.text();
   const parsed = parseConfig(text);
-  if (!Array.isArray(parsed)) return;
+  if (!Array.isArray(parsed)) return [];
+  const routeIds = [];
   for (const route of parsed) {
     if (!isRecord(route)) continue;
     const id = route["@id"];
     if (typeof id !== "string") continue;
-    if (!id.startsWith("vite-proxy-")) continue;
-    if (id === currentRouteId) continue;
+    if (!id.startsWith(ROUTE_ID_PREFIX)) continue;
     const routeDomains = extractMatchedHosts(route);
     if (!intersectsDomains(domains, routeDomains)) continue;
-    await removeRoute(id, apiUrl);
+    routeIds.push(id);
   }
+  return routeIds;
 }
-async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAME, upstreamHost = "127.0.0.1", upstreamHostHeader, apiUrl) {
+async function findManagedTlsPoliciesForDomains(domains, apiUrl, adminOrigin) {
+  if (domains.length === 0) return [];
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/tls/automation/policies`,
+    void 0,
+    apiUrl,
+    adminOrigin
+  );
+  if (!res.ok) return [];
+  const text = await res.text();
+  const parsed = parseConfig(text);
+  if (!Array.isArray(parsed)) return [];
+  const policyIds = [];
+  for (const policy of parsed) {
+    if (!isRecord(policy)) continue;
+    const id = policy["@id"];
+    if (typeof id !== "string") continue;
+    if (!id.startsWith(ROUTE_ID_PREFIX)) continue;
+    const policyDomains = extractMatchedSubjects(policy);
+    if (!intersectsDomains(domains, policyDomains)) continue;
+    policyIds.push(id);
+  }
+  return policyIds;
+}
+async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAME, upstreamHost = "127.0.0.1", upstreamHostHeader, apiUrl, adminOrigin) {
   const handlers = [];
   if (cors) {
     handlers.push({
@@ -311,22 +715,24 @@ async function addRoute(id, domains, port, cors, serverName = DEFAULT_SERVER_NAM
     ],
     terminal: true
   };
-  const res = await fetch(
+  const res = await caddyFetch(
     `${getApiUrl(apiUrl)}/config/apps/http/servers/${serverName}/routes`,
     {
       method: "POST",
       // Append to routes list
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(route)
-    }
+    },
+    apiUrl,
+    adminOrigin
   );
   if (!res.ok) {
     const text = await res.text();
-    throw new Error(`Failed to add route: ${text}`);
+    throw buildCaddyRequestError("Failed to add route", res.status, text);
   }
 }
-async function addTlsPolicy(id, domains, apiUrl) {
-  await ensureTlsAutomation(apiUrl);
+async function addTlsPolicy(id, domains, apiUrl, adminOrigin) {
+  await ensureTlsAutomation(apiUrl, adminOrigin);
   const policy = {
     "@id": id,
     subjects: domains,
@@ -336,49 +742,76 @@ async function addTlsPolicy(id, domains, apiUrl) {
       }
     ]
   };
-  const res = await fetch(`${getApiUrl(apiUrl)}/config/apps/tls/automation/policies`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(policy)
-  });
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/config/apps/tls/automation/policies`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(policy)
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok) {
     const text = await res.text();
     if (isTlsPolicyOverlapError(text)) {
       return;
     }
-    throw new Error(`Failed to add TLS policy: ${text}`);
+    throw buildCaddyRequestError("Failed to add TLS policy", res.status, text);
   }
 }
-async function removeRoute(id, apiUrl) {
-  const res = await fetch(`${getApiUrl(apiUrl)}/id/${id}`, {
-    method: "DELETE"
-  });
+async function removeRoute(id, apiUrl, adminOrigin) {
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/id/${id}`,
+    {
+      method: "DELETE"
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok && res.status !== 404) {
-    console.error(`Failed to remove route ${id}`);
+    const text = await res.text();
+    const error = buildCaddyRequestError(`Failed to remove route ${id}`, res.status, text);
+    console.error(error.message);
     return false;
   }
   return true;
 }
-async function removeTlsPolicy(id, apiUrl) {
-  const res = await fetch(`${getApiUrl(apiUrl)}/id/${id}`, {
-    method: "DELETE"
-  });
+async function removeTlsPolicy(id, apiUrl, adminOrigin) {
+  const res = await caddyFetch(
+    `${getApiUrl(apiUrl)}/id/${id}`,
+    {
+      method: "DELETE"
+    },
+    apiUrl,
+    adminOrigin
+  );
   if (!res.ok && res.status !== 404) {
-    console.error(`Failed to remove TLS policy ${id}`);
+    const text = await res.text();
+    const error = buildCaddyRequestError(
+      `Failed to remove TLS policy ${id}`,
+      res.status,
+      text
+    );
+    console.error(error.message);
     return false;
   }
   return true;
 }
-async function ensureCaddyReady(serverName = DEFAULT_SERVER_NAME, apiUrl) {
+async function ensureCaddyReady(serverName = DEFAULT_SERVER_NAME, apiUrl, adminOrigin) {
   await withApiLock(apiUrl, async () => {
-    let running = await isCaddyRunning(apiUrl);
-    if (!running) {
-      running = await startCaddy(apiUrl);
+    const status = await checkCaddyAdminStatus(apiUrl, adminOrigin);
+    if (status.status === "api-error") {
+      throw status.error;
+    }
+    let running = status.status === "running";
+    if (status.status === "connectivity-error") {
+      running = await startCaddy(apiUrl, adminOrigin);
     }
     if (!running) {
       throw new Error("Failed to start Caddy server.");
     }
-    await ensureBaseConfig(serverName, apiUrl);
+    await ensureBaseConfig(serverName, apiUrl, adminOrigin);
   });
 }
 
@@ -474,6 +907,15 @@ function normalizeCaddyApiUrl(url) {
   if (!trimmed) return null;
   return trimmed.replace(/\/+$/g, "");
 }
+function normalizeCaddyAdminOrigin(origin) {
+  const trimmed = origin.trim();
+  if (!trimmed) return null;
+  try {
+    return new URL(trimmed).origin;
+  } catch (e) {
+    return null;
+  }
+}
 function resolveDomains(options) {
   if (options.domain) {
     return normalizeDomains(options.domain);
@@ -492,23 +934,100 @@ function viteCaddyTlsPlugin({
   cors,
   serverName,
   caddyApiUrl,
+  caddyAdminOrigin,
   internalTls,
   upstreamHostHeader
 } = {}) {
   const normalizedApiUrl = caddyApiUrl ? normalizeCaddyApiUrl(caddyApiUrl) : null;
   const pluginCaddyApiUrl = normalizedApiUrl ?? DEFAULT_CADDY_API_URL;
+  const normalizedAdminOrigin = caddyAdminOrigin ? normalizeCaddyAdminOrigin(caddyAdminOrigin) : null;
+  const pluginCaddyAdminOrigin = normalizedAdminOrigin ?? pluginCaddyApiUrl;
   if (caddyApiUrl !== void 0 && !normalizedApiUrl) {
     console.warn(
       `caddyApiUrl is empty after trimming. Falling back to ${DEFAULT_CADDY_API_URL}.`
     );
   }
-  function getInstanceKey(domains, configRoot) {
-    const keyMaterial = JSON.stringify({
-      domains: [...domains].sort(),
+  if (caddyAdminOrigin !== void 0 && !normalizedAdminOrigin) {
+    console.warn(
+      `caddyAdminOrigin is invalid. Falling back to ${pluginCaddyApiUrl}.`
+    );
+  }
+  function createOwnerId() {
+    return `${process.pid}-${Date.now().toString(36)}-${randomUUID().slice(0, 8)}`;
+  }
+  function createRouteOwnershipRecord(ownerId, domains, configRoot) {
+    const routeId = `vite-proxy-${ownerId}`;
+    const shouldUseInternalTls = internalTls ?? (baseDomain !== void 0 || loopbackDomain !== void 0 || domain !== void 0);
+    const now = Date.now();
+    return {
+      version: 1,
+      ownerId,
+      pid: process.pid,
       cwd: process.cwd(),
-      root: configRoot ?? null
-    });
-    return createHash2("sha1").update(keyMaterial).digest("hex").slice(0, 12);
+      configRoot: configRoot ?? null,
+      domains: [...domains],
+      routeId,
+      tlsPolicyId: shouldUseInternalTls ? `${routeId}-tls` : null,
+      serverName: serverName ?? "srv0",
+      caddyApiUrl: pluginCaddyApiUrl,
+      startedAt: now,
+      lastSeenAt: now
+    };
+  }
+  function buildOwnershipConflictMessage(domains, existingRecord) {
+    const ownerLocation = existingRecord.configRoot ?? existingRecord.cwd;
+    const domainLabel = domains.join(", ");
+    return [
+      `Cannot claim ${domainLabel}: another Vite server already owns ${domains.length > 1 ? "these domains" : "this domain"}.`,
+      `Existing owner pid ${existingRecord.pid} from ${ownerLocation}.`,
+      "Stop the other server first, or use `instanceLabel` or `domain` to make the hostname unique."
+    ].join(" ");
+  }
+  async function releaseOwnershipRecord(record) {
+    if (!record) return;
+    await releaseRouteOwnership(record);
+  }
+  async function releaseOwnershipRecords(records) {
+    await Promise.all(records.map((record) => releaseOwnershipRecord(record)));
+  }
+  async function cleanupClaimedResources(record, removeWithRetry) {
+    let cleaned = true;
+    if (record.tlsPolicyId) {
+      const tlsPolicyId = record.tlsPolicyId;
+      cleaned = await removeWithRetry(
+        () => removeTlsPolicy(
+          tlsPolicyId,
+          pluginCaddyApiUrl,
+          pluginCaddyAdminOrigin
+        ),
+        "TLS policy"
+      ) && cleaned;
+    }
+    cleaned = await removeWithRetry(
+      () => removeRoute(record.routeId, pluginCaddyApiUrl, pluginCaddyAdminOrigin),
+      "route"
+    ) && cleaned;
+    return cleaned;
+  }
+  async function cleanupManagedResources(routeIds, tlsPolicyIds, removeWithRetry) {
+    let cleaned = true;
+    for (const managedTlsPolicyId of tlsPolicyIds) {
+      cleaned = await removeWithRetry(
+        () => removeTlsPolicy(
+          managedTlsPolicyId,
+          pluginCaddyApiUrl,
+          pluginCaddyAdminOrigin
+        ),
+        `managed TLS policy ${managedTlsPolicyId}`
+      ) && cleaned;
+    }
+    for (const managedRouteId of routeIds) {
+      cleaned = await removeWithRetry(
+        () => removeRoute(managedRouteId, pluginCaddyApiUrl, pluginCaddyAdminOrigin),
+        `managed route ${managedRouteId}`
+      ) && cleaned;
+    }
+    return cleaned;
   }
   function isPreviewServer(server) {
     return server.config.isProduction;
@@ -541,13 +1060,16 @@ function viteCaddyTlsPlugin({
       instanceLabel
     });
     const domainArray = resolvedDomains ?? [];
-    const routeId = `vite-proxy-${getInstanceKey(domainArray, config.root)}`;
-    const shouldUseInternalTls = internalTls ?? (baseDomain !== void 0 || loopbackDomain !== void 0 || domain !== void 0);
-    const tlsPolicyId = shouldUseInternalTls ? `${routeId}-tls` : null;
+    const ownerId = createOwnerId();
+    const ownershipRecord = createRouteOwnershipRecord(ownerId, domainArray, config.root);
+    const routeId = ownershipRecord.routeId;
+    const tlsPolicyId = ownershipRecord.tlsPolicyId;
     let cleanupStarted = false;
     let resolvedPort = null;
     let resolvedHost = null;
     let setupStarted = false;
+    let activeOwnershipRecord = null;
+    let ownershipHeartbeat = null;
     function buildDomainResolutionMessage() {
       const issues = [];
       if (domain !== void 0 && !normalizeDomains(domain)) {
@@ -653,13 +1175,16 @@ function viteCaddyTlsPlugin({
     async function cleanupRoute() {
       if (cleanupStarted) return;
       cleanupStarted = true;
-      if (tlsPolicyId) {
-        await removeWithRetry(
-          () => removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl),
-          "TLS policy"
-        );
+      if (ownershipHeartbeat) {
+        clearInterval(ownershipHeartbeat);
+        ownershipHeartbeat = null;
+      }
+      if (!activeOwnershipRecord) return;
+      const cleaned = await cleanupClaimedResources(activeOwnershipRecord, removeWithRetry);
+      if (cleaned) {
+        await releaseOwnershipRecord(activeOwnershipRecord);
+        activeOwnershipRecord = null;
       }
-      await removeWithRetry(() => removeRoute(routeId, pluginCaddyApiUrl), "route");
     }
     function onServerClose() {
       void cleanupRoute();
@@ -699,12 +1224,31 @@ function viteCaddyTlsPlugin({
       console.error(`Failed to remove ${label} after ${maxAttempts} attempts.`);
       return false;
     }
+    function startOwnershipHeartbeat(record) {
+      ownershipHeartbeat = setInterval(() => {
+        void touchRouteOwnership(record).then((touched) => {
+          if (touched || !ownershipHeartbeat) {
+            return;
+          }
+          console.error(
+            `Lost route ownership for ${domainArray.join(", ")}. Cleaning up managed Caddy resources.`
+          );
+          void cleanupRoute();
+        }).catch((error) => {
+          console.error(
+            `Failed to refresh route ownership for ${domainArray.join(", ")}.`,
+            error
+          );
+        });
+      }, ROUTE_OWNERSHIP_HEARTBEAT_INTERVAL_MS);
+      ownershipHeartbeat.unref?.();
+    }
     async function setupRoute() {
       if (!validateCaddyIsInstalled()) {
         return;
       }
       try {
-        await ensureCaddyReady(serverName, pluginCaddyApiUrl);
+        await ensureCaddyReady(serverName, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
       } catch (e) {
         console.error(
           `Failed to configure Caddy base settings. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
@@ -714,23 +1258,85 @@ function viteCaddyTlsPlugin({
       }
       const port = getServerPort();
       const upstreamHost = getUpstreamHost();
-      await cleanupStaleRoutesForDomains(
+      let claimResult;
+      try {
+        claimResult = await claimRouteOwnership(ownershipRecord);
+      } catch (e) {
+        console.error("Failed to claim route ownership for the resolved domains.", e);
+        return;
+      }
+      if (claimResult.status === "active-conflict") {
+        console.error(
+          buildOwnershipConflictMessage(domainArray, claimResult.existingRecord)
+        );
+        return;
+      }
+      activeOwnershipRecord = claimResult.currentRecord;
+      if (claimResult.status === "reclaimed") {
+        let reclaimed = true;
+        for (const previousRecord of claimResult.previousRecords) {
+          reclaimed = await cleanupClaimedResources(previousRecord, removeWithRetry) && reclaimed;
+        }
+        if (!reclaimed) {
+          console.error(
+            `Failed to reclaim stale ownership for ${domainArray.join(", ")}. Try stopping the other server or removing stale Caddy state manually.`
+          );
+          await releaseOwnershipRecord(activeOwnershipRecord);
+          activeOwnershipRecord = null;
+          return;
+        }
+        await releaseOwnershipRecords(claimResult.previousRecords);
+      }
+      const conflictingRouteIds = (await findManagedRoutesForDomains(
         domainArray,
-        routeId,
         serverName,
-        pluginCaddyApiUrl
-      );
-      await removeRoute(routeId, pluginCaddyApiUrl);
+        pluginCaddyApiUrl,
+        pluginCaddyAdminOrigin
+      )).filter((existingRouteId) => {
+        return existingRouteId !== routeId;
+      });
+      const conflictingTlsPolicyIds = (await findManagedTlsPoliciesForDomains(
+        domainArray,
+        pluginCaddyApiUrl,
+        pluginCaddyAdminOrigin
+      )).filter((existingTlsPolicyId) => {
+        return existingTlsPolicyId !== tlsPolicyId;
+      });
+      if (conflictingRouteIds.length > 0 || conflictingTlsPolicyIds.length > 0) {
+        const reclaimedOrphans = await cleanupManagedResources(
+          conflictingRouteIds,
+          conflictingTlsPolicyIds,
+          removeWithRetry
+        );
+        if (reclaimedOrphans) {
+          console.warn(
+            `Reclaimed orphaned managed Caddy resources for ${domainArray.join(", ")}.`
+          );
+        } else {
+          console.error(
+            `Cannot claim ${domainArray.join(", ")} because Caddy still has orphaned managed resources. Remove the stale Caddy state or use \`instanceLabel\` or \`domain\` to make the hostname unique.`
+          );
+          await releaseOwnershipRecord(activeOwnershipRecord);
+          activeOwnershipRecord = null;
+          return;
+        }
+      }
       if (tlsPolicyId) {
-        await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl);
         try {
-          await addTlsPolicy(tlsPolicyId, domainArray, pluginCaddyApiUrl);
+          await addTlsPolicy(
+            tlsPolicyId,
+            domainArray,
+            pluginCaddyApiUrl,
+            pluginCaddyAdminOrigin
+          );
           tlsPolicyAdded = true;
         } catch (e) {
           console.error(
             `Failed to add TLS policy to Caddy. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
             e
           );
+          await releaseOwnershipRecord(activeOwnershipRecord);
+          activeOwnershipRecord = null;
           return;
         }
       }
@@ -743,18 +1349,24 @@ function viteCaddyTlsPlugin({
           serverName,
           upstreamHost,
           upstreamHostHeader,
-          pluginCaddyApiUrl
+          pluginCaddyApiUrl,
+          pluginCaddyAdminOrigin
         );
       } catch (e) {
         if (tlsPolicyAdded && tlsPolicyId) {
-          await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl);
+          await removeTlsPolicy(tlsPolicyId, pluginCaddyApiUrl, pluginCaddyAdminOrigin);
         }
+        await releaseOwnershipRecord(activeOwnershipRecord);
+        activeOwnershipRecord = null;
         console.error(
           `Failed to add route to Caddy. Is the Caddy Admin API reachable at ${pluginCaddyApiUrl}?`,
           e
         );
         return;
       }
+      if (activeOwnershipRecord) {
+        startOwnershipHeartbeat(activeOwnershipRecord);
+      }
       console.log("\n\u{1F512} Caddy is proxying your traffic on https");
       console.log(`
 \u27A1\uFE0F Upstream target: http://${formatUpstreamTarget(upstreamHost, port)}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite-plugin-caddy-multiple-tls",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "Vite plugin that uses Caddy to provide local HTTPS with derived domains.",
   "keywords": [
     "vite",
@@ -47,14 +47,14 @@
   },
   "homepage": "https://github.com/vampaz/vite-plugin-caddy-multiple-tls/#readme",
   "peerDependencies": {
-    "vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0"
+    "vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",
     "@types/node": "^25.0.3",
     "fs-extra": "^11.3.3",
     "tsup": "^8.5.1",
-    "vite": "^7.3.0",
+    "vite": "^8.0.0",
     "vitest": "^4.0.16"
   }
 }