Skip to content

feat(settings): add wildcard domain restriction#108

Merged
AminDhouib merged 4 commits into
canaryfrom
port/upr-4259
Jul 16, 2026
Merged

feat(settings): add wildcard domain restriction#108
AminDhouib merged 4 commits into
canaryfrom
port/upr-4259

Conversation

@AminDhouib

Copy link
Copy Markdown
Member

Summary

Adds an optional server-level domain restriction. When enabled, admins define allowed wildcard patterns and new application/compose domains must match one of them.

  • Schema (packages/server/src/db/schema/web-server-settings.ts): new domainRestrictionConfig jsonb column ({ enabled, allowedWildcards }, default disabled) + domainRestrictionConfigSchema validation (patterns must start with *. or **.).
  • Matching (packages/server/src/utils/wildcard-restriction.ts, new): matchesWildcardPattern supports single-level (*.example.com) and multi-level (**.example.com) wildcards plus exact match; validateDomainRestriction reads the config and validates a host.
  • Enforcement (services/domain.ts) on domain create/update.
  • Router (settings.ts): updateDomainRestriction admin mutation + config getter.
  • UI: settings toggle + pattern editor (domain-restriction.tsx), and a subdomain + base-domain picker in the domain form when restriction is enabled (handle-domain.tsx).

Ports Dokploy#4259 by @TuroYT

Adaptations

  • Completed the upstream PR: its settings.ts imports and uses apiUpdateDomainRestriction, but the PR never defines it. Added export const apiUpdateDomainRestriction = z.object({ domainRestrictionConfig: domainRestrictionConfigSchema }) (matches the { domainRestrictionConfig } shape the UI sends).
  • Fixed dead code: matchesWildcardPattern had an empty exact-match branch followed by unreachable duplicate **. / exact-match else-ifs (biome noDuplicateElseIf); collapsed to a single correct exact-match branch.
  • Preserved the fork's sslip.io generated-domain branding (upstream is based on traefik.me); kept the fork's <TabsList variant="line"> and schema columns (remoteServersOnly, buildsConcurrency, enforceSSO) alongside the new one.

Merge-order note

Carries drizzle migration 0179. Merge after fork #11/#12 (which hold 0175/0176) and after the sibling PR holding slot 0178 (Dokploy#4141, ECR). Sibling migration PRs conflict only trivially in apps/dokploy/drizzle/meta/_journal.json — keep both entries, idx-ordered.

Verification

  • pnpm --filter=dokploy run typecheck passes.
  • vitest run __test__/traefik/server/update-server-config.test.ts: 5 passed.
  • biome check clean on all changed files.

Ports Dokploy#4259 by @TuroYT. Adds an optional server-level domain
restriction: admins define allowed wildcard patterns (*.example.com or
**.example.com) in web-server settings, and new application/compose domains
are validated against them. Adds the domainRestrictionConfig jsonb column
(drizzle migration 0179), a subdomain + base-domain picker in the domain
form when restriction is enabled, and the settings UI.

Completes the upstream PR, which referenced apiUpdateDomainRestriction from
the settings router without defining it; added it as a thin wrapper around
domainRestrictionConfigSchema. Also removed dead/unreachable duplicate
else-if branches in matchesWildcardPattern. The fork's sslip.io generated
domains are preserved (upstream is based on traefik.me).

Co-authored-by: Romain PINSOLLE <romain.pins@gmail.com>
# Conflicts:
#	apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
#	apps/dokploy/drizzle/meta/_journal.json
#	packages/server/src/index.ts
@AminDhouib
AminDhouib merged commit 7897023 into canary Jul 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant