changed port 3001 to 3000

The dashboard overview counted all proxy hosts without a cert as ACME
certs, ignoring wildcard deduplication. The certificates page only
deduplicated the current page of results (25 rows) but used a full
count(*) for the total, so hosts on other pages covered by wildcards
were never subtracted.

Now both pages fetch all ACME hosts, apply full deduplication (cert
wildcard coverage + ACME wildcard collapsing), then paginate/count
from the deduplicated result.

Also fixes a strict-mode violation in the E2E test where DataTable's
dual mobile/desktop rendering caused getByText to match two elements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/dependabot-automerge.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: Fetch Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@v3
 
       - name: Auto-approve the PR
         run: gh pr review --approve "$PR_URL"

README.md

@@ -38,7 +38,7 @@ Data persists in Docker volumes (caddy-manager-data, caddy-data, caddy-config, c
 - **L4 Proxy Hosts** - TCP/UDP stream proxying with TLS SNI matching, proxy protocol (v1/v2), load balancing, health checks, and per-host geo blocking. Automatic Docker Compose port management via sidecar
 - **Location Rules** - Path-based routing to different upstreams per proxy host (e.g. `/api/*` to one backend, `/ws/*` to another)
 - **Redirect & Rewrite** - Per-host redirect rules (301/302/307/308) and path prefix rewriting
-- **Forward Auth Portal** - Built-in identity provider for protecting proxy hosts without an external IdP. Credential and OAuth login portal, user groups with membership management, and per-host access control by user or group
+- **Forward Auth Portal** - Built-in identity provider for protecting proxy hosts without an external IdP. Credential and OAuth login portal, user groups with membership management, per-host access control by user or group, and excluded paths that bypass authentication
 - **WAF** - Web Application Firewall powered by Coraza with optional OWASP Core Rule Set (SQLi, XSS, LFI, RCE). Per-host enable/disable, global and per-host rule suppression, custom SecLang directives, and a searchable event log with severity and blocked/detected classification
 - **Analytics** - Live traffic charts, protocol breakdown, country map, top user agents, and blocked request log with configurable time ranges
 - **Geo Blocking** - Block or allow traffic by country, continent, ASN, CIDR range, or exact IP per proxy host. Allow rules override block rules. Fail-closed mode, custom response codes/bodies, and trusted proxy support
@@ -55,7 +55,8 @@ Data persists in Docker volumes (caddy-manager-data, caddy-data, caddy-config, c
 - **API Tokens** - Create and manage API tokens with optional expiration for programmatic access
 - **Instance Sync** - Master/slave configuration sync for multi-instance deployments. The master pushes proxy hosts, certificates, access lists, and settings to slaves on every change
 - **OAuth / SSO** - OAuth2/OIDC authentication with any compliant provider (Authentik, Keycloak, Auth0, etc.). Account linking from the Profile page
-- **Settings** - ACME email, Cloudflare DNS-01, upstream DNS pinning defaults, Authentik outpost, Prometheus metrics, logging format
+- **DNS Providers** - Multi-provider DNS-01 challenge support for ACME certificates: Cloudflare, Route 53, DigitalOcean, Duck DNS, Hetzner, Vultr, Porkbun, GoDaddy, Namecheap, OVH, IONOS, and Linode. Credentials encrypted at rest. Per-certificate provider override supported
+- **Settings** - ACME email, DNS provider configuration, upstream DNS pinning defaults, Authentik outpost, Prometheus metrics, logging format
 - **Audit Log** - Searchable configuration change history with user attribution and pagination
 - **Search & Pagination** - Server-side search and pagination on all data tables
 - **Dark Mode** - Full dark/light theme support with system preference detection
@@ -158,7 +159,7 @@ New users default to the **user** role. The initial admin account is created fro
 
 Caddy automatically obtains Let's Encrypt certificates for all proxy hosts.
 
-**Cloudflare DNS-01** (optional): Configure in Settings with a Cloudflare API token (`Zone.DNS:Edit` permissions).
+**DNS-01 Challenge** (optional): Configure a DNS provider in **Settings → DNS Providers** for wildcard certificates and environments where ports 80/443 are not public. Supported providers: Cloudflare, Route 53, DigitalOcean, Duck DNS, Hetzner, Vultr, Porkbun, GoDaddy, Namecheap, OVH, IONOS, and Linode. Credentials are encrypted at rest with AES-256-GCM. You can override the DNS provider per certificate.
 
 **Custom Certificates** (optional): Import your own certificates via the Certificates page. Private keys are stored unencrypted in SQLite.
 
@@ -325,8 +326,6 @@ Each forward-auth-protected host has its own access list of allowed users and/or
 
 ## Roadmap
 
-- [ ] Additional DNS providers (Route53, Namecheap, etc.)
-
 [Open an issue](https://github.com/fuomag9/caddy-proxy-manager/issues) for feature requests.
 
 ---

app/(dashboard)/certificates/page.tsx

@@ -7,6 +7,7 @@ import CertificatesClient from './CertificatesClient';
 import { listCaCertificates, type CaCertificate } from '@/src/lib/models/ca-certificates';
 import { listIssuedClientCertificates, type IssuedClientCertificate } from '@/src/lib/models/issued-client-certificates';
 import { listMtlsRoles, type MtlsRole } from '@/src/lib/models/mtls-roles';
+import { isDomainCoveredByCert } from '@/src/lib/cert-domain-match';
 
 export type { CaCertificate };
 export type { IssuedClientCertificate };
@@ -78,6 +79,7 @@ function getExpiryStatus(validToIso: string): CertExpiryStatus {
   return 'ok';
 }
 
+
 export default async function CertificatesPage({ searchParams }: PageProps) {
   await requireAdmin();
   const { page: pageParam } = await searchParams;
@@ -89,7 +91,7 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
   ]);
   const mtlsRoles = await listMtlsRoles().catch(() => []);
 
-  const [acmeRows, acmeTotal, certRows, usageRows] = await Promise.all([
+  const [allAcmeRows, certRows, usageRows] = await Promise.all([
     db
       .select({
         id: proxyHosts.id,
@@ -100,14 +102,7 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
       })
       .from(proxyHosts)
       .where(isNull(proxyHosts.certificateId))
-      .orderBy(proxyHosts.name)
+      .orderBy(proxyHosts.name),
-      .limit(PER_PAGE)
-      .offset(offset),
-    db
-      .select({ value: count() })
-      .from(proxyHosts)
-      .where(isNull(proxyHosts.certificateId))
-      .then(([r]) => r?.value ?? 0),
     db.select().from(certificates),
     db
       .select({
@@ -120,7 +115,7 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
       .where(isNotNull(proxyHosts.certificateId)),
   ]);
 
-  const acmeHosts: AcmeHost[] = acmeRows.map(r => ({
+  const allAcmeHosts: AcmeHost[] = allAcmeRows.map(r => ({
     id: r.id,
     name: r.name,
     domains: JSON.parse(r.domains) as string[],
@@ -140,6 +135,66 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
     usageMap.set(u.certId, hosts);
   }
 
+  // Build a map of cert ID -> its domain list (including wildcard entries)
+  const certDomainMap = new Map<number, string[]>();
+  for (const cert of certRows) {
+    const domainNames = JSON.parse(cert.domainNames) as string[];
+    // For imported certs, also check PEM SANs which may include wildcards
+    if (cert.type === 'imported' && cert.certificatePem) {
+      const pemInfo = parsePemInfo(cert.certificatePem);
+      if (pemInfo?.sanDomains.length) {
+        certDomainMap.set(cert.id, pemInfo.sanDomains);
+        continue;
+      }
+    }
+    certDomainMap.set(cert.id, domainNames);
+  }
+
+  // Filter out ACME hosts whose domains are fully covered by an existing certificate's wildcard,
+  // and attribute them to that certificate's usedBy list instead.
+  const filteredAcmeHosts: AcmeHost[] = [];
+  for (const host of allAcmeHosts) {
+    let coveredByCertId: number | null = null;
+    for (const [certId, certDomains] of certDomainMap) {
+      if (host.domains.every(d => isDomainCoveredByCert(d, certDomains))) {
+        coveredByCertId = certId;
+        break;
+      }
+    }
+    if (coveredByCertId !== null) {
+      // Move this host to the cert's usedBy list
+      const hosts = usageMap.get(coveredByCertId) ?? [];
+      hosts.push({ id: host.id, name: host.name, domains: host.domains });
+      usageMap.set(coveredByCertId, hosts);
+    } else {
+      filteredAcmeHosts.push(host);
+    }
+  }
+
+  // Among ACME auto-managed hosts, collapse subdomain hosts under wildcard hosts.
+  // e.g. if *.domain.de is an ACME host, sub.domain.de should not appear separately.
+  const wildcardAcmeHosts = filteredAcmeHosts.filter(h => h.domains.some(d => d.startsWith('*.')));
+  const wildcardDomainSets = wildcardAcmeHosts.map(h => h.domains);
+  const deduplicatedAcmeHosts: AcmeHost[] = [];
+  for (const host of filteredAcmeHosts) {
+    // Never collapse a host that itself has a wildcard domain
+    if (host.domains.some(d => d.startsWith('*.'))) {
+      deduplicatedAcmeHosts.push(host);
+      continue;
+    }
+    // Check if all of this host's domains are covered by any wildcard ACME host
+    const coveredByWildcard = wildcardDomainSets.some(wcDomains =>
+      host.domains.every(d => isDomainCoveredByCert(d, wcDomains))
+    );
+    if (!coveredByWildcard) {
+      deduplicatedAcmeHosts.push(host);
+    }
+  }
+
+  // Paginate the deduplicated ACME hosts
+  const adjustedAcmeTotal = deduplicatedAcmeHosts.length;
+  const paginatedAcmeHosts = deduplicatedAcmeHosts.slice(offset, offset + PER_PAGE);
+
   const importedCerts: ImportedCertView[] = [];
   const managedCerts: ManagedCertView[] = [];
   const issuedByCa = issuedClientCerts.reduce<Map<number, IssuedClientCertificate[]>>((map, cert) => {
@@ -174,11 +229,11 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
 
   return (
     <CertificatesClient
-      acmeHosts={acmeHosts}
+      acmeHosts={paginatedAcmeHosts}
       importedCerts={importedCerts}
       managedCerts={managedCerts}
       caCertificates={caCertificateViews}
-      acmePagination={{ total: acmeTotal, page, perPage: PER_PAGE }}
+      acmePagination={{ total: adjustedAcmeTotal, page, perPage: PER_PAGE }}
       mtlsRoles={mtlsRoles}
       issuedClientCerts={issuedClientCerts}
     />

app/(dashboard)/page.tsx

@@ -11,6 +11,7 @@ import { count, desc, isNull, sql } from "drizzle-orm";
 import { ArrowLeftRight, ShieldCheck, KeyRound } from "lucide-react";
 import { ReactNode } from "react";
 import { getAnalyticsSummary } from "@/src/lib/analytics-db";
+import { isDomainCoveredByCert } from "@/src/lib/cert-domain-match";
 
 type StatCard = {
   label: string;
@@ -20,19 +21,51 @@ type StatCard = {
 };
 
 async function loadStats(): Promise<StatCard[]> {
-  const [proxyHostCountResult, acmeCertCountResult, importedCertCountResult, accessListCountResult] =
+  const [proxyHostCountResult, acmeRows, certRows, importedCertCountResult, accessListCountResult] =
     await Promise.all([
       db.select({ value: count() }).from(proxyHosts),
-      // Proxy hosts with no explicit cert → Caddy auto-issues one ACME cert per host
+      // All proxy hosts with no explicit cert (for ACME deduplication)
-      db.select({ value: count() }).from(proxyHosts).where(isNull(proxyHosts.certificateId)),
+      db.select({ domains: proxyHosts.domains }).from(proxyHosts).where(isNull(proxyHosts.certificateId)),
+      // All certs (for wildcard coverage check)
+      db.select({ id: certificates.id, type: certificates.type, domainNames: certificates.domainNames, certificatePem: certificates.certificatePem }).from(certificates),
       // Imported certs with actual PEM data (valid, user-managed)
       db.select({ value: count() }).from(certificates).where(
         sql`${certificates.type} = 'imported' AND ${certificates.certificatePem} IS NOT NULL`
       ),
       db.select({ value: count() }).from(accessLists)
     ]);
+
+  // Build cert domain map for wildcard coverage checks
+  const certDomainMap = new Map<number, string[]>();
+  for (const cert of certRows) {
+    certDomainMap.set(cert.id, JSON.parse(cert.domainNames) as string[]);
+  }
+
+  // Deduplicate ACME hosts: remove those covered by a cert's wildcard or another ACME wildcard
+  const acmeHostDomains = acmeRows.map(r => JSON.parse(r.domains) as string[]);
+  const wildcardAcmeDomainSets = acmeHostDomains.filter(domains => domains.some((d: string) => d.startsWith('*.')));
+
+  let acmeCount = 0;
+  for (const domains of acmeHostDomains) {
+    // Check if covered by an existing certificate's wildcard
+    let covered = false;
+    for (const [, certDomains] of certDomainMap) {
+      if (domains.every((d: string) => isDomainCoveredByCert(d, certDomains))) {
+        covered = true;
+        break;
+      }
+    }
+    // Check if this non-wildcard host is covered by a wildcard ACME host
+    if (!covered && !domains.some((d: string) => d.startsWith('*.'))) {
+      covered = wildcardAcmeDomainSets.some(wcDomains =>
+        domains.every((d: string) => isDomainCoveredByCert(d, wcDomains))
+      );
+    }
+    if (!covered) acmeCount++;
+  }
+
   const proxyHostsCount = proxyHostCountResult[0]?.value ?? 0;
-  const certificatesCount = (acmeCertCountResult[0]?.value ?? 0) + (importedCertCountResult[0]?.value ?? 0);
+  const certificatesCount = acmeCount + (importedCertCountResult[0]?.value ?? 0);
   const accessListsCount = accessListCountResult[0]?.value ?? 0;
 
   return [

app/api/auth/logout/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getAuth } from "@/src/lib/auth-server";
 import { checkSameOrigin } from "@/src/lib/auth";
+import { config } from "@/src/lib/config";
 import { headers } from "next/headers";
 
 export const dynamic = "force-dynamic";
@@ -10,5 +11,5 @@ export async function POST(request: NextRequest) {
   if (originCheck) return originCheck;
 
   await getAuth().api.signOut({ headers: await headers() });
-  return NextResponse.redirect(new URL("/login", request.url));
+  return NextResponse.redirect(new URL("/login", config.baseUrl));
 }