`anubis`: Redirect domain not allowed

TornaxO7 · January 20, 2026, 5:12am

I have the following config:

{ config, root-domain, ... }:
let
  port = 49191;
  domain = "anubis.${root-domain}";
in
{
  services = {
    anubis = {
      defaultOptions = {
        settings = {
          DIFFICULTY = 6;
        };

        botPolicy = {
          bots = [
            { import = "(data)/meta/default-config.yaml"; }
          ];

          dnsbl = false;

          openGraph.enabled = false;

          status_codes = {
            CHALLENGE = 403;
            DENY = 403;
          };

          store.backend = "memory";

          thresholds = [
            # {
            #   name = "no-suspicion";
            #   expression = "weight <= 0";
            #   action = "ALLOW";
            # }
            {
              name = "mild-suspicion";
              expression.all = [
                # "weight >= 0"
                "weight < 10"
              ];
              action = "CHALLENGE";
              challenge = {
                algorithm = "fast";
                difficulty = 1;
              };
            }
            {
              name = "moderate-suspicion";
              expression.all = [
                "weight >= 10"
                "weight < 20"
              ];
              action = "CHALLENGE";
              challenge = {
                # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
                algorithm = "fast";
                difficulty = 2;
              };
            }
            {
              name = "mild-proof-of-work";
              expression.all = [
                "weight >= 20"
                "weight < 30"
              ];
              action = "CHALLENGE";
              challenge = {
                algorithm = "fast";
                difficulty = 4;
              };
            }
            {
              name = "extreme-suspicion";
              expression = "weight >= 30";
              action = "CHALLENGE";
              challenge = {
                algorithm = "fast";
                difficulty = 6;
              };
            }
          ];
        };
      };

      instances = {
        main = {
          enable = true;
          settings = {
            TARGET = " ";
            REDIRECT_DOMAINS = "*.${root-domain}";
            PUBLIC_URL = "https://${domain}";
            COOKIE_DOMAIN = root-domain;

            BIND_NETWORK = "tcp";
            BIND = "127.0.0.1:${builtins.toString port}";
          };
        };
      };
    };

    traefik = {
      staticConfigOptions.entryPoints.https.http.middlewares = "anubis@file";

      dynamicConfigOptions.http =
        let
          main = config.services.anubis.instances.main;

          anubis-url = "http://${main.settings.BIND}/.within.website/x/cmd/anubis/api/check";
        in
        {
          middlewares.anubis.forwardAuth.address = "${anubis-url}";

          routers.anubis = {
            rule = "Host(`${domain}`)";
            service = "anubis";
            middlewares = "";
          };

          services.anubis.loadbalancer.servers =
            [
              {
                url = "http://${main.settings.BIND}";
              }
            ];
        };
    };
  };
}

But if I try to open my website, I’m getting Redirect domain not allowed. but I have REDIRECT_DOMAINS set to *.${root-domain} as you can see above.
What am I doing wrong?

eblechschmidt · January 20, 2026, 6:49am

The manual said that it needs to be a comma separated list of domains: Making sure you're not a bot!. I guess it does not allow wildcards.

TornaxO7 · January 20, 2026, 8:13am

According to Configuring allowed redirect domains I though you are able to use wildcards:

There is also glob matching support. You can pass *.bugs.techaro.lol to allow redirecting to anything ending with .bugs.techaro.lol. There is a limit of 4 wildcards.