fix(nginx-proxy): Correct wildcard htpasswd lookup for 3-part domains

Fix bug where blog.example.com incorrectly checked for
_wildcard.blog.example.com instead of _wildcard.example.com.
Changes:
- 4+ part domains: check 3-part wildcard first, then 2-part fallback
- 2-3 part domains: check 2-part wildcard directly
- Fixed template formatting to match original style
- Updated README with corrected lookup table

Author: mrrobot47

nginx-proxy/README.md

@@ -48,8 +48,8 @@ This file will apply HTTP auth to:
 The template checks for htpasswd files in this order:
 
 1. **Exact match**: `/etc/nginx/htpasswd/blog.domain.com`
-2. **Wildcard (3 parts)**: `/etc/nginx/htpasswd/_wildcard.domain.com` (for multi-level TLD support)
-3. **Wildcard (2 parts)**: `/etc/nginx/htpasswd/_wildcard.com` (fallback)
+2. **Wildcard (3 parts)**: `/etc/nginx/htpasswd/_wildcard.domain.co.in` (for 4+ part domains only)
+3. **Wildcard (2 parts)**: `/etc/nginx/htpasswd/_wildcard.example.com` (for 2-3 part domains, or fallback)
 4. **Default**: `/etc/nginx/htpasswd/default`
 
 #### Example Setup
@@ -58,19 +58,25 @@ The template checks for htpasswd files in this order:
 # Create wildcard htpasswd for WordPress multisite
 htpasswd -c /etc/nginx/htpasswd/_wildcard.example.com admin
 
+# This protects: example.com, blog.example.com, shop.example.com, etc.
+
 # Optional: Override for a specific subdomain
 htpasswd -c /etc/nginx/htpasswd/api.example.com api_user
 ```
 
 #### Multi-level TLDs
 
-Multi-level TLDs (e.g., `.co.in`, `.com.au`) are fully supported. The template checks progressively:
+Multi-level TLDs (e.g., `.co.in`, `.com.au`) are fully supported:
 
-1. **Last 3 parts first**: `_wildcard.domain.co.in` for `blog.domain.co.in`
-2. **Then last 2 parts**: `_wildcard.co.in` as fallback
+| Host | Wildcard File Checked |
+|------|----------------------|
+| `blog.domain.co.in` (4 parts) | `_wildcard.domain.co.in` first, then `_wildcard.co.in` |
+| `domain.co.in` (3 parts) | `_wildcard.co.in` |
+| `blog.example.com` (3 parts) | `_wildcard.example.com` |
+| `example.com` (2 parts) | `_wildcard.example.com` |
 
 ```bash
-# For domain.co.in multisite
+# For domain.co.in multisite (multi-level TLD)
 htpasswd -c /etc/nginx/htpasswd/_wildcard.domain.co.in admin
 
 # This will protect:

nginx-proxy/nginx.tmpl

@@ -67,17 +67,17 @@
 		Supports multi-level TLDs: _wildcard.domain.co.in works for domain.co.in AND *.domain.co.in
 
 		Lookup order (after exact match check on line 56):
-		- For 3+ part domains: checks _wildcard.{last-3-parts}, then falls back to default
-		- For 2-part domains: checks _wildcard.{domain}, then falls back to default
+		- For 4+ part domains: checks _wildcard.{last-3-parts}, then _wildcard.{last-2-parts}, then default
+		- For 2-3 part domains: checks _wildcard.{last-2-parts}, then falls back to default
 		- For single-part hostnames: uses default only
 
 		Note: Uses sprig's splitList and sub functions (available in docker-gen 0.7.4+)
 	*/}}
 	{{ else }}
 		{{ $hostParts := splitList "." .Host }}
 		{{ $partsLen := len $hostParts }}
-		{{/* Check last 3 parts first (e.g., domain.co.in for blog.domain.co.in) */}}
-		{{ if ge $partsLen 3 }}
+		{{/* For 4+ part domains, check last 3 parts first (e.g., _wildcard.domain.co.in for blog.domain.co.in) */}}
+		{{ if ge $partsLen 4 }}
 			{{ $idx3 := sub $partsLen 3 }}
 			{{ $idx2 := sub $partsLen 2 }}
 			{{ $idx1 := sub $partsLen 1 }}
@@ -91,17 +91,30 @@
 				{{ else if (exists "/etc/nginx/vhost.d/default_acl") }}
 					include /etc/nginx/vhost.d/default_acl;
 				{{ end }}
-			{{ else if (exists "/etc/nginx/htpasswd/default") }}
-				auth_basic      "Restricted {{ .Host }}";
-				auth_basic_user_file    /etc/nginx/htpasswd/default;
-				{{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }}
-					include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}};
-				{{ else if (exists "/etc/nginx/vhost.d/default_acl") }}
-					include /etc/nginx/vhost.d/default_acl;
+			{{ else }}
+				{{/* Fallback: check last 2 parts (e.g., _wildcard.co.in for blog.domain.co.in) */}}
+				{{ $baseDomain2 := printf "%s.%s" (index $hostParts $idx2) (index $hostParts $idx1) }}
+				{{ $wildcardHtpasswd2 := printf "/etc/nginx/htpasswd/_wildcard.%s" $baseDomain2 }}
+				{{ if (exists $wildcardHtpasswd2) }}
+					auth_basic      "Restricted {{ .Host }}";
+					auth_basic_user_file    {{ ($wildcardHtpasswd2) }};
+					{{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }}
+						include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}};
+					{{ else if (exists "/etc/nginx/vhost.d/default_acl") }}
+						include /etc/nginx/vhost.d/default_acl;
+					{{ end }}
+				{{ else if (exists "/etc/nginx/htpasswd/default") }}
+					auth_basic      "Restricted {{ .Host }}";
+					auth_basic_user_file    /etc/nginx/htpasswd/default;
+					{{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }}
+						include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}};
+					{{ else if (exists "/etc/nginx/vhost.d/default_acl") }}
+						include /etc/nginx/vhost.d/default_acl;
+					{{ end }}
 				{{ end }}
 			{{ end }}
 		{{ else if ge $partsLen 2 }}
-			{{/* Only 2 parts (e.g., domain.com) - check wildcard directly */}}
+			{{/* For 2-3 part domains, check last 2 parts (e.g., _wildcard.example.com for blog.example.com or example.com) */}}
 			{{ $idx2 := sub $partsLen 2 }}
 			{{ $idx1 := sub $partsLen 1 }}
 			{{ $baseDomain2 := printf "%s.%s" (index $hostParts $idx2) (index $hostParts $idx1) }}