3 servers load balanced with HTTPS

I want to use 3 servers load balanced to serve a domain having a static site (only html, css and javascript):

  • Server A
  • Server B
  • Server C

(*) They’ll be clones of each other (content as well as specs). Servers will be CentOS 7.3.

What would be the easiest way to set it up and also be able to use HTTPS?

Can http.proxy handle it correctly out-of-the-box?

Would I have to do something manually (like possibly handle certificates or it could be handled by Caddy’s load balancing features)?

I didn’t find an answer in the forum and the docs here are a bit vague: https://caddyserver.com/docs/proxy

Hi @magikstm, I’d say the easiest way to do that would be to have a fourth server running Caddy, terminating SSL and load balancing your domain to your three upstream servers.

http.proxy can indeed handle this kind of setup out of the box, with minimal configuration.

You can handle certificates manually if you like, but the load-balancing Caddy can manage your certificates automatically with no problem. If you don’t want to use Caddy as a load-balancer (maybe you’re using round-robin DNS?), there are options you can look into for the three upstream Caddy servers to each requisition and manage their own certificates, but that might get complicated.

Are you able to elaborate on which part of the documentation was vague? We’d love to improve it if possible. Was there a particular question you couldn’t find an answer for or feature that wasn’t clear?

I’ve found the Examples section to be a good resource for someone looking for a practical application of the capabilities of the proxy middleware.

https://caddyserver.com/docs/proxy#examples

1 Like
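As an added illustration of the layout suggested above (a fourth Caddy terminating TLS in front of three plain-HTTP clones), here is a Caddyfile pair written for this thread; it is not configuration from the original posts. It uses the Caddy v1 `proxy` directive and its documented subdirectives (`policy`, `max_fails`, `fail_timeout`, `health_check`, `health_check_interval`, `transparent`); the domain, email and 10.0.0.x upstream addresses are placeholders.

```caddyfile
# --- Caddyfile on the fourth server (the load balancer) ---
# Terminates HTTPS for the public domain and forwards plain HTTP to the
# three clones. Caddy obtains and renews the certificate itself because the
# site address has no scheme and port 80/443 reach this server.
example.com {
    # Contact address for automatic certificate issuance (placeholder).
    tls admin@example.com

    # Upstream addresses are assumed; keep them on a private network so the
    # unencrypted hop between the balancer and the clones never leaves it.
    proxy / http://10.0.0.11:80 http://10.0.0.12:80 http://10.0.0.13:80 {
        policy round_robin
        # Pull a clone out of rotation for 30s after 3 failed requests.
        max_fails 3
        fail_timeout 30s
        # Actively fetch / from each clone; a non-2xx answer marks it down.
        health_check /
        health_check_interval 10s
        # Forward the original Host header and the client IP
        # (X-Real-IP / X-Forwarded-For / X-Forwarded-Proto).
        transparent
    }
}

# --- Caddyfile on each of the three clones (Server A, B, C) ---
# The explicit http:// scheme in the site address turns automatic HTTPS off
# on the clone; it only serves the static files to the balancer. Binding to
# the private address keeps the plain-HTTP listener off the public interface.
http://10.0.0.11:80 {
    root /var/www/site
    gzip
}
```

Only the balancer holds the certificate and private key, so the clones never need ACME access or key material; the trade-off is that the balancer is a single point of failure and the balancer-to-clone hop is unencrypted, which is why the upstreams are addressed on a private network here.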

Thanks a lot @Whitestrake.

I’ll reevaluate my setup and will test it soon.

The site is currently hosted on a single dedicated server and I want to add more redundancy to it and possibly https (it doesn’t use it at the moment).

On this page: https://caddyserver.com/docs/proxy

I would suggest adding:

  1. More details on how https is handled on a load-balanced setup (possibly a subsection under “Policies”)
  2. I reread this part 2-3 times and had a hard time figuring what the word “scheme” meant:
    to is the destination endpoint to proxy to. At least one is required, but multiple may be specified. If a scheme (http/https/quic) is not specified, http is used. Unix sockets may also be used by prefixing "unix:". QUIC connections are experimental, but to try it, just use "quic://" for the scheme.
    It may be because English isn’t my first language. I think using “protocol” and/or possibly rewriting these a bit would make it easier to understand on a first read.

For 2, I would maybe rewrite as such:

to is the destination endpoint to proxy to. At least one is required, but multiple may be specified. A protocol or scheme as well as a port range may be specified.
Possible protocol or scheme: http://, https://, quic:// or unix: (http is default) (unix is for unix sockets)
QUIC connections are experimental.

Scheme is just the technical term for that part of the URL. scheme://user:pass@host:port/path?query#fragment - did I get it right? :sweat_smile:

I’m not sure “Policies” is the right place - strictly speaking, HTTPS is terminated by Caddy, so the load-balancing policy used or whether it’s load-balancing at all has no bearing on how Caddy handles HTTPS between itself and the connecting client.

The client talks HTTPS to Caddy, then Caddy talks [whatever] to the upstream server. If you want to talk HTTPS to the upstream, you designate https://upstream.example.com, and your upstream has to have its own TLS implemented as a matter of its own responsibility.

To be unambiguous, the word “scheme” in the context of a URI is defined by RFC 3986 section 3.1.

The scheme may or may not also be the name of a protocol, so it’s not particularly correct to say. To quote the RFC:

[…] the URI syntax is a federated and extensible naming system wherein each scheme’s specification may further restrict the syntax and semantics of identifiers using that scheme.

Here’s another good overview of URI syntax:

Thanks for this info.

To be unambiguous, the word “scheme” in the context of a URI is defined by RFC 3986 section 3.1.

Thanks for these. I didn’t know that definition of “scheme”.

I’ll rework my caddyfiles on my 3 test servers and I’ll do further testing to finalize my setup.

You could probably get 3 independent servers working if you set them up to do a DNS challenge instead of HTTP.

2 Likes

Awesome - if you’re willing to share details on the configuration you end up going with, we’d love to see it.

I’m doing this by configuring Caddy on each server to use the DNS challenge (dnsprovider plugins), then putting those servers behind a load balancer.

1 Like

Cool, can I ask what you’re using as a load balancer? Another Caddy, or something else?

@Whitestrake I’m using a Rackspace cloud load balancer. All it does is pass TCP traffic directly through on ports 80 and 443.

1 Like
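The alternative described in the last few posts (each clone getting its own certificate via the ACME DNS challenge, behind a balancer that only passes TCP 80/443 through) looks like the following Caddyfile, added here as an example and not taken from the thread. It uses the Caddy v1 `tls` directive with the `dns` subdirective; the provider name (`cloudflare`), its credential environment variables, the domain and the email are assumptions, since the thread does not name the dnsprovider plugin used.

```caddyfile
# One identical Caddyfile deployed on each of the three clones.
# The balancer in front is a plain TCP passthrough, so every clone must
# terminate HTTPS itself. Using the DNS challenge means no ACME HTTP request
# has to be routed to one particular clone through the balancer.
example.com {
    root /var/www/site
    gzip

    # Contact address for issuance (placeholder). The dns subdirective
    # requires a Caddy build that includes the matching dnsprovider plugin;
    # credentials are read from the environment (for the cloudflare plugin
    # that was CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY).
    tls admin@example.com {
        dns cloudflare
    }
}
```

Two things to keep in mind with this layout: each clone requests a separate certificate for the same name, so three servers renewing independently count three times against the CA's duplicate-certificate rate limit (Let's Encrypt allows 5 per week), and the DNS API credentials on every clone can modify the zone, so they should be scoped as narrowly as the provider allows.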