Automatic HTTPS for Multi-Tenant Applications that allow Custom Domains

Hi everybody!

First of all, I leave here my congratulations for the Caddy team for the amazing work you are doing!

I already succeeded in deploying a simple site using Caddy without problems.

Now, I’m working for a SaaS company and we want to provide automatic HTTPS for our clients. Today, when they opt for use custom domains, or they have to give to us their certificates in a very manual process, or they will fallback to plain HTTP.

So, the ideia is to use Caddy to provide automatic HTTPS for the customers custom domains. My question is if anybody already used Caddy for doing something like that and if that worked well. Just asking for general guidance.

In my case, my Rails application is served through Nginx on ElasticBeanstalk. I can replace Nginx and use only Caddy, but I’m considering better to deploy it separately.

What is in my mind right now is to build a plugin to monitor requests to domains which doesn’t have certificates and provide it on-demand.

Do you think is viable do something like that?

1 Like

I know of a single Caddy instance that is serving thousands of domains for their customers, including managing the certificates for each one of them. It uses on-demand TLS so they just start working after the handshake. I recommend whitelisting the kinds of domains that can be obtained by specifying them in the Caddyfile first, though (*.domain.com for subdomains, or add each one individually, which means you won’t need on-demand TLS).

Also, we’ll have a commercial package for businesses using Caddy available later this year. Could I message you about that, and get your thoughts on it?

2 Likes

Hey Matt!

Thanks for the fast reply! For sure, you can message me.

1 Like

Glad to know this is possible!

What would the Caddyfile look like for this particular case with a single Vhost?

Hey @Ericson_Smith, if you’re just looking to run a single website, the Caddyfile is pretty simple. Check out the new Caddyfile tutorial or the Caddyfile spec for more details.

Make a new thread if you have any questions - this one’s a bit old, and off-topic if you only have one vhost.

We have recently started using Caddy for exactly this purpose.

We put Caddy behind and IP that we tell our customers to point their DNS at, and then just use Caddy’s automatic TLS feature to manage it all for us. No need for plugins, if tls has max_certs set, it’ll just fetch certs for you.

:443, :80 {

  proxy / 10.117.1.21 10.117.1.22 {
    policy ip_hash
    transparent
  }

  tls letsencrypt@mydomain.com
  tls {
    max_certs 10
  }
}

(80 and 443, because we can’t enforce SSL on all sites yet)

There’s a bit more in there so I can use EV certs for certain domains we have full certificates for, and I’ve been working out some clustering ideas, but that’s the gist of it.

2 Likes

Hi @cylindric, this looks great!
Thanks so much, we will try this out now for sure.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.