1. Caddy version (caddy version):
v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=
2. How I run Caddy:
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
a. System environment:
Debian 9.12, PHP 7.2.31 on a KVM machine.
Caddy installed from the official deb package at https://apt.fury.io/caddy
b. Command:
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
c. Service/unit/compose file:
I use the default caddy.service file, this one: dist/caddy.service at master · caddyserver/dist · GitHub
d. My complete Caddyfile or JSON config:
{
email mymail@example.com
on_demand_tls {
ask https://cfl.man-at-work.it/api/allowed-domain.php
}
}
(global-encode) {
encode zstd gzip
}
cfl.man-at-work.it {
import global-encode
root * /srv/www/cfl/current/public/
# keep this line to avoid on_demand webhook call on itself
tls mymail@example.com
file_server
php_fastcgi unix//run/php/php7.2-fpm.sock
log {
output file /var/log/caddy/cfl.log
}
}
*.*, *.*.*, *.*.*.* {
import global-encode
tls {
on_demand
}
root * /srv/www/sat/current/public/
@urlblock {
path_regexp wpattack /(wp-admin|wp-login|wp-content|xmlrpc|wp|wordpress)
}
respond @urlblock 410
file_server
php_fastcgi unix//run/php/php7.2-fpm.sock
log {
output file /var/log/caddy/sat.log
}
}
3. The problem I’m having:
I want to configure Caddy2 to serve one well-known site address with automatic HTTPS (cfl.man-at-work.it in this example, but this list can grow to 5 or 6 domains) and a multitenant software on a catch-all (every customer has its own domain pointed to the server IP).
This config works OK (i.e. HTTP to HTTPS redirect, and certificate generated and served on the fly) with domains that get a 200 OK response from the ask https://cfl.man-at-work.it/api/allowed-domain.php webhook, but I'd like to serve HTTP to those domains that receive a non-200 response (the SaaS software manages this situation), or a static HTML page that says "domain not enabled" (or something similar).
My questions are:
- I don't like the catch-all pattern; is there a better way to catch any other connection to the server that is not listed as a known site address (think about nginx server_name _;)?
- Can Caddy2 skip on_demand TLS and the automatic HTTPS redirect if the webhook responds with a 404 error, and serve those sites on HTTP?
- Can I catch tls { on_demand } errors and manage them?
4. Error messages and/or full log output:
Known site address:
$ curl -I http://cfl.man-at-work.it/
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://cfl.man-at-work.it/
Server: Caddy
Date: Wed, 24 Jun 2020 08:13:17 GMT
$ curl -I https://cfl.man-at-work.it/
HTTP/2 200
content-type: text/html; charset=UTF-8
server: Caddy
date: Wed, 24 Jun 2020 08:12:17 GMT
Catch-all domain with 200 OK from the allowed-domain webhook:
$ curl -I http://sat1.man-at-work.it
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://sat1.man-at-work.it/
Server: Caddy
Date: Wed, 24 Jun 2020 08:15:02 GMT
$ curl -I https://sat1.man-at-work.it
HTTP/2 200
content-type: text/html; charset=UTF-8
server: Caddy
date: Wed, 24 Jun 2020 08:15:06 GMT
Catch-all domain with 404 Not Found from the allowed-domain webhook:
$ curl -I http://sat4.man-at-work.it
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://sat4.man-at-work.it/
Server: Caddy
Date: Wed, 24 Jun 2020 08:16:03 GMT
$ curl -I https://sat4.man-at-work.it
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
On the console Caddy logs this:
2020/06/24 10:17:19 http: TLS handshake error from 176.206.133.64:57171: certificate for hostname 'sat4.man-at-work.it' not allowed; non-2xx status code 404 returned from https://cfl.man-at-work.it/api/allowed-domain.php
5. What I already tried:
To write a better-looking catch-all I've tried to set the site address to http:// or https://, but then I cannot use the tls directive:
run: adapting config using caddyfile: server listening on [:80] is HTTP, but attempts to configure TLS connection policies
If I set the site address to *, Caddy responds with this:
$ curl -I https://sat1.man-at-work.it
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Caddy console:
2020/06/24 10:21:12 http: TLS handshake error from 176.206.133.64:57412: no certificate available for 'sat1.man-at-work.it'
The actual catch-all pattern works, but on the console I get this warning:
2020/06/24 08:29:05.661 WARN http most clients do not trust second-level wildcard certificates (*.tld) {"domain": "*.*"}
6. Links to relevant resources:
Simplified allowed-domain.php webhook that I'm currently using on the test machine; the real webhook will do a series of checks on the domain before returning 200 OK or 404 KO:
<?php
// Caddy calls this endpoint as GET /api/allowed-domain.php?domain=<hostname>
// before issuing an on-demand certificate: any 2xx status allows issuance,
// anything else denies it.
$domain = $_GET['domain'] ?? null;
// Test allowlist; the real webhook checks the tenant database instead.
$goodDomains = [
'cfl.man-at-work.it',
'sat1.man-at-work.it',
'sat2.man-at-work.it',
'sat3.man-at-work.it',
];
header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: *');
// Strict comparison: only an exact, case-sensitive match is allowed.
if (in_array($domain, $goodDomains, true)) {
http_response_code(200);
echo json_encode(['OK']);
} else {
http_response_code(404);
echo json_encode(['KO']);
}
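As an added example (not the poster's code, and not part of Caddy), the same ask webhook written as a small Go service. It keeps the behaviour the PHP above relies on (a 2xx response permits on-demand issuance, a 404 denies it) but normalizes the hostname first and refuses wildcards, IP literals and malformed names outright, so a stray or hostile ?domain= value can never be approved. The allowlist is constructed from the names in the post; the listen address 127.0.0.1:8081 and the path /api/allowed-domain are assumptions, so the corresponding Caddyfile line would be ask http://127.0.0.1:8081/api/allowed-domain, with Caddy on the same host as the only caller.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// allowedDomains stands in for the tenant lookup the real webhook would do.
// The names are the ones from the post's test allowlist (constructed data).
var allowedDomains = map[string]bool{
	"cfl.man-at-work.it":  true,
	"sat1.man-at-work.it": true,
	"sat2.man-at-work.it": true,
	"sat3.man-at-work.it": true,
}

// normalizeHost canonicalizes the value Caddy sends in ?domain= and rejects
// anything that is not a plain DNS hostname: wildcards, IP literals, empty or
// oversized names, and labels with characters outside [a-z0-9-].
func normalizeHost(raw string) (string, bool) {
	h := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(raw)), ".")
	if h == "" || len(h) > 253 {
		return "", false
	}
	if strings.Contains(h, "*") || net.ParseIP(h) != nil {
		return "", false
	}
	for _, label := range strings.Split(h, ".") {
		if label == "" || len(label) > 63 {
			return "", false
		}
		for _, c := range label {
			if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
				return "", false
			}
		}
	}
	return h, true
}

// domainAllowed is the policy decision: a syntactically valid hostname that
// is present in the allowlist after normalization.
func domainAllowed(raw string) bool {
	h, ok := normalizeHost(raw)
	return ok && allowedDomains[h]
}

// askStatus maps the decision onto the HTTP status Caddy interprets:
// 2xx permits issuance, anything else (here 404) denies it.
func askStatus(raw string) (int, string) {
	if domainAllowed(raw) {
		return http.StatusOK, `["OK"]`
	}
	return http.StatusNotFound, `["KO"]`
}

// askHandler is the HTTP wrapper the on_demand_tls "ask" URL points at.
func askHandler(w http.ResponseWriter, r *http.Request) {
	status, body := askStatus(r.URL.Query().Get("domain"))
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.WriteHeader(status)
	fmt.Fprint(w, body)
}

func main() {
	// Listen on loopback only (assumed deployment): Caddy on the same host is
	// the only legitimate caller, so the endpoint is not exposed externally.
	http.HandleFunc("/api/allowed-domain", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", nil))
}
```

Serving the webhook on loopback also sidesteps the problem the Caddyfile comment above guards against: the ask URL must never itself depend on on-demand issuance, or Caddy would have to call the webhook to obtain the certificate it needs to reach the webhook.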