1. Caddy version (caddy version):
2.4.3-alpine
2. How I run Caddy:
Our customers can CNAME their own domain names to our Caddy web server. We enabled on-demand TLS with Redis as the storage backend. Our infrastructure runs on AWS EC2 with Docker.
a. System environment:
Docker 20.10.7 on AWS EC2 (Ubuntu 20.04) with a Network Load Balancer
b. Command:
X
c. Dockerfile:
###################
# CADDY BUILDER #
###################
# Build a custom Caddy binary with the Redis storage and Cloudflare DNS modules.
FROM caddy:builder-alpine AS caddy-builder
RUN xcaddy build \
    --with github.com/gamalan/caddy-tlsredis \
    --with github.com/caddy-dns/cloudflare
###########
# CADDY #
###########
# Runtime image: replace the stock binary with the one built above.
FROM caddy:2-alpine AS caddy
LABEL maintainer="Sherin Bloemendaal <sherin@maglr.com>"
COPY caddy/Caddyfile /etc/caddy/Caddyfile
COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
WORKDIR /app
VOLUME /app
EXPOSE 80
EXPOSE 443
d. My complete Caddyfile or JSON config:
{
	debug
	email sherin@maglr.com
	auto_https disable_redirects
	on_demand_tls {
		# Testing
		ask https://httpstat.us/200
	}
	admin caddy:8080 {
		origins 172.31.0.0/16:8080
	}
	storage redis {
		host {$CADDY_CLUSTERING_REDIS_HOST}
		port {$CADDY_CLUSTERING_REDIS_PORT}
		db {$CADDY_CLUSTERING_REDIS_DB}
		tls_enabled {$CADDY_CLUSTERING_REDIS_TLS}
	}
}
http:// {
	@health_path path /health
	@others not path /health
	respond @health_path "OK" 200
	redir @others https://{host}{uri}
}
https:// {
	root * /app/public
	php_fastcgi php:9000
	encode zstd gzip
	file_server
	tls sherin@maglr.com {
		on_demand
	}
}
3. The problem I’m having:
When I visit an IP address over HTTPS, it does not use the internal TLS anymore but instead requests a Let's Encrypt certificate (which fails), and it keeps retrying. Is there any way to exclude regex-matching hosts or something like that, or maybe I can let them fall back to the internal certificate if on-demand fails? Or maybe it's possible to use a matcher inside the address part?
Why we use Caddy: We currently have around 2000 domains that we host. We looked into Cloudflare for SaaS, but their Enterprise licence starts at $3000 per month, which is really expensive (higher than our total hosting costs at AWS). We also looked into Fastly; they offered $20 per domain per month, which is also extremely expensive when you have 2000 domains. So we decided to host our own service, and then Caddy said hello. We love the idea, it's a really nice concept, and especially the on-demand TLS feature is great.
Also, I think I misunderstood the terms "Automatic HTTPS" and "On-demand TLS"; they're not the same, or am I wrong? "Automatic HTTPS" is enabled by default but "On-demand TLS" isn't.
Anyway, help would be really appreciated! I am looking for some regex address matching.
For example: directly visiting our AWS EC2 IP address should not request a Let's Encrypt or ZeroSSL certificate but return tls internal instead.
4. Error messages and/or full log output:
X
5. What I already tried:
Request matcher:
- header_regexp ip_regex Host ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
  The regex should match IPv4 addresses. But this method doesn't work; I've read something that the Host header is an exception when using the header/header_regexp matcher.
- Tried expression, but it seems it does not support regex-like checking.
- Created another site block for 127.0.0.1 as a test:
{
	... same as above
}
https://127.0.0.1 {
	tls internal
	respond "OK" 200
	handle {
		abort
	}
}
http:// {
	@health_path path /health
	@others not path /health
	respond @health_path "OK" 200 {
		close
	}
	redir @others https://{host}{uri}
}
https:// {
	root * /app/docs
	php_fastcgi php:9000
	encode zstd gzip
	file_server
	tls sherin@maglr.com {
		on_demand
	}
}
6. Links to relevant resources:
X
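An added example, not code from the poster or from the Caddy project: the Caddyfile in this post points on_demand_tls ask at https://httpstat.us/200, which answers 200 for every query, so Caddy is told to obtain a certificate for any name a client puts in the SNI, IP literals included. Caddy calls the ask URL with a GET request carrying ?domain=<name> and only proceeds on a 2xx response, so the place to keep IP addresses (and unknown hostnames) away from Let's Encrypt is that endpoint. The Go program below is such an endpoint; the listen address 127.0.0.1:9001, the /ask path and the in-memory allowlist are assumptions standing in for a lookup against the customer database.

```go
// Added example (not the poster's code): a minimal "ask" endpoint for Caddy's
// on_demand_tls option. Caddy issues GET <ask-url>?domain=<name> before it
// obtains a certificate and only proceeds on a 2xx status. Everything that is
// not a known customer hostname, including bare IPv4/IPv6 literals, is refused,
// so Caddy never attempts public issuance for it.
package main

import (
	"log"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// Constructed allowlist (assumption) standing in for the real lookup against
// the customer database or Redis that knows which domains are CNAMEd to us.
var customerDomains = map[string]bool{
	"docs.example-customer.com": true,
	"www.another-customer.org":  true,
}

// One RFC 1123 hostname label: letters, digits, hyphens, 1-63 chars,
// no leading or trailing hyphen.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// normalize lowercases the name and drops a trailing dot so that lookups
// and syntax checks see one canonical form.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// IsHostname reports whether name is a DNS name a public CA could plausibly
// issue for: not an IP literal, no port, valid labels, at least two labels.
func IsHostname(name string) bool {
	name = normalize(name)
	if name == "" || len(name) > 253 {
		return false
	}
	// IPv4 or IPv6 literal: this is exactly the case from the post where
	// visiting the EC2 address triggered a doomed Let's Encrypt request.
	if net.ParseIP(name) != nil {
		return false
	}
	// Caddy sends the SNI only, but be defensive about "host:port" forms.
	if strings.Contains(name, ":") {
		return false
	}
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return false
	}
	for _, l := range labels {
		if !labelRe.MatchString(l) {
			return false
		}
	}
	return true
}

// AllowDomain is the policy decision: syntactically a hostname AND a domain
// we actually serve. A false result makes Caddy skip issuance for the name.
func AllowDomain(name string, allowed map[string]bool) bool {
	if !IsHostname(name) {
		return false
	}
	return allowed[normalize(name)]
}

// askHandler answers Caddy's GET /ask?domain=<name> check.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if AllowDomain(domain, customerDomains) {
		w.WriteHeader(http.StatusOK)
		return
	}
	log.Printf("on-demand TLS refused for %q", domain)
	// Any non-2xx status tells Caddy not to obtain a certificate.
	http.Error(w, "domain not allowed", http.StatusForbidden)
}

func main() {
	// Matching Caddyfile global option (assumed address):
	//   on_demand_tls {
	//       ask http://127.0.0.1:9001/ask
	//   }
	http.HandleFunc("/ask", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9001", nil))
}
```

With this in place a request for https://<EC2 IP> is still rejected by Caddy's TLS handshake (there is no certificate for the IP and none will be requested), so pair it with an explicit site block such as https://<EC2 IP> { tls internal } if the IP must answer with a locally signed certificate; the ask endpoint only stops the public CA attempts and the retry loop.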