Like I said earlier, please use backticks to wrap your configs when you post them on the forums. Their formatting gets broken otherwise, and it's difficult to read.
You'd have to make your front instance of Caddy terminate TLS (i.e. do the on-demand stuff) and then proxy over HTTP to your two upstreams. Use `http://` as your site address upstream so that it doesn't try to match based on hostname.
Front:
```
{
	on_demand_tls {
		ask https://lave.live/domain/verify
	}
}

(proxy) {
	reverse_proxy backend-1:80 backend-2:80 {
		# whatever load balancing config
	}
}

lave.live {
	import proxy
}

https:// {
	tls {
		on_demand
	}
	import proxy
}

www.lave.live {
	redir https://lave.live{uri}
}
```
Backend:
```
http:// {
	root * /home/forge/lave.live/public
	encode zstd gzip
	php_fastcgi unix//var/run/php/php8.1-fpm.sock {
		# so that X-Forwarded-* headers are trusted
		trusted_proxies private_ranges
	}
	file_server
}
```
For the frontend, I'm using a snippet for the proxy and two separate site blocks, because otherwise there'd be a chicken-and-egg issue with the `lave.live` domain: the `ask` endpoint goes through `lave.live`, but since that's being served by this same server, how can it ask if it can issue a cert for that domain? So you need to explicitly list that one as a non-`on_demand` domain so that it will work. Not super elegant, but it should be fine.
You could avoid this issue by separating the domain verification endpoint into a simple script you run on the front instance, so it doesn't need to be proxied to one of your backends, which may or may not be available. Something like `ask http://localhost:8080/domain/verify` instead.
Note that technically, this approach using a snippet will actually cause there to be two `reverse_proxy` handlers, and they will have their own state. If you change `ask`, then you can simplify it back down to just one `https://` site block.
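The standalone verification endpoint suggested in the reply above, written out as an added example; this is not the original poster's code and not part of Caddy. It assumes Caddy's documented `ask` behaviour: Caddy sends a GET request with the requested hostname in the `domain` query parameter, any 2xx response permits issuance, and any other status denies it. The `Allowed` map, the `customer-one.example` hostname in it, and the `/domain/verify` path on `127.0.0.1:8080` are constructed stand-ins for whatever lookup the real application does against its list of customer domains.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// Allowed is a constructed allowlist standing in for the real lookup
// (database, API call, etc.). The point of an ask endpoint is that it
// says "no" for everything you have not explicitly onboarded: a handler
// that always returns 200 lets anyone who points DNS at your front
// instance trigger certificate issuance and burn your ACME rate limits.
var Allowed = map[string]bool{
	"lave.live":            true,
	"customer-one.example": true, // constructed example customer domain
}

// normalizeDomain canonicalizes the value Caddy passes and rejects
// anything that is not a plain, fully qualified DNS hostname.
func normalizeDomain(raw string) (string, bool) {
	d := strings.ToLower(strings.TrimSpace(raw))
	d = strings.TrimSuffix(d, ".") // tolerate a trailing root dot
	if d == "" || len(d) > 253 {
		return "", false
	}
	// No wildcards, schemes, ports, userinfo or whitespace.
	if strings.ContainsAny(d, "*/:@ ") {
		return "", false
	}
	// On-demand TLS is for names, never for bare IP addresses.
	if net.ParseIP(d) != nil {
		return "", false
	}
	// Require at least one dot so single labels such as "localhost" fail.
	if !strings.Contains(d, ".") {
		return "", false
	}
	for _, label := range strings.Split(d, ".") {
		if label == "" || len(label) > 63 {
			return "", false
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return "", false
		}
		for _, c := range label {
			if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
				return "", false
			}
		}
	}
	return d, true
}

// Decide maps a raw domain value to the HTTP status returned to Caddy:
// 200 allow, 403 known-good syntax but not ours, 400 malformed input.
func Decide(domain string) int {
	d, ok := normalizeDomain(domain)
	if !ok {
		return http.StatusBadRequest
	}
	if Allowed[d] {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// AskHandler is the handler Caddy's on_demand_tls "ask" URL points at.
func AskHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	raw := r.URL.Query().Get("domain")
	status := Decide(raw)
	// Log every decision; denied requests are your early warning that
	// someone is pointing stray DNS records at the front instance.
	log.Printf("ask domain=%q -> %d", raw, status)
	w.WriteHeader(status)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/domain/verify", AskHandler)
	// Loopback only: Caddy on the same host reaches it over plain HTTP,
	// so no certificate is needed for the ask endpoint itself.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

With this running on the front instance, the global block becomes `ask http://localhost:8080/domain/verify`, and the `lave.live` site block and the `(proxy)` snippet can fold back into the single `https://` block with `tls { on_demand }` and one `reverse_proxy`, since the ask endpoint no longer depends on a backend being reachable. Keep the check tied to your real onboarding data rather than a hard-coded map, and keep the port bound to loopback so nothing outside the host can query which domains you serve.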