I've been toying with Caddy as I seek a self-hosted proxy for my homelab, as well as NPM and Zoraxy. Caddy has some advantages and I think making replicas would be easier compared to the others. My current install is directly on Debian, not via Docker. Keepalived for the floating VIP.
I am looking to make replicas so that I can patch/whatever a node and not bring everything down. To do this, I need to keep them in sync. I am happy to have a "master" node and then just push the configs over to node #2. Here are the Caddy directories I discovered that look like they would be needed, depending on implementation:
/etc/caddy - Using a Caddyfile, so I need to bring the config over.
/var/lib/caddy - Appears to be where the SSL data is stored.
I thought about two ways:
1. Just sync the Caddyfile and let the replica get a new SSL cert. I am using the dns-01 challenge, so this would be fine as long as I always use this method, as it would fail for traditional ACME methods.
2. Sync both directories to the replicas, say every 5 mins, and then maybe add something to the Caddyfile to disable auto-SSL?
I read that for #2 some people use shared storage. I would like to avoid that and avoid a single point of failure.
DNS challenge certainly makes it easier. With a smaller number of certificates, you can just have each instance of Caddy maintain its own TLS assets, no problem.
Documentation for file storage locations is over at Conventions — Caddy Documentation if you wanna confirm that. It does vary across operating systems.
If you wanted to, you could probably look into something like Redis Cluster, perhaps. The best way, bar none, to have multiple Caddy servers cluster together for TLS asset management is to share a storage provider - Redis Cluster (or some other synchronous distributed data store) would let you do that in a fault-tolerant manner.
It doesn’t necessarily need to be a Redis cluster, it can be just a single Redis instance (centralized). That’s perfectly fine too.
The risk is that if you have two Caddy instances issuing certs for the same domain at the same time, they could clobber each other's TXT records. It's a small risk, but it can happen depending on how much gap you had between starting them up.
Also, issuers have a pretty aggressive limit on duplicate certificates per domain (5 per week, see Rate Limits - Let's Encrypt), so you're pretty constrained on that even if you manage to keep them renewing in different gap windows (which you can't really predict because of factors like ARI, which issuers can use to tell Caddy when to try a renewal, etc.).
So really, you should always be syncing storage when running more than one Caddy instance. A centralized DB of some kind is the easiest option, but syncing the filesystem can be done as well (glusterfs or something like that).
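As an added illustration of the shared-storage setup recommended above (this is not config from the original thread or from the Caddy project), here is a Caddyfile that points every node at the same Redis-backed storage so that TLS assets are issued once and read by all replicas. It assumes the third-party `caddy-storage-redis` module (github.com/pberkel/caddy-storage-redis) and the `caddy-dns/cloudflare` DNS provider; the hostnames, addresses and environment variable names are placeholders. Both modules have to be compiled in, e.g. with `xcaddy build --with github.com/pberkel/caddy-storage-redis --with github.com/caddy-dns/cloudflare`, and the same binary and the same global options block must be deployed to every node, otherwise a node silently falls back to its local /var/lib/caddy and issues on its own.

```caddyfile
{
    # Global options. The storage block must be identical on every node;
    # a node without it uses local file storage and issues independently.
    storage redis {
        host        redis.lab.internal            # assumed: Redis reachable only on the homelab LAN
        port        6379
        db          0
        password    {env.CADDY_REDIS_PASSWORD}    # assumed env var; never hard-code the secret in the file
        key_prefix  caddy
        tls_enabled true                          # Redis holds the private keys, so encrypt the transport
    }
    email admin@example.com                       # placeholder ACME account contact
}

proxy.example.com {
    tls {
        # DNS-01 means the nodes need no inbound 80/443 for issuance,
        # which matches the original poster's setup. Provider is assumed.
        dns cloudflare {env.CF_API_TOKEN}
    }
    reverse_proxy 10.0.0.20:8080                  # placeholder upstream
}
```

Two caveats a practitioner should keep in mind: the Redis instance now holds every private key and ACME account key, so it should only be reachable over the private network, require a password, and use TLS (the module also offers an `encryption_key` option for encrypting values at rest); and if you run a single Redis rather than a cluster, you have traded the shared-filesystem single point of failure for a Redis one, which is acceptable for a homelab as long as its data directory is backed up.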