Current best practices for a web cluster, of multiple domains, behind a load balancer?

Good afternoon.

In the past i’ve done clusters of machines behind a load balancer (not to webservices though), and i’ve also installed Caddy with multiple domains on a machine. But now i want to put N nodes (probably a variable number of purely virtual nodes created or destroyed on demand), behind a single load balancer, each one serving the same N domains/virtualhosts. With SSL.

Been searching and reading the whole day and still don’t have a good direction of where to go. I’d love if it was done with Caddy as i now know from experience the relief of no longer worrying about cert generation and renewal issues thanks to that machine i mentioned, and since this time there’s probably going to be dozens of domains/virtual hosts/whatever serving from those nodes it’d be a much bigger headache solved from the start if i do end up going with Caddy again.

But SSL complicates things: I point the DNS records of the pages to the LB IP so that the browsers go to it and be served by all the machines, but if the Caddy machines need to do the Let’s Encrypt challenge to get and renew the certs, do i need to also point the A records at all the nodes, therefore bypassing the LB which is highly undesirable? Or do i need to use Caddy as the LB? Does Caddy serve certs when it’s on reverse proxy mode? Since the pages will be on virtualhosts the browser needs to receive the request from the browser with name, will that be kept if i do reverse proxy? What if i use Caddy as both the LB and the nodes with the dozens of virtualhosts, will it work?

Is there a document that covers this case? Seems to me that it should be a very common case but i have found very little, even when not limiting things to Caddy, so any help would be appreciated.

1 Like

Caddy supports running in a cluster; you just need to make sure all instances share the same underlying storage:

The default storage is filesystem, so you can use something like glusterfs or something equivalent to sync Caddy’s storage between your machines.

Basically, one Caddy instance can begin an ACME transaction, write it to disk, then another can solve and complete it if it receives the challenge confirmation.

If your LB is at the TCP layer (i.e. not HTTP layer; doesn’t try to terminate TLS) then you can LB to your many Caddy instances and Caddy can terminate TLS.

You could, Caddy is a very capable load balancer as well with the reverse_proxy handler. But if you already have a TCP-layer load balancer you like, that’s fine to use, as I mentioned above.

Well “reverse proxy” isn’t really a “mode” per-se, it’s just one of the many HTTP handlers. The TLS layer is a level higher than the HTTP handlers. So “yes”, but that’s not exactly the right question to ask.

I don’t understand this questions frankly :thinking:

Yeah, Caddy can proxy to other Caddy instances if you need


Here you go:


This topic was automatically closed after 30 days. New replies are no longer allowed.