1. The problem I’m having:
The most current version makes the ask endpoint required, so if a domain is allowed, the ask endpoint returns code 200 and the TLS certificate is generated; however, if the domain is not allowed by the ask endpoint, it does not return code 200 and the TLS certificate is not generated, which is the expected behavior, and then I see a message similar to “ERR_SSL_PROTOCOL_ERROR” when reverse proxying.
What I would like to do:
- For domains not accepted by the ask endpoint, return a message, for example “Unauthorized”, with code 403.
I think this would be possible with handle_errors, but I’m not able to “put the pieces together” and insert this correctly into my Caddyfile. Could you please help me with an example?
2. Error messages and/or full log output:
N/A
3. Caddy version:
2.7.5
4. How I installed and ran Caddy:
a. System environment:
Ubuntu 22.04
b. Command:
sudo systemctl start caddy
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
{
	on_demand_tls {
		interval 5m
		burst 20
		ask https://tlsvalidate.example.com
	}
}

https:// {
	tls {
		on_demand
	}
	reverse_proxy {
		to https://target.example.com
		header_up Host {upstream_hostport}
	}
}

*.anything.com {
	tls {
		dns route53 {
			access_key_id "AKIEXAMPLE"
			secret_access_key "RS1EXAMPLE"
			max_retries 10
		}
	}
	reverse_proxy {
		to https://target.example.com
		header_up Host {upstream_hostport}
	}
}

:80 {
	respond /online "I am healthy" 200
}
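The ask check runs while Caddy is obtaining a certificate, before any HTTP request exists, so a client hitting a domain the endpoint rejects never completes a TLS handshake and never reaches the handlers where handle_errors would run. The place where a 403 with an “Unauthorized” body can actually be returned is the ask endpoint itself. The following is an added example of such an endpoint, written here for illustration and not taken from the post or from the Caddy project: Caddy calls the configured ask URL as `GET <ask URL>?domain=<hostname>` and treats any 2xx status as permission to issue. The allowlist entries, the `.tenants.example.com` suffix rule and the loopback port 9123 are assumptions for the example; in a real deployment the lookup would hit whatever source of truth holds the tenant domains.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed allowlist for this example; replace with a database or API lookup.
var allowedDomains = map[string]bool{
	"app.example.com": true,
	"api.example.com": true,
}

// Constructed suffix allowlist: any host under these zones is accepted.
// The leading dot prevents "faketenants.example.com" from matching.
var allowedSuffixes = []string{".tenants.example.com"}

// normalizeDomain lower-cases the name and drops a trailing dot so the
// comparison is not fooled by "App.Example.com." style variants.
func normalizeDomain(domain string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(domain)), ".")
}

// domainAllowed reports whether Caddy may obtain a certificate for domain.
func domainAllowed(domain string) bool {
	d := normalizeDomain(domain)
	if d == "" || strings.ContainsAny(d, "/ \t") {
		return false
	}
	if allowedDomains[d] {
		return true
	}
	for _, suffix := range allowedSuffixes {
		if strings.HasSuffix(d, suffix) {
			return true
		}
	}
	return false
}

// askHandler answers Caddy's on-demand TLS "ask" request, which arrives as
// GET <ask URL>?domain=<hostname>. Any 2xx status allows issuance; anything
// else denies it. The 403 body is what an operator sees in this service's
// logs or when probing the endpoint by hand; the browser still only sees a
// failed handshake, because no certificate exists for that name.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if domain == "" {
		http.Error(w, "Bad Request: missing domain parameter", http.StatusBadRequest)
		return
	}
	if !domainAllowed(domain) {
		log.Printf("on-demand TLS denied for %q", domain)
		http.Error(w, "Unauthorized", http.StatusForbidden)
		return
	}
	log.Printf("on-demand TLS allowed for %q", domain)
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte("OK\n"))
}

// askStatus runs askHandler against a synthetic request for domain and returns
// the status code Caddy would receive; useful for checking the policy without
// opening a listener.
func askStatus(domain string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/?domain="+url.QueryEscape(domain), nil)
	askHandler(rec, req)
	return rec.Code
}

func main() {
	// Assumed deployment: the Caddyfile's ask URL is routed to this loopback
	// address (for example by a dedicated Caddy site block that proxies to it).
	mux := http.NewServeMux()
	mux.HandleFunc("/", askHandler)
	log.Printf("ask endpoint listening on 127.0.0.1:9123")
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", mux))
}
```

Two things worth keeping from this shape: the endpoint denies by default (an empty or malformed domain is a 400, not a 200), and every decision is logged with the exact name Caddy asked about, which is the only place the “not allowed” outcome is visible once the handshake has failed.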