Do 302 redirect if on_demand_tls fails

1. Caddy version (caddy version): 2.4.0 h1

2. How I run Caddy:

I run caddy via systemctl

a. System environment:

Ubuntu 20.04 LTS

b. Command:

sudo systemctl restart caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target
[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
EnvironmentFile=/etc/environment
[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
    on_demand_tls {
        ask http://api.4ice.se/api/caddy-check
    }
    storage dynamodb caddy_ssl_certificates
}
:80 {
    respond /health "Im healthy!" 200
}
:443 {
    tls 4ice@gmail.com {
        on_demand
    }
    reverse_proxy 4ice.se {
        header_up X-Forwarded-Port {server_port}

        health_timeout 5s
    }
}

3. The problem I’m having:

I am using on_demand_tls for generating certificates for my multi-tenant application. So, for instance, if someone creates a tenant with the domain caddy.4ice.se, the ask will get a 200 code, the certificate will be created and the reverse proxy will send the request to the server.

The feature that I am looking for is to be able to redirect the user if the ask for the on_demand_tls fails. So, for instance, if the user goes to not-setup-domain.4ice.se and the ask method gets a 503 error code as a response, I want to make a 302 redirect for the user to the page 4ice.se/support. Is that possible to do?

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Over what connection would you like to send the HTTP response? We can’t send an HTTP response if we can’t establish a secure connection…

Please upgrade to v2.4.5!

FYI, this doesn’t do anything unless you actually enable active health checks via the health_uri option at minimum.

That’s not possible. If the TLS handshake fails (because Caddy was instructed not to issue a certificate), then it never reaches request handling, because Caddy can’t respond to an HTTPS request with HTTP content. Browsers will not trust anything the server sends back unless the TLS handshake succeeds.
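The two points in this thread, the ask endpoint gating issuance and the handshake failing before any HTTP response can exist, can be shown end to end in a few dozen lines of Go. The following is an added example, not code from the original post or from Caddy itself: `AskHandler` is a hypothetical ask endpoint backed by a constructed `tenants` map, `NewOnDemandServer` imitates on-demand issuance with a `GetCertificate` callback that mints a throwaway self-signed certificate where Caddy would run ACME, and `Connect` is a client that sends the tenant name as SNI. The `?domain=` query parameter is the contract Caddy uses when calling an ask URL; the hostnames are the ones from the post, and everything else (function names, the 403 instead of the poster's 503, the test listeners) is an assumption of this example.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// tenants is a constructed stand-in for the tenant database an ask endpoint would consult.
var tenants = map[string]bool{"caddy.4ice.se": true}

// AskHandler follows the on_demand_tls ask contract: Caddy requests <ask-url>?domain=<name>
// before issuing and proceeds only on HTTP 200. Refusing unknown names is what stops the
// listener from obtaining certificates for any hostname someone points at it.
func AskHandler(w http.ResponseWriter, r *http.Request) {
	domain := strings.ToLower(strings.TrimSuffix(r.URL.Query().Get("domain"), "."))
	if !tenants[domain] {
		http.Error(w, "unknown tenant", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// NewAskServer serves AskHandler on loopback, a test double for the ask URL.
func NewAskServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(AskHandler))
}

// selfSigned mints a throwaway certificate for one hostname, standing in for
// the ACME issuance Caddy performs after a successful ask (demo only).
func selfSigned(host string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// NewOnDemandServer starts an HTTPS listener whose GetCertificate callback asks
// askURL about the SNI name; a refusal aborts the handshake before any HTTP happens.
func NewOnDemandServer(askURL string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Host)
	}))
	srv.TLS = &tls.Config{GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		resp, err := http.Get(askURL + "?domain=" + url.QueryEscape(hello.ServerName))
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("ask refused %q (HTTP %d)", hello.ServerName, resp.StatusCode)
		}
		return selfSigned(hello.ServerName)
	}}
	srv.StartTLS()
	return srv
}

// Connect fetches https://<host>/ from srv with host as both SNI and Host header.
// For a refused name the error is a TLS alert: no HTTP response, hence no 302, exists.
func Connect(srv *httptest.Server, host string) (string, error) {
	addr := strings.TrimPrefix(srv.URL, "https://")
	client := &http.Client{Transport: &http.Transport{
		// Dial the test listener whatever the URL host says, so SNI and Host carry the tenant name.
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, addr)
		},
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true}, // demo only: the cert is self-signed
		DisableKeepAlives: true,
	}}
	resp, err := client.Get("https://" + host + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Running `Connect` against the allowed name returns the handler's body; against the unlisted name it returns an error of the form `remote error: tls: internal error` and nothing else, because the server refused to present a certificate and the connection never reached the HTTP layer. That is the practical consequence for the original question: a redirect to a support page can only be served where a handshake can succeed, for example from the plain-HTTP listener or from a hostname that already has a certificate, not from the on-demand refusal path itself.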

Thank you both for your answers! I understand what you are saying and why my idea would not work!

@francislavoie - Thank you for the tips regarding my config, I will look into that as well as upgrading caddy to the latest version!
