How do you host Caddy so that it’s highly available in Azure?

1. Caddy version (caddy version): 2.4.6

2. How I run Caddy:

We are trying to set up a PoC for running Caddy to generate certs on demand with an ASK endpoint hosted on one of our other app services.
So far I’ve looked at Azure Container Instances (but no static IP) and Azure Web App Containers (it seems to only expose port 80: App Service on Linux FAQ - Azure App Service | Microsoft Docs).

a. System environment:

Linux Docker

b. Command:

docker run --config

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

{
    on_demand_tls {
        # Caddy calls this endpoint before issuing a cert for an unknown name
        ask      https://the-ask-api.com/CaddyServer/VerifyDomainName
        interval 5s
        burst    5
    }
}

https:// {
    log {
        format json
    }
    tls {
        on_demand
    }
    reverse_proxy app.com {
        header_up Host {http.reverse_proxy.upstream.host}
        # placeholder was misspelled with a hyphen (reverse-proxy)
        header_up X-Real-IP {http.reverse_proxy.upstream.address}
    }
}

3. The problem I’m having:

Trying to find a reliable cloud hosting method for Caddy within a container using Azure.
So far Azure Container Instances do not have static IPs for our clients’ custom domain A records,
and Azure Web App Containers do not appear to expose port 443; this is an overall limitation of Linux containers there.
So I’m very open to suggestions on hosting here.

4. Error messages and/or full log output:

5. What I already tried:

As above

6. Links to relevant resources:
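
The `ask` endpoint referenced in the config above is where on-demand TLS is actually gated: Caddy sends `GET ...?domain=<name>` and only issues a certificate on a 200, so the endpoint must deny anything not known to belong to a customer. The following is an added example of such an endpoint in Go (not the poster’s code); the route matches the config, while the allowlist, the `:8080` listen address and the hostname checks are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedDomains is a constructed sample allowlist standing in for the
// customer-domain lookup a real endpoint would do (assumption, not the poster's).
var allowedDomains = map[string]bool{
	"shop.example.com": true,
	"blog.example.org": true,
}

// normalizeDomain lowercases and strips a trailing dot; it returns "" for
// values that are not a plausible single hostname (empty, wildcard, path-like).
func normalizeDomain(raw string) string {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(raw), "."))
	if d == "" || len(d) > 253 || strings.ContainsAny(d, "*/ \\") || strings.Contains(d, "..") {
		return ""
	}
	return d
}

// domainAllowed is the decision Caddy's ask request hinges on: only exact
// matches against the allowlist get a 200.
func domainAllowed(raw string) bool {
	d := normalizeDomain(raw)
	return d != "" && allowedDomains[d]
}

// verifyDomainHandler answers Caddy's GET ?domain=<name>. 200 permits
// issuance; anything else (403 here) blocks it, and the denial is logged so
// unexpected issuance attempts are visible.
func verifyDomainHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !domainAllowed(domain) {
		log.Printf("denied on-demand cert for %q from %s", domain, r.RemoteAddr)
		http.Error(w, "domain not permitted", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/CaddyServer/VerifyDomainName", verifyDomainHandler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```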

You will definitely need a static IP (that DNS can route to) and access to port 443.

If you can’t get that to work with Azure containers, you’ll need to spin up a VPS or equivalent instead which would let you do so.

Thank you Francis, I’ve been able to get it up and running successfully in an Azure Container Instance. It looks like I’ll be able to put an application gateway on the front to get a static public IP address as detailed here - Static IP address for container group - Azure Container Instances | Microsoft Docs

I have also had to change the header settings to be like so and tweak my app to look at X-Forwarded-Host to see where it’s coming from:

    reverse_proxy app.com {
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host {host}
    }

I’ve realised the approach detailed by MS won’t quite work: Application Gateway operates at Level 7, so it’s no good for Caddy, and Azure Load Balancer at Level 4 doesn’t support Container Instances.

Looks like VMs in an availability set with a load balancer is the way to go. I haven’t been able to automate mounting the Azure File Share to bring in the Caddyfile, but that’s all good.

If AWS is your thing, then a Fargate cluster with a Network Load Balancer should be doable if you want to go the PaaS route.
