I’m currently using Cloudflare Workers and Cloudflare for SaaS to allow websites to route their traffic to Cloudflare via a CNAME, and Cloudflare for SaaS automatically handles HTTPS for those domains.
The downside to using CNAMEs is we have to have a subdomain, which we set to www. We would like to allow setting up a domain without www though, which would require using an A record.
- Would Caddy be a good fit to use as a reverse proxy and serve static files?
- Would Caddy automatically handle creating HTTPS certificates?
- Could websites be added to the reverse proxy dynamically without requiring the server to be restarted?
Yes to all of those questions.
You’ll need to be more specific about what you’re trying to do though.
We are dynamically deploying websites for users. A user tells us their domain name, say example.com, and we save some files to a folder, example.com. We then have them add the proper DNS records to use us as a host, and then the reverse proxy directs the request to the proper folder to look for the files.
I’d like to be able to host caddy, and have our users point their website to it with an A record, and then use an admin API to dynamically add reverse proxy configurations etc, while caddy manages the TLS certificates automatically.
Yep, you can definitely do that.
Are you always using a different reverse_proxy target? Or is it always the same backend? If it’s always the same one, you’re probably looking for On-Demand TLS, which would allow your users to point their domains at your server, and Caddy will fetch a certificate for that domain on the first incoming request. This is a feature unique to Caddy.
If you’re using different backends, you might consider using the map handler to choose the upstream address.
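An added example, not code from this thread or from the Caddy project: On-Demand TLS should be paired with Caddy’s `on_demand_tls { ask ... }` global option, so that Caddy only requests a certificate for domains you actually host (otherwise anyone who points a DNS name at your server can make it hit CA rate limits). The endpoint below answers Caddy’s `GET /check?domain=<name>` with 200 (issue) or 403 (deny); the path, the port 5555 and the one-folder-per-domain layout under `/srv/sites` are assumptions matching the setup described above.

```python
# Assumed Caddyfile global option:
#   on_demand_tls { ask http://127.0.0.1:5555/check }
# Caddy sends GET /check?domain=<name>; HTTP 200 allows issuance, else denied.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import parse_qs, urlparse

SITES_ROOT = Path("/srv/sites")  # assumed: one folder per customer domain
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: lowercase DNS name, at least two labels,
    no wildcard, no path characters, not an IPv4 literal."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return False
    return not labels[-1].isdigit()  # rejects 192.0.2.1-style names


def folder_exists(domain: str) -> bool:
    """Default hosting check: the customer's site folder is present."""
    return (SITES_ROOT / domain).is_dir()


def should_issue(domain: str, is_hosted=folder_exists) -> bool:
    """Allow a certificate only for a well-formed domain that we host.
    Validating first keeps '../'-style values away from the filesystem;
    the hosting check stops strangers burning our CA rate limits."""
    domain = domain.strip().lower().rstrip(".")  # accept a trailing FQDN dot
    if not is_valid_hostname(domain):
        return False
    return is_hosted(domain)


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        allowed = url.path == "/check" and should_issue(domain)
        self.send_response(200 if allowed else 403)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

Run it next to Caddy on the same host; a denied domain never reaches the ACME client, so the failure is logged by Caddy rather than counted against your issuance quota.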
Point of order, you’re saying “reverse proxy” but you also talk about “static files”. Those are kinda competing concepts. Are you saying you want Caddy to serve the static files, or do you want Caddy to proxy to something else to serve them? Because Caddy can do both, but clarifying that is important.
What kind of performance can we expect? Would we have any issues if we deployed multiple of these servers for redundancy so that our users could specify multiple A records?
What areas would we need to look into for Caddy to enable this functionality?
Performance will not be a problem, and redundancy is fine – many users are doing this. I’d recommend having them share the same storage so that they will coordinate certificate management automatically: Automatic HTTPS — Caddy Documentation
^ That page also talks about On-Demand TLS.
(Although, I’m not sure if “multiple A records for redundancy” is what you’re looking for. If a DNS resolver returns multiple A records the selection of which one to use is random, I believe. Does no good if the selected host is down. Unless you remove the A record first. But then you have caching/TTL issues.)
So this seems fantastic and exactly like what we’re looking for.
The only thing I dislike about this approach is that if someone were to ddos one of our customers sites, it could pretty easily take down all of our customers.
I don’t suppose anyone knows a creative solution to that, that I haven’t thought of?
That should be handled at the firewall level.
DDoS is a common problem for any online servers/services (not specific to Caddy). Most businesses put their sites behind a CDN like Cloudflare. Basically the best way to beat DDoS’ers is to have more bandwidth than the bad guys.
Basic DoS attacks can usually be mitigated by firewalls and auto block rules.