Multitenant website with cloud run and caddy?

1. Output of caddy version:


2. How I run Caddy:

I have a docker image that create container with python and caddy installed,
I run a django multitenant application on port 8001 and use caddy as proxy

a. System environment:

A docker ubuntu image with python and caddy installed

b. Command:

python3 migrate --noinput
python3 collectstatic --noinput
gunicorn app.wsgi --bind &
cady run

c. Service/unit/compose file:

d. My complete Caddy config:

        # local_certs
        on_demand_tls {
                burst 100
        email $email
        storage file_system /caddy

:80, :443 {
        tls {

3. The problem I’m having:

I have a multitenant django application that I show the content based on the domain that user request my application.
I am running now the application with google cloud run, I added also an HTTP(S) load balancer with a static ip address.
I am planning to tell users to write this ip address to their A dns record and use caddy to generate ssl certificates.
For storage I am planning to use s3 or redis to have central place for certificates.
Also I will add the ask API for on demand certificates.
Is this a way to go, or I am in a wrong direction?
I know how to fix with self managed vps but I wanted to do this with cloud run if it is possible.

If I test locally it works perfect with local_certs.

The problem for now is that http work perfectly but not https, and I don’t know how to fix this.

Is your setup

Caddy → reverse_proxy → django on Google Cloud Run
Google Cloud Run → Caddy → reverse_proxy → django also on Google Cloud Run?

Can you elaborate what you are seeing on http vs https?
Maybe with curl -v?

I now have it configured like this,
A record pointed to HTTP(S) load balancer static ip in GCE, Load balancer is linked with cloud run, and inside cloud run container is installed caddy that listens to port 80 and 443, and this proxy to django gunicorn server.

Now I also added redirects to https, like this

:80, :443 {
        tls {
        @insecure {
                header X-Forwarded-Proto http
        redir @insecure https://{host}{uri} permanent


And this is what curl -v domain gives:

*   Trying <IP>...
* Connected to <DOMAIN> (<IP>) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <DOMAIN>:443 
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <DOMAIN>:443 

This topic was automatically closed after 30 days. New replies are no longer allowed.