On Demand SSL for any domain?

1. Caddy version (caddy version):

caddy:2.0.0-rc.3-alpine

2. How I run Caddy:

a. System environment:

Docker

d. My complete Caddyfile or JSON config:

* {
    tls 'my-alert@email-address.com' {
        on_demand
    }

    reverse_proxy * unix//tmp/basics_tmp/hulk_passenger.socket { ... }
}

3. The problem I’m having:

I am trying to set up the server with on_demand requests for each host which connects to it.
As described in the docs, it will be possible to add a whitelist of possible hosts, which I will integrate afterwards, to make sure this won't be abused.

But for now, I wanted to get this to work. The backend service, to which the requests are proxied, can handle the requests for all used ports.

When I log on to example.my-domain.com, the browser tells me the certificate used is not trusted.

When I ignore this, the following string is returned:

This is default server vhost. There is nothing here.

What am I doing wrong?

Thanks in advance!

Your site address is * which matches hostnames with a single label, like localhost or foo, but not example.com. To match all sites, don’t specify a hostname. Instead, do something like :443. This is described in the docs: Caddyfile Concepts — Caddy Documentation

This is default server vhost. There is nothing here.

That’s not a Caddy message, so your reverse proxy is working at least.


Thanks, I also found that the email address shouldn't be quoted.
Just for the next reader... but the restriction to the port worked.

The only thing I’m not sure about is how to get the redirect on port 80 working.

With the current configuration the request only works when I explicitly go to https://hostname.

I naively tried :80, :443 { ... } afterwards, but that's not working.
My search results from the docs and forum led me to try

http:// {
  redir https://{host}{uri}
}

and

:80 {
  redir https://{host}{uri}
}

But that didn't work either.

I guess I'm overthinking this?

The HTTP->HTTPS redirects are automatic.

So the minimal config should be:

:443

tls my-alert@email-address.com {
    on_demand
}

reverse_proxy unix//tmp/basics_tmp/hulk_passenger.socket

Of course, be sure to set up the “ask” endpoint – and customize your proxy if needed.

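The "ask" endpoint mentioned above is the whitelist the original poster planned to add, and it is the part of an on_demand setup that should not be postponed: before Caddy obtains a certificate for a hostname it has not seen before, it sends a GET request to the configured ask URL with ?domain=<hostname> and only proceeds if the response is 2xx. Without that check, anyone who points a DNS name at this server's IP address can make Caddy request a certificate for it and spend the server's ACME rate-limit budget on their behalf. The following is an added example, not code from Caddy or from anyone in this thread, of a minimal ask service written in Go; the listening address 127.0.0.1:9123, the /check path and the allowlist entries are assumptions invented for the example.

```go
// Added example: an "ask" endpoint for Caddy's on_demand TLS.
// This is not Caddy's code and not the poster's backend; it is a
// stand-alone illustration. Caddy calls the configured ask URL with
// ?domain=<hostname> before issuing a certificate and only proceeds on a
// 2xx response. The allowlist below is constructed sample data.
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// allowedHosts is a constructed sample allowlist (an assumption for this
// example). In a real deployment this lookup would consult the tenant or
// customer database that knows which hostnames were actually provisioned.
var allowedHosts = map[string]bool{
	"example.my-domain.com": true,
	"customer.example.net":  true,
}

// normalizeDomain lowercases the name and strips surrounding whitespace and
// a trailing dot, so that "Example.My-Domain.COM." matches the entry above.
func normalizeDomain(d string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(d)), ".")
}

// isAllowed decides whether Caddy may obtain a certificate for domain.
// Empty names and wildcards are rejected: on-demand issuance should only
// ever happen for a concrete hostname that was pointed at this server.
func isAllowed(domain string) bool {
	domain = normalizeDomain(domain)
	if domain == "" || strings.Contains(domain, "*") {
		return false
	}
	return allowedHosts[domain]
}

// askHandler answers Caddy's pre-issuance check: 200 to allow, 403 to deny.
// Any non-2xx status makes Caddy refuse the handshake, so an unknown host
// cannot trigger an ACME order.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if isAllowed(domain) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "allowed")
		return
	}
	// Denied requests are worth logging: a burst of unknown names usually
	// means someone is probing the server with DNS records they control.
	log.Printf("on_demand denied for %q", domain)
	http.Error(w, "domain not allowed", http.StatusForbidden)
}

func main() {
	http.HandleFunc("/check", askHandler)
	// Bind to loopback only: Caddy is the sole intended client.
	// The port is an assumption for this example.
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", nil))
}
```

Point Caddy at it from the global options block at the top of the Caddyfile, for example on_demand_tls { ask http://127.0.0.1:9123/check } (the global on_demand_tls option with ask is documented for Caddy 2; check the docs for the exact release you run), and keep the tls on_demand directive in the site block as in the minimal config above. Keep the ask service on loopback or an internal network so that nothing but Caddy can query it.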

Hi Matt,

that’s strange, as my current config is similar to your suggestion.
I just made it a bit cleaner to post it, and without reload, it now worked (as I wanted to paste curl outputs).

So I’ll continue for now and test it again later. Perhaps it will go wrong again, or I’ll become aware of what I am missing.

Many thanks for now and best regards!
Philipp
