On-Demand TLS multi-container reverse_proxy with different domains to be validated

1. The problem I’m having:

The problem we are facing is that we have a TLS check server that we created in Go, with our domains hard-coded in it. But when we reverse_proxy requests to those containers, it only works when we put a single reverse_proxy, meaning we can only reverse_proxy to one backend.

2. Error messages and/or full log output:

Currently I can't share logs because there is some sensitive data that I need to figure out, but this task is a priority. I need to figure out how we can reverse_proxy to multiple containers so we can get multiple SSL certificates for multiple domains, using the same tlscheck service.

3. Caddy version:

version: '3.8'
services:
  csv-parser:
    build:
      context: .
    # volumes:
    #   - …/app:/app
    ports:
      - "8080:8080"
    networks:
      - csv-parser
  tls-check:
    build:
      context: ./tls-check
    # volumes:
    #   - …/app:/app
    ports:
      - "5555:5555"
    networks:
      - csv-parser
  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./config/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - csv-parser
networks:
  csv-parser:
    external: true
volumes:
  caddy_data:
  caddy_config:

4. How I installed and ran Caddy:

Using docker-compose file

a. System environment:

Ubuntu Linux 20.04

b. Command:

docker-compose up --build -d

c. Service/unit/compose file:

docker-compose.yaml

d. My complete Caddy config:

{
    debug
    on_demand_tls {
        ask http://tls-check:5555/check
        
        burst 5
        interval 2m
    }
}

https:// {
    tls {
        on_demand
    }

    log {
        output stdout
    }

    encode gzip

    reverse_proxy csv-parser:8080 # It has its own domain: csv-parser.company.com

    # reverse_proxy another-container:8081 # If we enable this, both containers stop working. another-container.company.com
}

5. Links to relevant resources:

You need to use request matchers to tell Caddy how to split the traffic.

If you want to route by hostname, then add more site blocks.

You should only use On-Demand if you don’t know the domains ahead of time (i.e. you have customers pointing their domains to your server).

You shouldn’t use it for domains you do know (like csv-parser.company.com) and should instead make a site block for those.
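A Caddyfile that applies the advice above, added here as an example; it is not the original poster's config and not anything shipped by the Caddy project. The two company-owned domains get their own site blocks, so their certificates are managed ahead of time, and the `https://` catch-all keeps `on_demand` only for customer-owned hostnames, splitting them across the two containers with named host matchers. The container names, ports and the tls-check URL are taken from the post; the customer hostnames (`customer-a.example`, `app.customer-b.example`) and the second container's address `another-container:8081` are assumptions standing in for whatever registry tells you which product a customer signed up for.

```caddyfile
{
    debug
    on_demand_tls {
        # Assumption: tls-check answers 2xx only for hostnames that belong
        # to a known customer and non-2xx for everything else. Caddy sends
        # the hostname as the ?domain= query parameter.
        ask http://tls-check:5555/check
        burst 5
        interval 2m
    }
}

# Domains you control are known in advance: give them ordinary site
# blocks and let Caddy obtain their certificates eagerly, without
# on_demand and without consulting the ask endpoint.
csv-parser.company.com {
    encode gzip
    reverse_proxy csv-parser:8080
}

# Hypothetical second backend from the post's commented-out line.
another-container.company.com {
    encode gzip
    reverse_proxy another-container:8081
}

# Customer-owned domains, unknown until the customer points DNS at you,
# land in this catch-all. The ask endpoint gates certificate issuance;
# the matchers below decide which container serves which hostname.
https:// {
    tls {
        on_demand
    }

    log {
        output stdout
    }

    encode gzip

    # Constructed example lists. Wildcards cover subdomains only, so the
    # apex is listed separately.
    @csv_customers host customer-a.example *.customer-a.example
    reverse_proxy @csv_customers csv-parser:8080

    @other_customers host app.customer-b.example
    reverse_proxy @other_customers another-container:8081

    # Backstop: a hostname that passed the ask check but has no route
    # above must not fall through to an arbitrary backend.
    respond "unknown host" 404
}
```

The `ask` endpoint is the control that stops a stranger who points DNS at your IP from obtaining certificates at your expense (and consuming your ACME rate limits), so tls-check must reject any hostname that is not in these lists; the closing `respond 404` only covers a host that was allowed but never mapped. Caddy reaches tls-check over the compose network, so the service does not need to publish port 5555 on the host. Once the customer list outgrows hand-edited matchers, generate those lines from the same source tls-check reads, pull them in with `import`, and reload Caddy.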

Hi @francislavoie, thank you so much for your response. These domains are customer-managed domains and we are giving them the IP address of our server. I know we can use the Caddy operator if the domains are managed by us, but in our case customer domains are hosted on multiple platforms and most of the time the customers are not technical, so instead of disturbing them we want to handle that on our end. That's the reason we want to use the on_demand TLS directive in our use case. If you can help me, that will be highly appreciated.

You should have your customers make a CNAME to your own domain, not have them set an A record with your server’s IP.

Using a CNAME means you can change your domain's IP and all your customers' domains immediately follow, whereas with A records you're stuck with your customers pointing to the wrong IP if you need to change where your server is hosted.

What I said still applies. You need to use request matchers to split the traffic in some way. You need to configure Caddy to give it conditions on the request to route to the correct upstream.

You haven’t said what exactly you expect to happen (e.g. given a specific URL, where should it get routed, and so on for each possible URL your server receives) so I can’t give a more specific answer than that.

