On_Demand TLS on one domain but redirect user to different domain

1. The problem I’m having:

Domain redirects to different domain but when I want to access the current domain from where it’s getting redirect to other domain on ‘/path’ it’s also get’s redirect to other domain where Im redirecting on ‘/’ path

Below is what I want to acheive:
I want if user hit subdomain.maindomain.com/path my service running on ask will authenticate the request and generate SSL for the domain. But stays on same server that is being reverse_proxy inside https:// {} directive

But if user hit subdomain.maindomain.com/

User gets redirect to maindomain.com, and this website is hosted somewhere else

2. Error messages and/or full log output:

{"level":"info","ts":1702300851.7002218,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1702300851.7020423,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1702300851.7039168,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1702300851.7043035,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1702300851.704455,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003fbf80"}
{"level":"debug","ts":1702300851.705091,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["subdomain.maindomain.com"]},{"on_demand":true}],"on_demand":{"ask":"http://tls-check:5555/check","rate_limit":{"interval":120000000000,"burst":5}}}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}],"logs":{"default_logger_name":"log0","skip_hosts":["subdomain.maindomain.com"]}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"static_response","headers":{"Location":["https://maindomain.com{http.request.uri}"]},"status_code":301}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"encodings":{"gzip":{}},"handler":"encode","prefer":["gzip"]},{"handler":"reverse_proxy","upstreams":[{"dial":"csv-parser:8080"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"logs":{"default_logger_name":"log0","skip_hosts":["subdomain.maindomain.com"]}}}}}
{"level":"info","ts":1702300851.7060714,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1702300851.7063031,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"debug","ts":1702300851.7065043,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1702300851.7065866,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1702300851.7067087,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1702300851.7067697,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1702300851.7068295,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["subdomain.maindomain.com"]}
{"level":"debug","ts":1702300851.711387,"logger":"tls","msg":"loading managed certificate","domain":"subdomain.maindomain.com","expiration":1709503007,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
{"level":"info","ts":1702300851.7141385,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1702300851.7252274,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1702300851.798068,"logger":"tls.cache","msg":"added certificate to cache","subjects":["subdomain.maindomain.com"],"expiration":1709503007,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"39e63cbc261eb2babf82e341d527c19a5e8230955eca9a39b5fb198697e6016d","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1702300851.798127,"logger":"events","msg":"event","name":"cached_managed_cert","id":"2d43c617-e553-430d-b4bf-ea06fab731d0","origin":"tls","data":{"sans":["subdomain.maindomain.com"]}}
{"level":"info","ts":1702300851.7986722,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1702300851.7988784,"msg":"serving initial configuration"}
{"level":"debug","ts":1702300873.1119082,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f98addb2-3bbf-431e-8736-81981e0f4463","origin":"tls","data":{"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"subdomain.maindomain.com","SupportedCurves":[10794,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"Conn":{}}}}
{"level":"debug","ts":1702300873.112106,"logger":"tls.handshake","msg":"choosing certificate","identifier":"subdomain.maindomain.com","num_choices":1}
{"level":"debug","ts":1702300873.1121278,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"subdomain.maindomain.com","subjects":["subdomain.maindomain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"39e63cbc261eb2babf82e341d527c19a5e8230955eca9a39b5fb198697e6016d"}
{"level":"debug","ts":1702300873.1121376,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"182.180.66.230","remote_port":"62788","subjects":["subdomain.maindomain.com"],"managed":true,"expiration":1709503007,"hash":"39e63cbc261eb2babf82e341d527c19a5e8230955eca9a39b5fb198697e6016d"}
{"level":"debug","ts":1702300873.355125,"logger":"events","msg":"event","name":"tls_get_certificate","id":"2ddab28f-a49b-458e-b1fe-c39f2664f303","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"subdomain.maindomain.com","SupportedCurves":[19018,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[23130,772,771],"Conn":{}}}}
{"level":"debug","ts":1702300873.3552253,"logger":"tls.handshake","msg":"choosing certificate","identifier":"subdomain.maindomain.com","num_choices":1}
{"level":"debug","ts":1702300873.3552523,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"subdomain.maindomain.com","subjects":["subdomain.maindomain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"39e63cbc261eb2babf82e341d527c19a5e8230955eca9a39b5fb198697e6016d"}
{"level":"debug","ts":1702300873.3552635,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"182.180.66.230","remote_port":"62789","subjects":["subdomain.maindomain.com"],"managed":true,"expiration":1709503007,"hash":"39e63cbc261eb2babf82e341d527c19a5e8230955eca9a39b5fb198697e6016d"}
{"level":"debug","ts":1702301673.1089375,"logger":"http.stdlib","msg":"http: TLS handshake error from 66.160.133.237:40465: tls: client offered only unsupported versions: [302 301]"}

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

a. System environment:

Docker

b. Command:

docker-compose up --build -d

c. Service/unit/compose file:

version: '3.8'

services:
  csv-parser:
    build:
      context: .
    # volumes:
    #   - ../app:/app
    ports:
      - "8080:8080"
    networks:
      - csv-parser

  tls-check:
    build:
      context: ./tls-check
    # volumes:
    #   - ../app:/app
    ports:
      - "5555:5555"
    networks:
      - csv-parser

  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./config/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - csv-parser

networks:
  csv-parser:
    external: true

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

{
    debug
    on_demand_tls {
        ask http://tls-check:5555/check # At this path I'm only authenticating subdomain.maindomain.com

        burst 5
        interval 2m
    }
}

subdomain.maindomain.com {
    redir https://maindomain.com{uri} permanent
}

https:// {
    tls {
        on_demand
    }

    log {
        output stdout
    }

    encode gzip

    reverse_proxy csv-parser:8080
}

5. Links to relevant resources:

You don’t need On-Demand TLS if you explicitly configure the domain in your Caddyfile as a site, because Caddy will already manage a certificate for that domain.

I’m not sure I understand the problem here. I find your question’s wording a bit confusing. What’s happening right now with this config that you don’t want to happen?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.