Thank you, thank you – this was SUPER helpful! I’ve taken your suggestions and updated my setup as you described. It seems to be working as expected, which is fantastic.
I also found a helpful blog post that basically implements your suggestion (in case it’s useful for future readers here): How we provision SSL to our SaaS customers with custom domains - Saax
My new Caddyfile is this:
{
    on_demand_tls {
        # Before obtaining a certificate for a name, Caddy sends a GET to this URL
        # with ?domain=<name>; a 200 response permits issuance, anything else denies it.
        ask https://www.SAASAPP.com/api/validate_domain
        # Rate limit on-demand certificate operations: at most `burst` per `interval`.
        interval 2m
        burst 5
    }
}

:443 {
    # Proxy every customer domain to the SaaS origin, telling the origin which
    # customer host the request came in on.
    reverse_proxy https://www.SAASAPP.com {
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host {host}
    }
    tls {
        # Obtain certificates lazily at first TLS handshake, gated by the `ask` endpoint above.
        on_demand
    }
    log {
        output file /var/log/caddy/access.log
    }
}
On-Demand TLS seems like magic! I now just have a couple of basic questions around the On-Demand TLS feature I was hoping you could help answer:
- I'm getting requests to /api/validate_domain with domain=CUSTOMERDOMAIN.com, which makes sense. I'm validating those with 200s. I am also getting requests with domain=<PROXY_IP>, where PROXY_IP is the IP of the DigitalOcean droplet that is hosting my Caddy server. Is this expected? Should I whitelist it as well?
- What is the expected behavior when a non-registered domain tries to use my Caddy proxy to route to my SaaS app? I wasn't able to find any documentation around this. When I first set this up (before whitelisting CUSTOMERDOMAIN.com), the initial requests to CUSTOMERDOMAIN.com were still making it through fine, but I wasn't sure if it was due to some local caching on my end.
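The following is an added example, not code from the post above, from Caddy, or from the linked blog post. It is a minimal stand-in for the `ask` endpoint the Caddyfile points at (`/api/validate_domain`): Caddy requests it with a `domain` query parameter and treats a 200 response as permission to obtain a certificate and any other status as a denial. The allow-list `REGISTERED_DOMAINS`, the listening port, plain HTTP instead of the HTTPS URL used in the Caddyfile, and the choice to refuse IP literals and malformed names outright are all assumptions of this example (in production the lookup would be a database query against domains customers have proven they own). The decision logic is kept in `decide()` so it can be tested without starting the server.

```python
"""Minimal `ask` endpoint for Caddy On-Demand TLS (added example, not Caddy's own code)."""
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hypothetical allow-list standing in for the SaaS app's customer-domain table.
REGISTERED_DOMAINS = {"customerdomain.com", "www.customerdomain.com"}

# Conservative DNS hostname syntax: dot-separated labels of letters, digits and
# hyphens (no leading/trailing hyphen), alphabetic TLD, at most 253 chars total.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def normalize(domain: str) -> str:
    """Lower-case and strip a single trailing dot (FQDN form) and surrounding whitespace."""
    return domain.strip().lower().rstrip(".")


def is_ip_literal(name: str) -> bool:
    """True if `name` is an IPv4/IPv6 address (optionally bracketed), not a hostname."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def decide(domain: str, registered=REGISTERED_DOMAINS) -> tuple[int, str]:
    """Map an `ask` request's domain to (HTTP status, reason).

    200 tells Caddy it may obtain a certificate for the name; every other
    status denies it. Denials are distinct from bad input so the access log
    shows scanner noise (IP literals, garbage SNI) separately from real
    not-yet-registered customer domains.
    """
    if not domain:
        return 400, "missing domain"
    name = normalize(domain)
    if is_ip_literal(name):
        # Design choice for this example: the allow-list holds hostnames only,
        # so an address is never something we would issue a certificate for.
        return 403, "ip literal"
    if not HOSTNAME_RE.match(name):
        return 400, "malformed hostname"
    if name in registered:
        return 200, "ok"
    return 403, "not registered"


class AskHandler(BaseHTTPRequestHandler):
    """Serves GET /api/validate_domain?domain=<name> for Caddy's `ask` directive."""

    def do_GET(self) -> None:
        url = urlparse(self.path)
        if url.path != "/api/validate_domain":
            self.send_response(404)
            self.end_headers()
            return
        domain = parse_qs(url.query).get("domain", [""])[0]
        status, reason = decide(domain)
        # Log every decision: denied names are exactly what an operator wants to review.
        self.log_message("ask domain=%r -> %d (%s)", domain, status, reason)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # Hypothetical bind address; Caddy's `ask` URL would point here (behind TLS in production).
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()
```

Run it and try `curl -i 'http://127.0.0.1:8080/api/validate_domain?domain=customerdomain.com'` versus one with an unregistered name or an IP address to see the 200/403 split Caddy acts on. Whether refusing IP literals is the right policy depends on what your CA will issue and what names you expect; the point of keeping them out of the allow-list is that the `ask` endpoint is the only gate between an arbitrary TLS client's SNI and a certificate request made on your behalf, so it should answer 200 for exactly the names you have verified.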