Route On Demand TLS Domains Based on Ask Endpoint Response

Chukwuma_Zikora · January 1, 2025, 12:09pm

1. The problem I’m having:

This is not a problem per se. It’s more of a question/feature request. I am running caddy and two other apps, admin and client using docker. These are multi-tenant apps where customers can add customer domain for their client app and another for their admin app.

For assigned subdomains since I know the domains upfront, I can route the request to the correct app. But for custom domain, I don’t know how to handle that or if it is even possible currently.

Example. Customer 1 has an assigned subdomain for the admin app to be web.test.com, and an assigned subdomain for the client app to be web.test.pub.

I can forward all requests coming to *.test.com to admin app using the reverser_proxy and all requests coming to *.test.pub to the client app. But when customers set a custom domain for their apps, say admin.customer1.com for the admin app, and client.customer1.com for the client app, in the https:// on demand tls block I don’t have a way to tell which domain will be forwarded to which app. At least not without forcing customers to use a particular format for their domains(which we don’t want to do).

Is this something that caddy handles today? I don’t see any mention of how to handle it so far.

2. Error messages and/or full log output:

No Errors.

3. Caddy version:

docker image caddy:2.8

4. How I installed and ran Caddy:

a. System environment:

Ubuntu VPS

b. Command:

docker stack deploy -c docker-compose.yml app

c. Service/unit/compose file:

services:
  caddy:
    image: caddy:2.8
    deploy:
      restart_policy:
        condition: on-failure
    ports:
      - '80:80'
      - '443:443'
      - '443:443/udp'
    volumes:
      - ./docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config
    env_file:
      - ./docker/caddy/.env

  admin:
    image: admin:v0.0.0
    deploy:
      restart_policy:
        condition: on-failure

  client:
    image: client:v0.0.0
    volumes:
      - ./docker/client/cache:/app/.next/cache
    deploy:
      restart_policy:
        condition: on-failure

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

{
  email {$CADDY_EMAIL}
  # acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
  on_demand_tls {
    ask http://admin:3000/check-domain
  }
}

# Main domain and subdomains
{$ROOT_DOMAIN}, www.{$ROOT_DOMAIN} {
  encode zstd gzip
  root * /srv/marketing

  # Route all api requests from the marketing app to the admin app
  reverse_proxy /api/* admin:3000

  # Default behavior
	file_server
  tls internal
}

*.{$ROOT_DOMAIN} {
  encode zstd gzip
  reverse_proxy admin:3000
  tls internal
}

*.{$ROOT_CLIENT_DOMAIN} {
  encode zstd gzip
  reverse_proxy client:3000
  tls internal
}

# Catch-all for custom domains
https:// {
  tls {
    on_demand
  }
  encode zstd gzip

  # Todo: How to decide if the request is for the admin or client app?


  # Default fallback (optional)
  respond "Unknown Application" 404
}

Chukwuma_Zikora · January 1, 2025, 12:24pm

My first instinct was to ask if it is possible for the ask endpoint to return additonal data other 2xx Ok that caddy can use to decide how to route the request.

I have done some check and i don’t think this is supported. Is there a different way to handle this today?

I know caddy can be extended, but I don’t really know go so it’s not something I can get into.

system · January 31, 2025, 12:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.