Temporarily redirect to HTTP while certificate is being generated

1. The problem I’m having:

I am deploying Caddy in a setup where I have a need to generate a lot of certificates (on a random day, I might need 40k new certificates). The certificates take a bit to generate, and while they are generating, I’d like to redirect traffic to http.

My question is, is this kind of setup possible? My first thought was to look at file existence in the http block and redirect to https. But then how do I redirect from https to http?

Anyway, I’m not using the file storage adapter, but Redis. Ideally, in the https block Caddy should look at the storage adapter, check if the certificate exists, if not, redirect to http.

On the http block, check if the certificate exists, if it does, redirect to https.

If it helps somehow using the file adapter, I could see if I could swap, but that would give me other issues with synchronizing the certificates.

It’s impossible. The browsers/clients cannot trust anything the server tells them if the TLS handshake failed. It’s important for security.


Hi Francis,

At the very least the redirect from http => https should be possible, right? I understand that https => http could impose security risks, didn’t think of that.

Yes, Caddy automatically redirects HTTP to HTTPS. But if the HTTPS handshake fails, nothing can be done.


The problem is, I don’t want the redirect from http => https as long as the certificate hasn’t been issued. Only when the certificate has been issued, I want to redirect http => https.

This way, if the issuance takes an hour (because of rate limits or whatever), a page can be served over http saying that the domain will be online soon (or whatever).

That’s not currently possible, but it could be using a plugin which reads from Caddy’s storage to check if a cert exists in storage.


Alright, thanks for the information. I’ll see if I can create a plugin for this.

Oh yeah, just remembered. The problem with your suggested approach is that if someone hits HTTP and then doesn’t get redirected to HTTPS “because HTTPS isn’t ready yet”, On-Demand might never trigger, so it would just always show that HTTPS isn’t ready because nobody is even trying HTTPS.

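A sketch of the port-80 handler the two previous posts describe, as an added example that is not code from this thread or from Caddy itself. It is plain net/http rather than a Caddy module, so module registration, Provision and the real ctx.Storage() plumbing are left out; the CertStorage interface, the memStorage stand-in for Redis, the certmagic-style key layout in certKey, the issuer key string and the Allowed/Trigger hooks are all names and assumptions chosen here. The Allowed hook is the part a practitioner should not skip: the check runs on the Host header, so anything that kicks off issuance from plain HTTP needs the same gate as On-Demand’s ask endpoint, otherwise anyone can burn your issuer rate limits on arbitrary names.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// CertStorage is the one method the handler needs from a storage backend. certmagic.Storage
// has a matching Exists(ctx, key) bool; using this narrow interface is an assumption of the example.
type CertStorage interface {
	Exists(ctx context.Context, key string) bool
}

// memStorage is a constructed in-memory stand-in for the Redis or file storage adapter.
type memStorage map[string]struct{}

func (m memStorage) Exists(_ context.Context, key string) bool { _, ok := m[key]; return ok }
func (m memStorage) Put(key string)                            { m[key] = struct{}{} }

// certKey builds the storage key of a domain's leaf certificate. The layout
// certificates/<issuer key>/<domain>/<domain>.crt follows certmagic's default naming, but treat
// it as an assumption and confirm it against the certmagic version you build with.
func certKey(issuerKey, domain string) string {
	return fmt.Sprintf("certificates/%s/%s/%s.crt", issuerKey, domain, domain)
}

var hostnameRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$`)

// normalizeHost lowercases the Host header, drops a port and rejects anything that is not a plain
// DNS name. Host is attacker controlled, so storage lookup, trigger and redirect only see a validated name.
func normalizeHost(host string) (string, bool) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" || !hostnameRE.MatchString(host) {
		return "", false
	}
	return host, true
}

// RedirectWhenReady is a plain net/http middleware for the port-80 side: redirect to HTTPS only
// once the certificate exists in storage; until then ask for issuance and serve the placeholder.
type RedirectWhenReady struct {
	Storage     CertStorage
	IssuerKey   string
	Allowed     func(domain string) bool // same role as On-Demand's "ask": may this name be issued?
	Trigger     func(domain string)      // starts issuance (e.g. an internal HTTPS sub-request); nil = no-op
	Placeholder http.Handler             // "coming soon" page while the cert is missing
}

func (h *RedirectWhenReady) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	domain, ok := normalizeHost(r.Host)
	if !ok || (h.Allowed != nil && !h.Allowed(domain)) {
		// Unknown or malformed names never reach storage or the issuer, so port 80 cannot burn rate limits.
		http.Error(w, "unknown host", http.StatusBadRequest)
		return
	}
	if h.Storage.Exists(r.Context(), certKey(h.IssuerKey, domain)) {
		// 308 keeps method and body; the target is the validated name, not the raw header.
		http.Redirect(w, r, "https://"+domain+r.URL.RequestURI(), http.StatusPermanentRedirect)
		return
	}
	if h.Trigger != nil {
		h.Trigger(domain) // otherwise nobody ever hits HTTPS and On-Demand never fires
	}
	h.Placeholder.ServeHTTP(w, r)
}

// newExampleHandler wires the middleware with constructed sample values; the issuer key string
// and the allow-list are assumptions for the demo, not something read from Caddy.
func newExampleHandler(store CertStorage, triggered *[]string) *RedirectWhenReady {
	return &RedirectWhenReady{
		Storage:   store,
		IssuerKey: "acme-v02.api.letsencrypt.org-directory",
		Allowed:   func(d string) bool { return d == "example.com" },
		Trigger:   func(d string) { *triggered = append(*triggered, d) },
		Placeholder: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusServiceUnavailable) // not 200, so caches and crawlers retry later
			fmt.Fprintln(w, "certificate is being issued; HTTPS will be available shortly")
		}),
	}
}

func main() {
	store, triggered := memStorage{}, []string{}
	h := newExampleHandler(store, &triggered)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "http://example.com/", nil))
	fmt.Println("before issuance:", rec.Code, "triggered:", triggered)
}
```

Once `store.Put(certKey(...))` has happened for a name, the same request gets a 308 to `https://<name>/...`; before that it gets the 503 placeholder and the Trigger hook fires exactly once per request, which is where a real plugin would start the On-Demand issuance the previous post warns would otherwise never happen.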

Yes, I have thought of that. I’d need to trigger certificate generation as well when over HTTP (either by sending a sub-request or through internal method calls). But I suppose that is doable.

I created a draft of my http handler, but I’m still searching for the right method to call to check for cert existence. I’m currently calling tlsApp.HasCertificateForSubject() but that seems to be failing for now.

Might be stupidity or the wrong method, but I have no experience with Go and I’m trying to figure out how the Caddy internals work, so bear with me.

Any help would be appreciated. My current code:
