Thousands of domains and rate limiting question

What happens for domains that don’t yet have a certificate because of rate limits?

Do they serve the page over http until a cert is obtained?
Are requests denied or do they timeout?

And is the process different if I put all the domains in the config versus using the on demand tls with the ask option?

Users will see a TLS handshake error.

It’s impossible to serve HTTP when a client requests HTTPS. If there’s no valid certificate, then the client has no way to trust anything the server sends, so it must throw up an error.

Yes, if all the domains are listed in your config then Caddy will immediately attempt to issue certificates as fast as possible.

If you enable On-Demand TLS, domains are not immediately issued, and it waits until the first TLS handshake to trigger issuance for that domain.


This may just be me misunderstanding how it works, but if a browser requests http, not https, what happens then?

Are they automatically forwarded to https?
Is it a configuration setting to forward to https and not automatic?
Does Caddy check for a cert then forward to https?

How is it automated?

My issue is I have thousands of domains that I would like to all be under https. I would like to swap dns over to the caddy server to reverse proxy those requests. Not having https right away is ok, but any site going down won’t work. That’s what I’m trying to figure out: if I need to do a slow rollout or can I just let caddy handle that?

By default Caddy redirects HTTP to HTTPS. And then if HTTPS isn’t ready yet they’ll see a handshake error.

If you explicitly configure Caddy to serve your site on HTTP, then that would work. But that’s not recommended, HTTP is not secure.

No, doesn’t check anything. Just immediately redirects.

Caddy’s feature called “Automatic HTTPS” augments your config to add HTTP->HTTPS redirects + augments any listed domains to have their certificates managed. You can turn this off in parts or entirely with the auto_https global option, but it’s recommended to leave it on.

Caddy will issue at the rate of 10 certs per 10 seconds. See Automatic HTTPS — Caddy Documentation which covers this. If you can do a gradual rollout by switching over DNS in small chunks at a time, that would probably be ideal, but probably not necessary.

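An added example Caddyfile (not from the thread or the Caddy project) showing the On-Demand TLS setup the replies describe: no hostnames are listed, so nothing is issued at startup, and the `ask` endpoint decides per hostname at first handshake. The ask URL and the upstream address are assumed.

```caddyfile
# Added example: many-domain reverse proxy with On-Demand TLS.
# Certificates are requested on the first TLS handshake for a hostname
# rather than for every domain at once, which keeps startup under the
# 10 certs / 10 seconds issuance rate described in the thread.
{
    # auto_https is left at its default (on): HTTP->HTTPS redirects are
    # added and certificates are managed for the site block below.
    on_demand_tls {
        # Before issuing, Caddy sends GET <ask URL>?domain=<hostname>.
        # Respond HTTP 200 to allow issuance, any other status to refuse.
        # This prevents arbitrary hostnames pointed at the server from
        # triggering certificate requests. (Assumed local endpoint.)
        ask http://127.0.0.1:5555/check
    }
}

# Catch-all HTTPS site: matches any hostname the ask endpoint approves.
https:// {
    tls {
        on_demand
    }
    # Assumed upstream; clients that hit a domain before its certificate
    # exists still see a TLS handshake error on that first request.
    reverse_proxy 127.0.0.1:8080
}
```

Until the ask endpoint answers 200 for a hostname, Caddy refuses to issue for it, so the endpoint is the control point for which of the thousands of domains are eligible.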

Thank you so much for the explanation. That makes it a lot easier to understand what I need to do to make the switch.

