Two tls methods conditionally


I’m having trouble with a complicated use case, would appreciate a fresh look.

I’m trying to use :80 and :443 but with both auto tls conditionally and self-signed certificates, something like this:

```
:80, :443 {
    tls a@b.c {
        max_certs 100
    }
    redir 301 {
        if {label1} is www
        / https://{label2}.{label3}{uri}
    }
}

:80, :443 {
    tls self_signed
    root /var/www/
}
```

Thanks in advance!

Hi @kolyasapphire,

How should Caddy determine which configuration to use?

Hi @Whitestrake

I was hoping to move if {label1} is www to a www.*.*:443 check to divide them.

In my mind I have domains with www with auto ssl and all the rest served with self signed certificates.

Thank you for looking into this!

I don’t believe that exact behaviour can be configured per the HTTP Caddyfile spec, emphasis mine:

Wildcard characters * can be used in a hostname. A wildcard must take the place of an entire domain label: * is valid but foo* is not. Hostnames may have more than one wildcard label, but they must be the left-most labels.

The closest configuration I can think of would be to use On-Demand TLS with an ask endpoint configured to respond affirmatively to hosts that begin with www. and negatively otherwise. With the latest Caddy version (0.11.1), this will serve a self-signed certificate when the ask endpoint returns a negative response.

You won’t be able to define separate site definitions, but your redir has an if statement that ensures it only fires in the event of a www hostname anyway, so you can simply stack the configuration you’ve given as an example into one site definition.
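What "stacking into one site definition" looks like in practice, written out here as an added example (not a configuration from the thread or from the Caddy project); the `ask` URL and path are assumed, and the redirect block is carried over unchanged from the original question:

```caddyfile
:80, :443 {
    # On-Demand TLS: before issuing a certificate Caddy sends
    # GET http://localhost:8888/allowed?domain=<hostname> and only
    # proceeds on a 200. Any other status falls back to self-signed
    # (per the 0.11.1 behaviour described above). URL is an assumption.
    tls a@b.c {
        max_certs 100
        ask http://localhost:8888/allowed
    }

    # Only fires for www.* hostnames, so it is harmless on the rest.
    redir 301 {
        if {label1} is www
        / https://{label2}.{label3}{uri}
    }

    root /var/www/
}
```

The `ask` endpoint, not the Caddyfile, is where the www-versus-everything-else decision lives; the site block itself no longer needs two copies.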


That sounds good! Will try this out, thanks a lot

Hi @Whitestrake

I couldn’t find any good usage examples of the ask setting, should the logic be built around the host header?

So something like:
```
tls {
    ask http://localhost:8888/allowed.php
}
```
And a php script returning 200 if host contains www and something else if it doesn’t.

Or what is the suggested usage?

Thanks in advance

  • ask is an alternative way to enable On-Demand TLS. On-Demand TLS is NOT recommended if the hostname is given in the Caddyfile and known at configuration-time! The URL will be queried via GET and should return a 200 status code if the domain form value from the query string is allowed to be given a certificate. Redirects at this endpoint are not followed. The URL should only be internally accessible. When using this option, Caddy does not enforce any extra rate limiting; your endpoint is expected to make wise decisions instead.

A PHP script with some simple logic would suffice.
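For anyone who wants to see the decision logic spelled out, here is an added example of such an `ask` endpoint in Go (not code from the thread, from Caddy, or from the Caddy docs). It assumes the endpoint is mounted at `/allowed` on `127.0.0.1:8888` and that Caddy supplies the hostname in the `domain` form value, as the quoted docs state. The policy is the one asked for above: 200 for hostnames starting with `www.`, 403 otherwise, so Caddy only ever requests certificates for www hosts:

```go
package main

import (
	"log"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// allowed reports whether a certificate may be obtained for domain.
// Policy (assumed, from the thread): only www.* hostnames get a real certificate;
// everything else is refused so Caddy serves its self-signed fallback instead.
func allowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(domain, ".")) // normalise case and trailing dot
	if !strings.HasPrefix(d, "www.") {
		return false
	}
	if len(d) > 253 || net.ParseIP(d) != nil { // too long, or an IP literal
		return false
	}
	labels := strings.Split(d, ".")
	if len(labels) < 3 { // need at least www.<name>.<tld>
		return false
	}
	for _, l := range labels {
		if !labelRe.MatchString(l) {
			return false
		}
	}
	return true
}

// askStatus maps the domain Caddy asked about to the HTTP status to return.
// Only 200 means "issue a certificate"; anything else is a refusal.
func askStatus(domain string) int {
	if domain == "" {
		return http.StatusBadRequest
	}
	if allowed(domain) {
		return http.StatusOK
	}
	return http.StatusForbidden
}

func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.FormValue("domain") // Caddy sends ?domain=<hostname>
	status := askStatus(domain)
	log.Printf("ask domain=%q -> %d", domain, status) // keep an audit trail of issuance decisions
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/allowed", askHandler)
	// Loopback only: the docs say this endpoint should be internally accessible,
	// and Caddy does no extra rate limiting on it, so never expose it publicly.
	log.Fatal(http.ListenAndServe("127.0.0.1:8888", nil))
}
```

Point the Caddyfile at it with `ask http://127.0.0.1:8888/allowed`. The validation beyond the `www.` prefix matters because, as the docs note, Caddy does no extra rate limiting here: an attacker who can point arbitrary names at your server can otherwise burn through the CA's issuance quota, and the `max_certs` cap is the only other brake.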

Thanks Matthew, somehow missed the form value part!

