Two tls methods conditionally


(Nick) #1

Hi!

I’m having trouble with a complicated use case, would appreciate a fresh look.

I’m trying to use :80 and :443 but with both auto tls conditionally and self-signed certificates, something like this:

:80, :443 {
    tls a@b.c {
        max_certs 100
    }
    redir 301 {
        if {label1} is www
        / https://{label2}.{label3}{uri}
    }
}
:80, :443 {
    tls self_signed
    root /var/www/
}

Thanks in advance!


(Matthew Fay) #2

Hi @kolyasapphire,

How should Caddy determine which configuration to use?


(Nick) #3

Hi @Whitestrake

I was hoping to move if {label1} is www to a www.*.*:443 check to divide them.

In my mind I have domains with www with auto ssl and all the rest served with self signed certificates.

Thank you for looking into this!


(Matthew Fay) #4

I don’t believe that exact behaviour can be configured per the HTTP Caddyfile spec, emphasis mine:

Wildcard characters * can be used in a hostname. A wildcard must take the place of an entire domain label: *.example.com is valid but foo*.example.com is not. Hostnames may have more than one wildcard label, but they must be the left-most labels.

https://caddyserver.com/docs/http-caddyfile#addresses

The closest configuration I can think of would be to use On-Demand TLS with an ask endpoint configured to respond affirmatively to hosts that begin with www. and negatively otherwise. With the latest Caddy version (0.11.1), this will serve a self-signed certificate when the ask endpoint returns a negative response.

You won’t be able to define separate site definitions, but your redir has an if statement that ensures it only fires in the event of a www hostname anyway, so you can simply stack the configuration you’ve given as an example into one site definition.

https://caddyserver.com/docs/automatic-https#on-demand


(Nick) #5

That sounds good! Will try this out, thanks a lot


(Nick) #6

Hi @Whitestrake

I couldn’t find any good usage examples of the ask setting, should the logic be built around the host header?

So something like:

tls {
    ask http://localhost:8888/allowed.php
}

And a PHP script returning 200 if the host contains www and something else if it doesn't.

Or what is the suggested usage?

Thanks in advance


(Matthew Fay) #7
  • ask is an alternative way to enable On-Demand TLS. On-Demand TLS is NOT recommended if the hostname is given in the Caddyfile and known at configuration-time! The URL will be queried via GET and should return a 200 status code if the domain form value from the query string is allowed to be given a certificate. Redirects at this endpoint are not followed. The URL should only be internally accessible. When using this option, Caddy does not enforce any extra rate limiting; your endpoint is expected to make wise decisions instead.

https://caddyserver.com/docs/tls

A PHP script with some simple logic would suffice.
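As an added example (not code from this thread or from the Caddy project), here is the ask endpoint that replies #4 and #7 describe, written in Go instead of the PHP script Nick proposed. It assumes a hypothetical path /ask served on localhost:8888; Caddy's GET with the domain form value, the 200-means-allowed contract and the loopback-only binding follow the docs quoted above. A name is allowed only when it starts with www. and has at least three labels (www.example.com), which is the www.*.* split Nick asked for; any other name gets a 403, so Caddy falls back to its self-signed certificate.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// hostAllowed decides whether Caddy may obtain a certificate for the
// requested name. Only lowercase-normalised names that begin with "www."
// and carry at least three non-empty labels are accepted; everything else
// is refused so Caddy serves its self-signed certificate instead.
func hostAllowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if !strings.HasPrefix(d, "www.") {
		return false
	}
	labels := strings.Split(d, ".")
	if len(labels) < 3 {
		return false
	}
	for _, l := range labels {
		if l == "" {
			return false
		}
	}
	return true
}

// askHandler is the endpoint referenced by `ask http://localhost:8888/ask`
// (hypothetical path). Caddy issues GET /ask?domain=<name>; a 200 means
// "issue a certificate", anything else means "refuse".
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	domain := r.FormValue("domain")
	if domain == "" || !hostAllowed(domain) {
		log.Printf("ask: refused %q", domain)
		w.WriteHeader(http.StatusForbidden)
		return
	}
	log.Printf("ask: allowed %q", domain)
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/ask", askHandler)
	// Bind to loopback only: the docs say the ask URL should be
	// internally accessible, and Caddy does no extra rate limiting for it.
	log.Fatal(http.ListenAndServe("127.0.0.1:8888", nil))
}
```

The decision lives in hostAllowed rather than in the handler so the rule can be unit-tested without a listener; logging every refusal is worth keeping, since the docs leave rate limiting entirely to this endpoint and the log is the only record of names that were asked for and denied.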


(Nick) #8

Thanks Matthew, somehow missed the form value part!