Two tls methods conditionally

kolyasapphire · November 13, 2018, 8:19pm

Hi!

I’m having trouble with a complicated use case, would appreciate a fresh look.

I’m trying to use :80 and :443 but with both auto tls conditionally and self-signed certificates, something like this:

:80, :443 {
tls a@b.c {
max_certs 100
}
     redir 301 {
         if {label1} is www
         / https://{label2}.{label3}{uri}
}
}
:80, :443 {
tls self_signed
root /var/www/
}

Thanks in advance!

Whitestrake · November 13, 2018, 11:40pm

Hi @kolyasapphire,

How should Caddy determine which configuration to use?

kolyasapphire · November 14, 2018, 1:01am

Hi @Whitestrake

I was hoping to move if {label1} is www to a www.*.*:443 check to divide them.

In my mind I have domains with www with auto ssl and all the rest served with self signed certificates.

Thank you for looking into this!

Whitestrake · November 14, 2018, 1:20am

I don’t believe that exact behaviour can be configured per the HTTP Caddyfile spec, emphasis mine:

Wildcard characters * can be used in a hostname. A wildcard must take the place of an entire domain label: *.example.com is valid but foo*.example.com is not. Hostnames may have more than one wildcard label, but they must be the left-most labels.

—https://caddyserver.com/docs/http-caddyfile#addresses

The closest configuration I can think of would be to use On-Demand TLS with an ask endpoint configured to respond affirmatively to hosts that begin with www. and negatively otherwise. With the latest Caddy version (0.11.1), this will serve a self-signed certificate when the ask endpoint returns a negative response.

You won’t be able to define separate site definitions, but your redir has an if statement that ensures it only fires in the event of a www hostname anyway, so you can simply stack the configuration you’ve given as an example into one site definition.

kolyasapphire · November 14, 2018, 1:49am

That sounds good! Will try this out, thanks a lot

kolyasapphire · November 22, 2018, 9:05pm

Hi @Whitestrake

I couldn’t find any good usage examples of the ask setting, should the logic be built around the host header?

So something like:
tls {
ask http://localhost:8888/allowed.php
}
And a php script returning 200 if host contains www and something else if it doesn’t.

Or what is the suggested usage?

Thanks in advance

Whitestrake · November 22, 2018, 11:10pm

ask is an alternative way to enable On-Demand TLS. On-Demand TLS is NOT recommended if the hostname is given in the Caddyfile and known at configuration-time! The URL will be queried via GET and should return a 200 status code if the domain form value from the query string is allowed to be given a certificate. Redirects at this endpoint are not followed. The URL should only be internally accessible. When using this option, Caddy does not enforce any extra rate limiting; your endpoint is expected to make wise decisions instead.

—https://caddyserver.com/docs/tls

A PHP script with some simple logic would suffice.

kolyasapphire · November 22, 2018, 11:25pm

Thanks Matthew, somehow missed the form value part!

system · February 20, 2019, 11:25pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.