Using caddy with GeoDNS

harrisonr · October 31, 2021, 3:54pm

Hello, not sure if this is possible but I am trying to use Caddy with GeoDNS. I have 6 servers total all running the same server configuration and Caddy config (see below). I’m using AWS Route 53 to send the user/visitor to the server that’s in their continent.

For example, if a user is from the US they’ll be sent to one of the US servers, etc etc.

Does anyone have a good solution for this?

{
   email admin@mydomain(dot)com
    on_demand_tls {
            ask https://my.application.com/api/connect-domain
            interval 2m
            burst 5
    }
}

https:// {
        tls {
                on_demand
        }
        root * /var/www/html
        file_server
        php_fastcgi unix//run/php-fpm/www.sock
}

francislavoie · October 31, 2021, 4:40pm

You’ll want to set up shared storage so that all your Caddy instances share the same storage backend.

This is important so that any Caddy instance can initiate the issuance process, and any other instance can complete issuance. They’ll all use the underlying storage as the source of truth, including locking.

If you’re using AWS, you might consider the DynamoDB storage plugin as an option, but be aware that DynamoDB can get quite expensive the more certificates you’re managing, so make sure to configure the storage_clean_interval to something high like 32 days. See Cost of this module · Issue #18 · silinternational/certmagic-storage-dynamodb · GitHub for context. At least a couple companies are doing it this way already.

You could also consider using the Redis storage plugin, which should be much less expensive, but I’m not sure how easy it is to set up in AWS to have it globally distributed.

harrisonr · October 31, 2021, 5:31pm

Thank you, so for the Redis one I presume I’d just need to add that plugin and then add this bit of config to each of my servers (with the correct info)?

{
    "admin": {
        "listen": "0.0.0.0:2019"
    },
    "storage": {
        "address": "redis:6379",
        "aes_key": "redistls-01234567890-caddytls-32",
        "db": 1,
        "host": "redis",
        "key_prefix": "caddytls",
        "module": "redis",
        "password": "",
        "port": "6379",
        "timeout": 5,
        "tls_enabled": false,
        "tls_insecure": true,
        "value_prefix": "caddy-storage-redis"
    }
}

How would I add that plugin to Caddy as well?

francislavoie · October 31, 2021, 5:45pm

Yeah - but if you’re using the Caddyfile, then it won’t be JSON config. See the first example here: GitHub - gamalan/caddy-tlsredis: Redis Storage using for Caddy TLS Data

You’ll need to build Caddy with the plugin. Depends how you’re running Caddy. If you’re using Docker, then you can follow the instructions on Docker, specifically the section “Adding custom Caddy modules”. Otherwise, download a binary with the plugins you need from Download Caddy or use xcaddy to build it Build from source — Caddy Documentation.

harrisonr · October 31, 2021, 8:18pm

Trying to install xcaddy.
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

But:
-bash: xcaddy: command not found

francislavoie · October 31, 2021, 9:38pm

You probably didn’t update your PATH to have the GOBIN location in it.

Alternatively you can download the xcaddy binary from github, or install it from the apt repo we provide, if you can’t figure it out.

harrisonr · October 31, 2021, 9:40pm

Got it working and the Caddy server is up, is that all that needs doing (building caddy with the module, configuring the Caddyfile with that config on github and ensure its connected to redis)?

francislavoie · October 31, 2021, 9:53pm

Pretty much. You can test it by pointing a random subdomain you control to your Caddy stack, and make a request with curl overriding the resolver to point to the IP address of your different instances in the different geos to make sure they all work (with the --resolve curl option).

harrisonr · October 31, 2021, 10:04pm

Ok, just tested and it works like a treat. Truly can’t thank you enough, if you have a pay/tip link please send it me so I can send you a little something for you continued help.

francislavoie · October 31, 2021, 10:15pm

Best thing you can do to support the project is to sponsor Matt Sponsor @mholt on GitHub Sponsors · GitHub or get a business support plan: Caddy for Business

matt · November 1, 2021, 3:13am

Thanks Francis, even though you’re the one who helped our friend here.

@harrisonr I always recommend tipping the individuals who help you first, but if they insist that you support the project more directly, the best way to do that is probably through a sponsorship (Francis’ first link).

francislavoie · November 1, 2021, 3:43am

I mean – I have a full-time job, so best if the money goes to you, cause if you’re not able to sustain the project, nobody else will!

system · November 30, 2021, 3:54pm

This topic was automatically closed after 30 days. New replies are no longer allowed.