Using caddy with GeoDNS

Hello, not sure if this is possible but I am trying to use Caddy with GeoDNS. I have 6 servers total all running the same server configuration and Caddy config (see below). I’m using AWS Route 53 to send the user/visitor to the server that’s in their continent.

For example, if a user is from the US they’ll be sent to one of the US servers, etc etc.

Does anyone have a good solution for this?

{
    email admin@mydomain(dot)com
    on_demand_tls {
        ask https://my.application.com/api/connect-domain
        interval 2m
        burst 5
    }
}

https:// {
    tls {
        on_demand
    }
    root * /var/www/html
    file_server
    php_fastcgi unix//run/php-fpm/www.sock
}

You’ll want to set up shared storage so that all your Caddy instances share the same storage backend.

This is important so that any Caddy instance can initiate the issuance process, and any other instance can complete issuance. They’ll all use the underlying storage as the source of truth, including locking.

If you’re using AWS, you might consider the DynamoDB storage plugin as an option, but be aware that DynamoDB can get quite expensive the more certificates you’re managing, so make sure to configure the storage_clean_interval to something high like 32 days. See “Cost of this module” (Issue #18, silinternational/certmagic-storage-dynamodb on GitHub) for context. At least a couple of companies are doing it this way already.

You could also consider using the Redis storage plugin, which should be much less expensive, but I’m not sure how easy it is to set up in AWS to have it globally distributed.


Thank you, so for the Redis one I presume I’d just need to add that plugin and then add this bit of config to each of my servers (with the correct info)?

{
    "admin": {
        "listen": "0.0.0.0:2019"
    },
    "storage": {
        "address": "redis:6379",
        "aes_key": "redistls-01234567890-caddytls-32",
        "db": 1,
        "host": "redis",
        "key_prefix": "caddytls",
        "module": "redis",
        "password": "",
        "port": "6379",
        "timeout": 5,
        "tls_enabled": false,
        "tls_insecure": true,
        "value_prefix": "caddy-storage-redis"
    }
}

How would I add that plugin to Caddy as well?

Yeah - but if you’re using the Caddyfile, then it won’t be JSON config. See the first example here: gamalan/caddy-tlsredis on GitHub (Redis Storage for Caddy TLS Data).

You’ll need to build Caddy with the plugin. Depends how you’re running Caddy. If you’re using Docker, then you can follow the instructions on Docker Hub, specifically the section “Adding custom Caddy modules”. Otherwise, download a binary with the plugins you need from the Download Caddy page, or use xcaddy to build it (see “Build from source” in the Caddy documentation).

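As an added example (not code from this thread or from the plugin’s own docs), here is the Caddyfile from the first post with the plugin’s storage global option merged in, which is the Caddyfile-form equivalent of the JSON block above; the Redis address, the environment variables and the email address are assumptions. Because the six instances sit in different continents, the Redis connection crosses networks, so this turns TLS on and sets tls_insecure to false instead of true, and keeps the password and AES key out of the file.

```caddyfile
{
    email admin@example.com   # assumed; replace with your contact address

    on_demand_tls {
        ask https://my.application.com/api/connect-domain
        interval 2m
        burst 5
    }

    # Shared certificate storage. Every instance in every region points at the
    # same Redis endpoint, so whichever instance a visitor reaches can start or
    # finish an issuance; the Redis keys also carry the issuance locks.
    storage redis {
        address redis.internal.example:6379   # assumed endpoint, reachable from all regions
        password {$REDIS_PASSWORD}             # assumed env var, substituted when the Caddyfile is parsed
        db 1
        key_prefix caddytls
        value_prefix caddy-storage-redis
        aes_key {$REDIS_AES_KEY}               # assumed env var; must be 32 bytes and identical on all instances
        timeout 5
        tls_enabled true                       # cross-region traffic: encrypt the Redis link
        tls_insecure false                     # and verify the Redis server certificate
    }
}

https:// {
    tls {
        on_demand
    }
    root * /var/www/html
    file_server
    php_fastcgi unix//run/php-fpm/www.sock
}
```

The same file goes on all six servers unchanged; only the environment variables are set per host.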

Trying to install xcaddy.
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

But:
-bash: xcaddy: command not found

You probably didn’t update your PATH to have the GOBIN location in it.

Alternatively you can download the xcaddy binary from github, or install it from the apt repo we provide, if you can’t figure it out.

Got it working and the Caddy server is up, is that all that needs doing (building caddy with the module, configuring the Caddyfile with that config on github and ensuring it’s connected to redis)?


Pretty much. You can test it by pointing a random subdomain you control to your Caddy stack, and make a request with curl overriding the resolver to point to the IP address of your different instances in the different geos to make sure they all work (with the --resolve curl option).


Ok, just tested and it works like a treat. Truly can’t thank you enough, if you have a pay/tip link please send it to me so I can send you a little something for your continued help.


Best thing you can do to support the project is to sponsor Matt (Sponsor @mholt on GitHub Sponsors) or get a business support plan: Caddy for Business


Thanks Francis, even though you’re the one who helped our friend here. 😄

@harrisonr I always recommend tipping the individuals who help you first, but if they insist that you support the project more directly, the best way to do that is probably through a sponsorship (Francis’ first link). 👍

I mean – I have a full-time job, so best if the money goes to you, cause if you’re not able to sustain the project, nobody else will!

