[V1] Catch-all domain with on demand option

1. My Caddy version (caddy -version):

Caddy v1.0.4 (h1:wwuGSkUHo6RZ3oMpeTt7J09WBB87X5o+IZN4dKehcQE=)

2. How I run Caddy:

systemd

a. System environment:

uname -a
Linux fnando 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

d. My complete Caddyfile:

mydomain.dev http://mydomain.dev *.mydomain.dev http://*.mydomain.dev {
  tls {
    dns route53
  }

  proxy / :5000 {
    transparent
  }
}


* {
  tls {
    dns route53
    ask http://localhost:5000/valid-acme-host
  }

  proxy / :5000 {
    transparent
  }
}

3. The problem I’m having:

I’m trying to use Caddy as a proxy server for my heroku app. It’s the classic “customer’s CNAME pointing to your subdomains” use case. Let’s say I have a CNAME sample.mydomain.dev pointing to propitious-gnu-7335.mydomain.dev.

My idea is using Caddy to automatically manage my own certs (the first block), while proxying every other host (which I don’t know beforehand) to the app. The second block (*) would then ask my app if a cert should be issued or not, following tls.ask requirements.

Is there any way of enabling a * matcher like the one I’m trying? Am I missing something or isn’t this scenario supported at all?

Alternatively, is there any way I can provide certs via an HTTP call, bypassing Caddy’s ACME support entirely? Something like:

tls {
  ask_certs https://localhost:5000/certs
}

4. Error messages and/or full log output:

There’s no error log other than:

Jan 24 22:13:17 fnando caddy[1593]: http: TLS handshake error from 104.200.132.222:4780: no certificate available for 'sample.mydomain.dev'

Notice that the application never receives the tls.ask call.

5. What I already tried:

If I use sample.fnando.com instead of *, then the tls.ask requirement works as expected, but that’s not something I would like to manage myself (creating config files, reloading Caddy, etc).

mydomain.dev http://mydomain.dev *.mydomain.dev http://*.mydomain.dev {
  tls {
    dns route53
  }

  proxy / :5000 {
    transparent
  }
}


sample.mydomain.dev {
  tls {
    dns route53
    ask http://localhost:5000/valid-acme-host
  }

  proxy / :5000 {
    transparent
  }
}

6. Links to relevant resources:

https://caddyserver.com/v1/docs/automatic-https
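The part of this setup that the original post leaves implicit is the `/valid-acme-host` endpoint itself. Caddy v1's on-demand `ask` makes a GET request to that URL with the requested SNI name in a `domain` query parameter and obtains a certificate only if the response status is 2xx; anything else refuses issuance. Because that decision is what stops Caddy from requesting certificates (and burning ACME rate limits) for any name an attacker merely points at the server, the endpoint should be an explicit allowlist that also rejects malformed input. The following is an added example, not code from the original post or from Caddy: the allowlist entries are constructed sample data, the path `/valid-acme-host` and the listen address `127.0.0.1:5000` are taken from the first Caddyfile above, and in a real app the lookup would hit the customer database.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
	"sync"
)

// Hostnames that customers have verified with the app. Constructed sample
// data for this example; a real app would look these up in its database.
var allowedHosts = map[string]bool{
	"sample.mydomain.dev":      true,
	"www.customer-one.example": true,
}
var allowedMu sync.RWMutex

// normalizeHost canonicalises the value Caddy sends in the domain query
// parameter. It returns ok=false for anything that is not a plain DNS name
// (empty, wildcard, IP literal, over-long or non-LDH labels) so that such
// names can never be authorised by a sloppy database lookup.
func normalizeHost(raw string) (string, bool) {
	name := strings.ToLower(strings.TrimSpace(raw))
	name = strings.TrimSuffix(name, ".") // absolute form "host." is the same host
	if name == "" || len(name) > 253 {
		return "", false
	}
	if net.ParseIP(name) != nil {
		return "", false // IP literals are never a customer domain
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" || len(label) > 63 {
			return "", false
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return "", false
		}
		for _, r := range label {
			if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-') {
				return "", false // rejects "*", "_", unicode, etc.
			}
		}
	}
	return name, true
}

// allowedDomain is the authorisation decision Caddy is asking for: true only
// for names we have on file. Unknown names are refused so Caddy never
// requests a certificate for a host an attacker merely CNAMEd at us.
func allowedDomain(raw string) bool {
	name, ok := normalizeHost(raw)
	if !ok {
		return false
	}
	allowedMu.RLock()
	defer allowedMu.RUnlock()
	return allowedHosts[name]
}

// askHandler answers GET /valid-acme-host?domain=<name>. Caddy treats any
// 2xx status as "issue a certificate" and any other status as "refuse".
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	domain := r.URL.Query().Get("domain")
	if allowedDomain(domain) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "ok")
		return
	}
	// Log refusals: a burst of unknown names is an early sign of abuse.
	log.Printf("refusing certificate for %q", domain)
	http.Error(w, "domain not allowed", http.StatusForbidden)
}

func main() {
	http.HandleFunc("/valid-acme-host", askHandler)
	// Bind to loopback so only the local Caddy can ask; this matches the
	// http://localhost:5000 URL used in the Caddyfile above.
	log.Fatal(http.ListenAndServe("127.0.0.1:5000", nil))
}
```

Two design points worth keeping in mind: the handler is called during the TLS handshake of every unknown SNI name, so it must be cheap (a keyed lookup, not a scan) and must fail closed; and it is an authorization oracle, so it belongs on loopback or behind an authenticated internal route rather than on a public hostname reached over plain HTTP.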

I managed to make it work!

mydomain.dev *.mydomain.dev http://mydomain.dev http://*.mydomain.dev {
  tls {
    dns route53
  }

  proxy / https://myapp.herokuapp.com {
    header_upstream Host {host}
    header_upstream X-Real-IP {remote}
    header_upstream X-Forwarded-For {remote}
    header_upstream X-Forwarded-Port {server_port}
    header_upstream X-Forwarded-Proto {scheme}
    timeout 5s
  }
}

https:// {
  tls {
    ask http://myapp.herokuapp.com/caddy/allowed-domain
  }

  proxy / https://myapp.herokuapp.com {
    header_upstream Incoming-Host {host}
    header_upstream X-Real-IP {remote}
    header_upstream X-Forwarded-For {remote}
    header_upstream X-Forwarded-Port {server_port}
    header_upstream X-Forwarded-Proto {scheme}
    timeout 5s
  }
}
