Caddy: v2: on-demand TLS configuration in Caddyfile

Created on 18 Feb 2020 · 9 Comments · Source: caddyserver/caddy

Hi there

I'm searching for the "on demand" configuration in Caddyfile V2. So far I only found this example through the API https://caddy.community/t/v2-http-to-https-redirects-fail-for-on-demand-ssl-certs/6742

I know it's work in progress, I'd just like a confirmation it's still to be done, and an issue to track the feature.

Best regards,

feature request

All 9 comments

Specifically, the request is to have an ask option in https://caddyserver.com/docs/caddyfile/directives/tls to match Caddy v1

I am also interested in the ask option for Caddy v2. So sad to see several features available with v1 that are not mentioned in v2 :(

@lpellegr Until I have time to add it, you are welcome to do so with a pull request any time!

@lpellegr to be clear, v2 does support the ask option, but it's only available via JSON config at this time. This issue is to track adding it to the Caddyfile config.

See here for the JSON config documentation https://caddyserver.com/docs/json/apps/tls/automation/

This is really hard, guys 😅

Done in fc7340e11aa9ca6326909aedfd36bb2c5b53d2a8

Docs to come soon. Basically (and this might change):

tls {
    on_demand
}

will enable on-demand TLS for that site. You can configure rate limits and the ask endpoint in a global option:

on_demand_tls {
    interval ...
    burst ...
    ask ...
}

Setting the global option does not enable it; you have to do that per-site.

Anyway, please try it out, and have fun! It was really complicated so I probably got something wrong!
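An ask endpoint that the global on_demand_tls block above could point at, as an added example that is not part of Caddy or of this thread. Caddy queries the ask URL with the hostname in the domain query parameter and treats any 2xx response as permission to obtain a certificate; the allowlist contents, the /check path and the 127.0.0.1:9123 listen address are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedHosts is a constructed sample allowlist. In production this would be
// a database or registration-system lookup, as the reply later in the thread suggests.
var allowedHosts = map[string]bool{
	"app.example.com":  true,
	"blog.example.com": true,
}

// domainAllowed normalises the hostname Caddy passes in the ask request and
// decides whether a certificate may be obtained for it. Empty names, wildcards
// and anything not explicitly registered are refused, so a stray DNS record
// pointed at this server cannot make Caddy burn ACME rate limits.
func domainAllowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || strings.ContainsAny(d, "*/ ") {
		return false
	}
	return allowedHosts[d]
}

// askHandler implements the endpoint named by `ask` in the global
// on_demand_tls block. Caddy sends GET /check?domain=<host>; any 2xx status
// permits issuance, anything else denies it.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	domain := r.URL.Query().Get("domain")
	if !domainAllowed(domain) {
		log.Printf("on-demand TLS denied for %q from %s", domain, r.RemoteAddr)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	// Assumed deployment: Caddyfile global option `ask http://127.0.0.1:9123/check`.
	http.HandleFunc("/check", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", nil))
}
```

Denied requests are logged with the requesting address, which is the signal to watch for if unknown hostnames start being pointed at the server.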

Is there any way to configure an ask per-site?

No, because there's no concept of a "site" during a TLS handshake.

If you need to communicate with 2 different databases, then you should do that in your backend ask endpoint. That shouldn't be a concern of caddy.
