52 changes: 37 additions & 15 deletions docker/provider.Caddyfile
Expand Up @@ -90,21 +90,15 @@ http://:9090 {
metrics /metrics
}

# Main site: bound on :8443. Layer4 (above) proxies non-trap-subzone
# SNI connections from :443 in. ACME issuer is restricted to HTTP-01
# because TLS-ALPN-01 requires control of :443. The :80 redirect
# server is auto-created by Caddy (auto_https=on); it serves both
# ACME HTTP-01 challenges AND HTTP→HTTPS redirects targeting port
# 443 (i.e. the layer4 listener), which forwards non-matching SNIs
# back to this same :8443 server.
https://{$CADDY_DOMAIN}:8443 {

tls {
issuer acme {
disable_tlsalpn_challenge
}
}

# Shared route/handler config. Imported by both the per-host site
# ({$CADDY_DOMAIN} = pronodeN.prosopo.io) and the load-balanced site
# ({$CADDY_GLOBAL_DOMAIN} = pronode.prosopo.io). Only the TLS strategy
# differs between the two: per-host uses ACME HTTP-01 (works because each
# pronodeN's A record points to one IP), load-balanced uses `tls internal`
# because DNS round-robin breaks HTTP-01 challenges — a real cert
# distribution mechanism (shared storage, DNS-01, or pre-provisioned PEM)
# is a follow-up.
(provider_site) {
handle /robots.txt {
uri strip_prefix / # removes leading /, so it looks directly in root
root * /srv/static
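Review bot: the `(provider_site)` header comment says the real cert distribution mechanism (shared storage, DNS-01 or pre-provisioned PEM) "is a follow-up" but gives nothing to track it; add the issue reference there (placeholder: `issue #TBD`) so the `tls internal` caveat survives once this snippet is the shared config for both sites. The comment also hard-codes `pronodeN.prosopo.io` and `pronode.prosopo.io` as the values of `{$CADDY_DOMAIN}` and `{$CADDY_GLOBAL_DOMAIN}`; phrase those as examples ("e.g.") so the snippet does not read as if the hostnames were fixed.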
Expand Down Expand Up @@ -290,3 +284,31 @@ https://{$CADDY_DOMAIN}:8443 {
format json
}
}

# Per-host site: bound on :8443. Layer4 (above) proxies non-trap-subzone
# SNI connections from :443 in. ACME issuer is restricted to HTTP-01
# because TLS-ALPN-01 requires control of :443. The :80 redirect server
# is auto-created by Caddy (auto_https=on); it serves both ACME HTTP-01
# challenges AND HTTP→HTTPS redirects targeting port 443 (i.e. the layer4
# listener), which forwards non-matching SNIs back to this same :8443.
https://{$CADDY_DOMAIN}:8443 {
tls {
issuer acme {
disable_tlsalpn_challenge
}
}
import provider_site
}

# Load-balanced site for pronode.prosopo.io. Pronode operators round-robin
# DNS this hostname across every pronode, so ACME HTTP-01 doesn't work
# here — challenges land on whichever node DNS hands out, which usually
# isn't the one renewing. `tls internal` issues a Caddy-CA cert so the
# layer4 → :8443 routing path is exercised without Caddy attempting (and
# failing) ACME for this hostname. Replace with a real cert strategy
# (shared storage / DNS-01 / pre-provisioned PEM) before this domain
# is exposed to real browser traffic.
https://{$CADDY_GLOBAL_DOMAIN}:8443 {
tls internal
import provider_site
}
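Review bot: `https://{$CADDY_GLOBAL_DOMAIN}:8443` has no guard for the variable being unset. Caddy expands an unset `{$VAR}` placeholder to an empty string, so the address would become `https://:8443`, a catch-all site on the shared listener that answers any SNI the layer4 proxy forwards with the internally signed cert instead of rejecting it. Either use the Caddyfile default form, `https://{$CADDY_GLOBAL_DOMAIN:pronode.prosopo.io}:8443` (the hostname the comment names), or make the deployment fail when the variable is missing. The "replace with a real cert strategy before this domain is exposed" note is the right warning, but it should also point at the follow-up issue (placeholder: `issue #TBD`) so the `tls internal` block is not shipped as-is.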