Support for on-demand SSL certificates

[brendon]

I know this has been discussed elsewhere, but I thought I'd try to reignite the discussion here.

Currently I plan to place Caddy in front of Kamal Proxy to support the creation of on-demand SSL certificates where we have a large list of possible host names we need to support (a CMS with a bring-your-own domain name setup). Caddy supports this using an internal call to a url in the app to see if a given hostname is one we're expecting to serve:

https://caddyserver.com/docs/automatic-https#on-demand-tls

It's fairly easy to set up. This is my Caddyfile:

{
	email someone@example.com

	on_demand_tls {
		ask http://kamal-proxy/check
	}
}

https:// {
	tls {
		on_demand
	}

	reverse_proxy http://kamal-proxy
}

The /check path just needs to check whatever list you use to keep track of customer domains and return a 200 if it's on the list or something else like a 404 if not, similar to the /up check.

Is there appetite for adding a check like this to Kamal Proxy and opening up the automatic SSL generation to a wildcard?

[kevinmcconnell]

@brendon yes, I'd like to see this added to Kamal Proxy! It'd be a nice convenient feature to have built-in. I think #63 was a great start, we just need to finish up some of the details (and bring the PR up to date, as it's become stale).

I'm happy to wrap this up myself at some point, but I don't have time for it right away unfortunately. So if anyone else wants to take a run at it in the meantime, that would also be welcome.

[brendon]

Thanks @kevinmcconnell, I'll see if I can find some time to take a look. @did seems pretty close. I've never written in Go before but it looks fairly straightforward.

[did]

👋@brendon, I was super close but I got busy on my other projects. I don't know if I'll get some free time soon.
But don't hesitate if you've got questions about my PR.

[brendon]

Thanks @did :)

[randohinn]

@brendon on a semi-related note, how do you configure kamal-proxy and/or the rails side to then serve the site that is expected for a given domain? Or does kamal proxy to a single domain and you do site determination from a header somehow? I am in the same boat currently, having to set up a deployment that has similar CMS capability (see #145 for my question too).

[brendon]

Hi @randohinn, it appears that if a hostname isn't defined in your deploy.yml then all hostnames will be routed in and this will be the default container. If you add another container for another app, it needs to have a defined hostname I assume, otherwise the proxy won't know where to route the traffic. I assume it just goes by some arbitrary order.

In my testing this seems to work just fine.

On the Rails end, I have a middleware that inspects the incoming hostname and then checks it against a mapping of hostname to database, then if it's a valid hostname we switch the database on the fly. It's still a dirty hack as Rails doesn't support this kind of unbounded database stuff. It does support a small group of databases defined at boot but that's not quite enough for me :)

For now Caddy has worked well as an an accessory in front of kamal-proxy to do the SSL stuff:

  caddy:
    image: caddy:2.10
    role: web
    options:
        publish:
          - "80:80"
          - "443:443"
    files:
      - config/caddy/Caddyfile:/etc/caddy/Caddyfile
    directories:
      - data:/data
      - conf:/etc/caddy