Last active
December 4, 2024 00:41
-
-
Save stympy/7a538e3edda1395c89afca968f3c5c97 to your computer and use it in GitHub Desktop.
Serving secure customer domains with Caddy - the tech behind https://www.honeybadger.io/tour/status-pages/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| # Caddy is running behind an application load balancer hosted at AWS, so this configures Caddy to trust the headers set by it | |
| servers { | |
| trusted_proxies static private_ranges | |
| } | |
| # Avoid DoS attacks by confirming with a backend app that a requested domain should have an on-demand certificate generated | |
| on_demand_tls { | |
| ask http://web.internal:5000/confirm_domain | |
| interval 1m | |
| burst 10 | |
| } | |
| # Store generated SSL certificates in redis instead of local file system so all app instances have access to them | |
| storage redis { | |
| key_prefix "caddytls" | |
| value_prefix " " # This module has a default value that's dumb, and an empty string here falls back to the default | |
| db "1" | |
| host "redis.internal" | |
| } | |
| } | |
| https:// { | |
| # Generate SSL certificates when the first request for customerdomain.com arrives | |
| tls [email protected] { | |
| on_demand | |
| } | |
| # A request to customerdomain.com will get forwarded to the backend with the hostname passed as a header, so the backend knows what content to serve | |
| reverse_proxy web.internal:5000 { | |
| header_up X-Via-Caddy {host} | |
| } | |
| } | |
| # Load balancer health check | |
| :4431 { | |
| # Use the rails app's health check as our health check, and rewrite any requests we get to the health check route | |
| handle_path /* { | |
| rewrite * /pages/health | |
| reverse_proxy web.internal:5000 | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class ConfirmController < ApplicationController | |
| def confirm | |
| # If the record isn't found, a 404 is returned, which cause Caddy to refuse to generate the certificate | |
| CustomerDomain.where(domain: params[:domain], verified: true).first! | |
| head :ok | |
| end | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Build caddy with the module to cache certificates in redis | |
| FROM ubuntu:latest | |
| RUN apt-get -y update | |
| RUN apt-get -y install wget | |
| RUN wget -q -O /usr/bin/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fgamalan%2Fcaddy-tlsredis&idempotency=$(date '+%s')" && chmod a+x /usr/bin/caddy | |
| RUN mkdir -p /etc/caddy | |
| COPY Caddyfile /etc/caddy/Caddyfile | |
| CMD ["/usr/bin/caddy", "run", "--config", "/etc/caddy/Caddyfile"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment