diff options
| author | Alex <alex@adnab.me> | 2023-01-30 16:35:30 +0000 |
|---|---|---|
| committer | Alex <alex@adnab.me> | 2023-01-30 16:35:30 +0000 |
| commit | 4cff37397f626ef063dad29e5b5e97ab1206015d (patch) | |
| tree | 584005f176e3e535dd4e63ae766cffc9fb12b0f0 /doc/book/cookbook/reverse-proxy.md | |
| parent | a1005c26b638782df613a7a776e4dcb22ad34d08 (diff) | |
| parent | 5f412abd4e0868ea11711f696c3eabe452db7560 (diff) | |
| download | garage-4cff37397f626ef063dad29e5b5e97ab1206015d.tar.gz garage-4cff37397f626ef063dad29e5b5e97ab1206015d.zip | |
Merge pull request 'Small doc corrections' (#489) from jpds/garage:doc-corrections into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/489
Diffstat (limited to 'doc/book/cookbook/reverse-proxy.md')
| -rw-r--r-- | doc/book/cookbook/reverse-proxy.md | 52 |
1 files changed, 51 insertions, 1 deletions
diff --git a/doc/book/cookbook/reverse-proxy.md b/doc/book/cookbook/reverse-proxy.md index c8fde28d..c7dcf6a8 100644 --- a/doc/book/cookbook/reverse-proxy.md +++ b/doc/book/cookbook/reverse-proxy.md @@ -295,7 +295,7 @@ s3.garage.tld, *.s3.garage.tld { } *.web.garage.tld { - reverse_proxy localhost:3902 192.168.1.2:3900 example.tld:3900 + reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 } admin.garage.tld { @@ -306,3 +306,53 @@ admin.garage.tld { But at the same time, the `reverse_proxy` is very flexible. For a production deployment, you should [read its documentation](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) as it supports features like DNS discovery of upstreams, load balancing with checks, streaming parameters, etc. +### On-demand TLS + +Caddy supports a technique called +[on-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls), by +which one can configure the webserver to provision TLS certificates when a +client first connects to it. + +In order to prevent an attack vector whereby domains are simply pointed at your +webserver and certificates are requested for them - Caddy can be configured to +ask Garage if a domain is authorized for web hosting, before it then requests +a TLS certificate. + +This 'check' endpoint, which is on the admin port (3903 by default), can be +configured in Caddy's global section as follows: + +```caddy +{ + ... + on_demand_tls { + ask http://localhost:3903/check + interval 2m + burst 5 + } + ... +} +``` + +The host section can then be configured with (note that this uses the web +endpoint instead): + +```caddy +# For a specific set of subdomains +*.web.garage.tld { + tls { + on_demand + } + + reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 +} + +# Accept all domains on HTTPS +# Never configure this without global section above +https:// { + tls { + on_demand + } + + reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 +} +``` |