In this guide, I will be discussing how to set up a Caddy web server on VPS and enable on-demand TLS for all your tenant giving you 100% free SSL for your wildcard subdomain and all tenant custom domains.
Firstly, you need to set caddy server, kindly follow this URL: https://caddyserver.com/docs/ It’s entirely free.
Then, configure your caddy file for On-demand TLS. Go through this: https://caddyserver.com/docs/automatic-https
For the “ask” endpoint to authorize the tenant subdomain or custom domain to exist, our module has an open endpoint for this and it looks like the below:
https://localhost:8081/saas/api/caddy_domain_check?domain=demo.crm.com
Replace ‘localhost:8081‘ with your local address i.e. the local address of the proxied server.
The endpoint returns 404 if no match, 200 (OK) if same as the base domain, and 200(Matched) when a match is found (subdomain or custom domain).
In your Caddy file, you don’t neccessarily need to add the domain query parameter to the URL, Caddy will do this itself and as such, the on-demand TLS section of your Caddy will look like this:
{
on_demand_tls {
ask http://localhost:8081/saas/api/caddy_domain_check
interval 2m
burst 5
}
}
and the whole caddy file can look like this:
##caddy
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
{
on_demand_tls {
ask http://localhost:8081/saas/api/caddy_domain_check
interval 2m
burst 5
}
}
:443 {
tls mail@risedomain.com {
on_demand
}
encode gzip
#reverse proxy to apache listening on 8081, serving /var/www/html
reverse_proxy localhost:8081 {
header_up X-Real-IP {http.reverse-proxy.upstream.address}
}
}
The Apache configuration looks like this:
<VirtualHost *:8081>
ServerAdmin webmaster@localhost
ServerName risedomain.com
ServerAlias *.risedomain.com *
DocumentRoot /var/www/html
SetEnvIf X-Forwarded-Proto https HTTPS=on
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml >
</IfModule>
</VirtualHost>
Note ‘SetEnvIf X-Forwarded-Proto https HTTPS=on‘ is necessary for the Apache config to inherit the HTTPS scheme to the proxy if set.
Then all tenant custom domains should automatically be served with TLS.
For custom domain: The customer needs to point the custom domain of interest to your server using A-record or CNAME. You will need to provide them the IP address of your server.
Note: This is for illustration purposes and basic, we advise you to configure it more optimally for production.
Thanks!