implement the On-Demand TLS feature #63
Conversation
|
alright, I've made it work with my own fork of The modifications were super light, actually it was just a matter of accepting a new config option for kamal-proxy (+ point to my own Docker image of kamal-proxy). So, my proxy:
ssl: true
hosts: [""]
tls_on_demand_url: "http://staging-app-web-latest:3000/locomotive/api/allowed_host"
app_port: 3000
forward_headers: trueNotes:
|
|
I also needed this feature to run the LocomotiveCMS hosting platform behind Kamal-Proxy 👉 did#1 |
|
thanks @kwilczynski for the code review! |
There was a problem hiding this comment.
Hey @did,
Thanks for getting this started! This does seem like a useful addition.
I left a couple of comments on the details. Let me know what you think about addressing those. (I'm also happy to make the changes myself if you don't have time).
internal/server/service.go
Outdated
| return autocert.HostWhitelist(hosts...), nil | ||
| } | ||
|
|
||
| _, err := url.ParseRequestURI(options.TLSOnDemandUrl) |
There was a problem hiding this comment.
I'd expect that the on demand URL will usually point to an endpoint in the application that's deployed, rather than to some other external app. In which case, it would be simpler for this to be a path rather than an absolute URL. We'd then automatically call it on the currently deployed target (a bit like how the health check paths work).
That way you don't have to worry about having a stable hostname to reach for all versions of the app, etc., because the proxy takes care of that for you.
I'm not sure if there's a common enough need to support an external on demand URL as well, but for simplicity's sake it would be nice to have this be path-only if possible.
What do you think?
There was a problem hiding this comment.
👌 I haven't thought about it!!!
In my production case, it would work perfectly because my Rails app was always in charge of returning that list of hostnames (even when I was hosting it with k8s).
Indeed, it'd have saved me a lot of time, trying to figure out the hostname of my endpoint.
Perhaps (it's a guess), we should keep the URL as well for developers who prefers to move the responsibility of this endpoint to another app (and probably deployed by Kamal too) for performance or architecture reasons.
Let's keep it simple in a first time so let's use the path only :-)
(I will make the modifications)
There was a problem hiding this comment.
I'd vote for full path as perhaps someone would want to host the check in a Kamal accessory instead?
There was a problem hiding this comment.
We can always allow both: if you supply a path we'll call that on the app target, but if you supply a URL to some other endpoint we'll use that.
That way we get to keep the simpler configuration when the app is responsible for checking, which I suspect would be the more common case.
There was a problem hiding this comment.
@kevinmcconnell I've implemented it. Let me know if it's okay for you. I also need to re-test this new implementation and see if it doesn't break my app.
|
This looks great! Keep up the good work. We run a CMS where we can set up new sites while the app is running. Our current solution is Passenger via OpenResty (Nginx with Lua) and |
Thanks! Funny, Passenger + OpenResty is exactly the solution I'm using to run the LocomotiveCMS hosting SaaS platform! I need to find some free time to work on Kevin's feedbacks. |
Yep, I've never had any problems with this setup. I wrote a custom Lua script to look at our database and find the authorised hostnames. Didn't even think about just hitting an endpoint on the app itself. So much simpler! :) |
|
Thanks for all your work on this, @did! I also need this feature and am happy to help finish this up. Could I help? |
|
thanks @jmadkins! Alright I'm back to this PR and I've just pushing come code. I won't say no to some help My next task is to use either a path or an URL (TlsOnDemandURL). |
…e tests for the service.createAutoCertHostPolicy function
Big fan of Kamal & Kamal proxy here. Great job 👏
However, for my 2 Rails projects (website hosting for LocomotiveCMS & Maglev), I was missing the On-Demand TLS feature in Caddy.
It turns out it was easy to implement it in Kamal-Proxy since the
autocert.HostPolicytype is just a function returning an error if the host is not allowed to get a certificate.So, just by setting a new config option (
--tls-on-demand-url), we can test dynamically if a host can get a TLS certificate, just by calling the--tls-on-demand-urlendpoint.It just has to return a 200 HTTP code (http://my-api-end-point/any-path?host=).
In order to test it on my server, I implemented a little Sinatra service to test but I didn't include in my PR because it was in Ruby and the single example in your repository was written in Go. Besides, this is a super niche feature, so it might not require an example.
My next step is to build a Kamal proxy docker image and use it in the Kamal deployment of one of my projects.
Let me know if you want me to re-work the PR to match your PR rules.
Thanks!