docs: add Caddy+LetsEncrypt TLS example#4585
## Generating wildcard certificates

By default, this configuration uses Caddy's [on-demand TLS](https://caddyserver.com/docs/caddyfile/options#on-demand-tls) to generate a certificate for each subdomain (e.g. `app1.coder.example.com`, `app2.coder.example.com`). When users visit new subdomains, such as accessing [ports on a workspace](../../networking/port-forwarding.md), the request will take an additional 5-30 seconds since a new certificate is being generated.
> the request will take an additional 5-30 seconds
I'm fairly certain this is the only downside of using Caddy's on-demand TLS. While LetsEncrypt's rate limit (50 certificates/domain/week) can quickly be exhausted, Caddy will silently fall back to ZeroSSL which has no rate limit. ZeroSSL is significantly slower though. If you think this needs further explanation in the docs, I can expand.
With that being said, the extra effort for a wildcard is worth it if a Coder deployment is being actively used in production.
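To make the two options discussed above concrete, here is an added Caddyfile sketch (not from this PR or the Coder repository). It assumes Coder is listening on `localhost:3000`, that `coder.example.com` is the deployment's domain, and that `http://localhost:3000/ask-placeholder` stands in for an internal endpoint you provide which answers 200 only for hostnames you actually serve; the wildcard alternative assumes a Caddy build that includes the Route53 DNS module and AWS credentials in Caddy's environment.

```caddyfile
# Global options.
{
	# On-demand TLS issues a certificate the first time a hostname is requested.
	# Without an `ask` endpoint, anyone who points a DNS name at this server can
	# trigger issuance and burn through the CA's rate limits, so restrict
	# issuance to names an internal check approves. The URL is a placeholder.
	on_demand_tls {
		ask http://localhost:3000/ask-placeholder
	}
}

# Serves the dashboard and every workspace-app subdomain.
coder.example.com, *.coder.example.com {
	tls {
		# Option A (default in the docs): one certificate per subdomain, issued
		# on first visit. The 5-30 s delay described above happens here.
		on_demand

		# Option B: a single wildcard certificate obtained via the DNS-01
		# challenge, so new subdomains are served with no issuance delay.
		# Requires Caddy built with the caddy-dns/route53 module and AWS
		# credentials in the environment. Replace `on_demand` with:
		# dns route53
	}

	# Assumed Coder listen address.
	reverse_proxy localhost:3000
}
```

Option B moves the trust and failure surface from per-request issuance to the DNS provider credentials Caddy holds, so scope those credentials to the one hosted zone and nothing else.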
I have no experience with Caddy so can't give an approval here. Looks cool though.
This is inspired by GitLab's Caddy Recipe and I plan to add additional ones for NGINX and Kubernetes ingress+cert-manager.
As much as possible, I tried to reference the Caddy docs for custom builds/providers, while showing one concrete example for wildcards: AWS Route53. If we want to make it slightly more concrete, I could actually modify the docker-compose to support building a custom Dockerfile there that the user could just uncomment.
I understand this adds some debt to the codebase, so I'm open to other ideas. I could just include code snippets in the docs but I found that structure a bit confusing. One advantage of having this in the codebase is I could create an automated (weekly) test to spin up a Coder server with Caddy and ensure everything works as planned. If we wanted to do that as a prerequisite to merging, I'd totally understand.
Contributes to #3518