certmagic
On-Demand TLS cert check possible improvement
What would you like to have changed?
An HTTPS request with a domain that hasn’t been loaded yet hits the server. Caddy then tries to load the cert from the storage backend. If there isn’t a cert, it asks on-demand TLS if it can get one (ask http://myapi.com/query). It can’t get one, so the request stops there.
So if my storage backend is not disk, but something like Consul or Redis, and Caddy checks it on each request on new/declined domains, it’s possible to effectively make Caddy DDoS my storage backend.
One solution would be to have Caddy first check on_demand_tls.ask, and if that returns 200 OK, then try and load the domain, for domains that haven’t been loaded yet.
I’d rather have it check my ask endpoint before my storage backend, as I have full control over that.
Why is this feature a useful, necessary, and/or important addition to this project?
If your storage backend is a managed solution, cost could become an issue. If it's self-hosted or a small managed one, performance could become an issue as well.
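To make the ordering question concrete, here is an added, self-contained Go model of the two flows described in the issue (constructed for this discussion, not certmagic's or Caddy's own code): a counting storage backend stands in for Consul/Redis, an allowlist closure stands in for the `ask` endpoint, and `Manager.AskFirst` switches between "storage lookup, then ask" and "ask, then storage lookup". The `Storage`, `Manager`, `Simulate` and `ErrNotExist` names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNotExist is returned by a Storage when no certificate is stored for a name.
var ErrNotExist = errors.New("certificate not found")

// Storage models a certificate backend (disk, Consul, Redis, ...).
// Constructed interface for this example, not certmagic's own.
type Storage interface {
	LoadCert(name string) ([]byte, error)
}

// countingStorage records how often the backend is hit so the two
// orderings of the on-demand check can be compared.
type countingStorage struct {
	mu    sync.Mutex
	hits  int
	certs map[string][]byte
}

func (s *countingStorage) LoadCert(name string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.hits++
	if c, ok := s.certs[name]; ok {
		return c, nil
	}
	return nil, ErrNotExist
}

func (s *countingStorage) Hits() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.hits
}

// DecisionFunc stands in for the "ask" endpoint: nil means the server may
// obtain a cert for the name, an error means the name is declined.
type DecisionFunc func(name string) error

// Manager holds the pieces of the on-demand flow and an in-memory cache of
// certs already loaded or issued.
type Manager struct {
	Storage  Storage
	Decide   DecisionFunc
	AskFirst bool // true: consult Decide before touching Storage
	cache    map[string][]byte
}

// getCert resolves a cert for name following whichever ordering is configured.
func (m *Manager) getCert(name string) ([]byte, error) {
	if c, ok := m.cache[name]; ok {
		return c, nil // already loaded; neither storage nor ask is consulted
	}
	if m.AskFirst {
		if err := m.Decide(name); err != nil {
			return nil, err // declined before the backend is ever touched
		}
	}
	cert, err := m.Storage.LoadCert(name)
	if err == nil {
		m.cache[name] = cert
		return cert, nil
	}
	if !errors.Is(err, ErrNotExist) {
		return nil, err
	}
	if !m.AskFirst {
		if err := m.Decide(name); err != nil {
			return nil, err // declined, but only after a backend round trip
		}
	}
	// A real manager would now obtain a certificate from the CA; this is a
	// constructed stand-in for issuance.
	cert = []byte("issued-cert-for-" + name)
	m.cache[name] = cert
	return cert, nil
}

// Simulate sends n requests for name through a fresh Manager and returns how
// many times the storage backend was hit and how many requests got a cert.
func Simulate(askFirst bool, name string, n int) (storageHits, served int) {
	store := &countingStorage{certs: map[string][]byte{}}
	allow := map[string]bool{"app.example.com": true} // constructed allowlist
	m := &Manager{
		Storage:  store,
		AskFirst: askFirst,
		cache:    map[string][]byte{},
		Decide: func(d string) error {
			if allow[d] {
				return nil
			}
			return fmt.Errorf("domain %q not allowed", d)
		},
	}
	for i := 0; i < n; i++ {
		if _, err := m.getCert(name); err == nil {
			served++
		}
	}
	return store.Hits(), served
}

func main() {
	for _, askFirst := range []bool{false, true} {
		hits, served := Simulate(askFirst, "unknown.example.net", 50)
		fmt.Printf("askFirst=%v declined domain: storage hits=%d served=%d\n", askFirst, hits, served)
	}
}
```

With `AskFirst` false, every request for a declined name costs one backend round trip, which is the amplification the issue describes; with `AskFirst` true the backend is not touched for declined names at all, and the load lands on the ask endpoint, the component the operator controls. For an allowed name both orderings hit storage once (the initial miss) and then serve from cache.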
That might be possible to do... I'll need to be careful that it won't interrupt any other flows (it's getting a little complicated in there).
@mxrlkn Want to test 6670b5e? I moved the calling of DecisionFunc to before loading a cert from storage.
I'm unable to test at the moment. But great to see it happening :)