caddy-security
feature: on_demand_tls verification over local socket
A clear and concise description of what you want the system to do.
Typically the on_demand_tls requires a webserver that would perform checks.

```
{
	on_demand_tls {
		ask http://localhost:8888/verify
		interval 2m
		burst 5
	}
}
```
What are the Caddyfile directives that need to be added.
Add Caddyfile directive:

```
{
	on_demand_tls {
		ask unix:///var/run/tlsverify.sock
		interval 2m
		burst 5
	}
	security {
		tls verify host foo.bar.baz
		tls verify hosts {
			foo.bar
			*.bar.foo
		}
		tls verify listener unix:///var/run/tlsverify.sock
	}
}
```
Per advice from Francis, the same could be accomplished by:
```
:8888 {
	@allowed expression {query.domain}.matches("your-regexp")
	respond @allowed 200
	respond 400
}
```
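A minimal verifier for the socket-based `ask` endpoint discussed above, as an added example (not code from caddy-security or from the issue author). It assumes Caddy's existing `ask` contract (a GET with a `domain` query parameter, where HTTP 200 means "issue the certificate") and that Caddy can target a unix:// URL as the issue requests; the allowlist and socket path are the issue's own example values.

```go
package main

import (
	"net"
	"net/http"
	"os"
	"strings"
)

// Constructed allowlist mirroring the hosts in the issue: exact names plus one wildcard.
var allowedHosts = []string{"foo.bar.baz", "foo.bar", "*.bar.foo"}

func hostAllowed(host string, patterns []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, ".")) // normalise case and FQDN dot
	for _, p := range patterns {
		p = strings.ToLower(p)
		if !strings.HasPrefix(p, "*.") {
			if host == p {
				return true
			}
			continue
		}
		// "*.bar.foo" matches exactly one label: "a.bar.foo" yes, "x.a.bar.foo" and "bar.foo" no
		label := strings.TrimSuffix(host, p[1:])
		if label != host && label != "" && !strings.Contains(label, ".") {
			return true
		}
	}
	return false
}

// askHandler follows the ask contract: Caddy sends GET ?domain=<name> and issues a cert only on 200.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if !hostAllowed(r.URL.Query().Get("domain"), allowedHosts) {
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	sock := "/var/run/tlsverify.sock" // path from the issue; the process must be able to create it
	_ = os.Remove(sock)               // clear a stale socket left by a previous run
	ln, err := net.Listen("unix", sock)
	if err != nil {
		panic(err)
	}
	http.Serve(ln, http.HandlerFunc(askHandler)) // assumes Caddy can target unix:// as requested
}
```

Anything other than an exact entry or a single-label wildcard match is refused, so a lookalike such as `evilfoo.bar` does not get a certificate.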