Developers August 29, 2020

Simple reverse proxy with automatic wildcard SSL certificates in a few minutes

Zlatko Fedor @zlatkofedor

I needed to create a reverse proxy for my new project because Google Cloud Run is not able to handle wildcard SSL certificates and domains.

I have tried Nginx and Haproxy. Everything works fine except for automatic SSL certificates.

Then I found Caddy and I was able to create my reverse proxy in a few minutes with automatic HTTPS.

Here is a config example:

https:// {
  tls {
    # issue a certificate for any hostname on its first request
    on_demand
  }

  reverse_proxy {
    to https://site.creolify.com

    transport http {
      # speak TLS to the upstream and send its hostname as SNI
      tls
      tls_server_name site.creolify.com
    }

    # the upstream expects its own hostname in the Host header
    header_up Host site.creolify.com
  }
}

If you are interested in speed, I found that for HTTP/2 over HTTPS Caddy is able to handle half the requests compared to Nginx.

caddy v2: 959.57 (requests/s), 696.74ms (ttfb avg)
nginx 1.17.10: 2224.74 (requests/s), 300.22ms (ttfb avg)
h2load HTTP/2: t1 c150 n1000 m50
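With `on_demand` as configured above, Caddy will try to obtain a certificate for any hostname that arrives in SNI, so anyone who points a DNS record at the proxy can trigger issuance and burn through the Let's Encrypt rate limit mentioned in the comments. Caddy's `on_demand_tls { ask <url> }` global option lets you gate this on your own tenant list; the following is an added example, not part of the original post, and the tenant table, loopback port and `/check` path are assumptions.

```python
"""Allow-list 'ask' endpoint for Caddy on-demand TLS.

Assumed Caddyfile global options block that points Caddy at this service:

    {
        on_demand_tls {
            ask http://127.0.0.1:5555/check
        }
    }

Before issuing a certificate Caddy sends GET /check?domain=<hostname> and
only proceeds on a 2xx response; anything else denies issuance.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample tenant table; in a real deployment this is read from the
# application database where each customer's custom domain is recorded.
TENANT_DOMAINS = {"shop.example.com", "blog.example.org"}

# Syntactic hostname check: dotted labels, letters-only TLD, no IP literals.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def is_allowed(domain: str, tenants=TENANT_DOMAINS) -> bool:
    """True only for a well-formed hostname that a known tenant registered."""
    host = domain.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        return False  # empty, IP-ish or junk SNI values are rejected outright
    return host in tenants


def decide(request_path: str, tenants=TENANT_DOMAINS) -> int:
    """Map Caddy's GET /check?domain=... to the HTTP status we answer with."""
    query = parse_qs(urlparse(request_path).query)
    domains = query.get("domain", [])
    if len(domains) != 1:
        return 400  # missing or repeated parameter: refuse rather than guess
    return 200 if is_allowed(domains[0], tenants) else 403


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(decide(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: Caddy runs on the same host in this setup.
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

Denied hostnames show up as 403 lines in this service's log and as failed on-demand obtain attempts in Caddy's log, which is a cheap signal that someone is pointing unexpected DNS records at the proxy.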

  1. 3

    Why don't you host this on fly.io? It'll kind of mimic a CDN

    1. 2

      Actually I wanted to have a proxy in the google cloud because my services are using google cloud run. I understand that fly.io will save connection to the proxy but I am not sure if this proxy will be able to handle requests to my google cloud run with a good time response. What do you think about it? I am also using a database that is also located on google cloud. But thank you for the tip. I will definitely try to use fly.io in the future.

      1. 2

        It depends what you need. If you're able to leverage Redis they're a good tool, but if not, database bound applications don't seem to be a good fit.

  2. 2

    Another great option is openresty, which is nginx+lua, and makes for a great customizable reverse proxy - you can basically make it do anything.

    1. 1

      Yep. This is how we do it for https://eager.app. I’ve used this approach for several high traffic projects and it works great.

    2. 1

      Hi @randomTest. Thank you for your comment. I saw it as well, but I do not know Lua and therefore I decided to use something else. Anyway, thank you for mentioning it.

  3. 2

    300ms are you kidding me? AWS CloudFront gives you 100ms and is built into the cloud, (including the wildcard domains and certs). I can't think of any reason you want to use caddy or nginx with that latency.

    1. 2

      Multitenant applications is an easy example. If you want to resolve multiple domain names to one server you can't do that with Cloudfront without a custom (pricy) SSL that has a bunch of SANs.

      1. 2

        You can do it with CF, but also what do you mean, certs are free and so is adding them to CF. What is "pricey" for you?

        1. 1

          You can only have one cert associated with a cloudfront distribution.
          Let's say you want to add more than 20 customers to your SaaS in one week. Each time you request a new cert it counts against your rate limit, causing you to hit that rate limit.

          Am I missing something?

          Edit: Here's the docs from AWS. link

          1. 1

            Sure, but none of that is pricey though, right? It's free, just annoying.

            1. 1

              Being able to create them on demand is pricey was my point.

      2. 2

        You are right @Austinpena. The second reason why I was not able to use any AWS is that I am using google cloud. All my services are using google cloud run and there is no good alternative on AWS (AWS Fargate is not a google cloud run).

  4. 2

    I have my own solution for this with nginx and letsencrypt. It's a UI for nginx basically. I'm thinking of opensourcing it but in order to support the dev would need some backers 🙈

    1. 1

      That is great. I will check it when you opensource it :) I wanted to do it exactly with LetsEncrypt as well but I had a lot of problems with wildcard domains and automatic SSL without any configuration.

      1. 1

        It's going to live here: https://github.com/rmamba/letsproxy/issues
        Currently only managing issues, no code in GIT yet ;)

  5. 1

    Are you worried about being rate limited? What if you add more than 20 customers a week?

    1. 1

      About which limits? If you mean letsencrypt limits I will figure it out when I reach 20 customers per week. It will be a very good job from my side :)

  6. 1

    I recently switched hosting from Firebase to Render for custom domain and SSL.

    Are there any downsides to doing this ourselves, like certificate issues from Let's Encrypt or anything else?

    1. 2

      Hi @dilsonbright. I needed to use my own reverse proxy because I wanted to add a custom domain with a simple one configuration step (without any domain verification or manual/API assign of the domain in the google cloud console). Users will add just a simple cname DNS record and that's it.

  7. 1

    Why is Caddy so slow? I don't know much about servers, but this seems a huge difference. How much will be this seen in production?

    1. 1

      I think caddy is pretty new and it needs more time for better performance improvements. But I can run multiple proxies and therefore it is not a big deal for me.

  8. 1

    Caddy is an excellent choice for this. Traefik is another personal favorite of mine. It's so nice to have these new tools and not have to deal with NGinx and HAProxy anymore :)

    1. 1

      Hi @johnny_am. Thanks for your comment. Traefik looks good as well. Maybe I will try it :) Do you have a valid config for a reverse proxy with automatic SSL? I would like to try it with Google Cloud and check performance :)

      1. 2

        I created some minimal examples for Traefik. All examples can be executed locally. Automatic SSL is not yet included as it is not so easy to make it run locally. I will add an example for you, though it will not run locally.
        https://github.com/JensKnipper/traefik-examples
