feat(caddy): respond to load-balanced pronode.prosopo.io alongside per-host#2670
Open
forgetso wants to merge 1 commit into
Conversation
…r-host
Extracts the existing route/handler block into a `(provider_site)` snippet
imported by two site blocks:
- `{$CADDY_DOMAIN}` (pronodeN.prosopo.io) keeps ACME HTTP-01 auto-HTTPS —
it works because each pronode's A record points to one IP.
- `{$CADDY_GLOBAL_DOMAIN}` (pronode.prosopo.io) uses `tls internal` as a
placeholder cert. DNS round-robins this hostname across all pronodes so
HTTP-01 challenges land on whichever node DNS hands out, breaking
per-node renewal. The real cert strategy (shared storage, DNS-01, or
pre-provisioned PEM) is intentionally deferred to a follow-up.
The layer4 :443 router needs no change — its SNI matcher only catches the
`*.t.{$CADDY_DOMAIN}` dns-trap subzone; pronode.prosopo.io and
pronodeN.prosopo.io both fall through to the default 127.0.0.1:8443
upstream, where Caddy now multiplexes by SNI between the two site blocks.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `docker/provider.Caddyfile` into a `(provider_site)` snippet imported by two site blocks
  - `{$CADDY_DOMAIN}` (pronodeN.prosopo.io) keeps ACME HTTP-01 — works because each pronode's A record points to one IP
  - `{$CADDY_GLOBAL_DOMAIN}` (pronode.prosopo.io) with `tls internal` as a placeholder cert. DNS round-robins this hostname across all pronodes, which breaks HTTP-01 per-node renewal; the real cert strategy (shared storage, DNS-01, or pre-provisioned PEM) is intentionally a follow-up
- `*.t.{$CADDY_DOMAIN}` for the dns-trap subzone, so both the per-host and load-balanced hostnames fall through to the default 127.0.0.1:8443 upstream where Caddy now multiplexes by SNI
Why this PR
First step toward DNS-based provider load balancing: caddy needs to terminate TLS on `pronode.prosopo.io` so the frontend can do an initial round-robin hop before redirecting to a specific `pronodeN.prosopo.io` for the rest of the flow. Cert distribution for the shared hostname is a separate problem and is left as a deliberate placeholder.
Test plan
- `CADDY_GLOBAL_DOMAIN=staging.pronode.prosopo.io` set in env
- `openssl s_client -connect <pronodeN>:443 -servername pronodeN.prosopo.io` → real Let's Encrypt cert
- `openssl s_client -connect <pronodeN>:443 -servername staging.pronode.prosopo.io` → Caddy-CA self-signed cert (expected placeholder)
- `route { }` (rate limits, header_up reverse proxy, metrics, robots.txt) is served on both hostnames
🤖 Generated with Claude Code
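The shape the description above is talking about, written out as an added example; this is not the PR's `docker/provider.Caddyfile` and not the project's code. It assumes a provider backend on 127.0.0.1:9229 (placeholder), uses only stock Caddy directives for the route body (the rate-limit plugin the test plan mentions is omitted because its syntax is not on the page), and leaves the layer4 :443 front out; the `https_port` and `default_bind` globals are an assumption about how the HTTP server ends up on the 127.0.0.1:8443 upstream the layer4 router forwards to.

```caddyfile
# Added example, not the PR's docker/provider.Caddyfile.
{
	# Assumed: the HTTP server listens where the layer4 :443 router forwards
	# (127.0.0.1:8443). Caveat: default_bind also puts the ACME HTTP-01
	# listener on loopback port 80, so :80 must be forwarded to it as well
	# or HTTP-01 for {$CADDY_DOMAIN} stops working.
	default_bind 127.0.0.1
	https_port 8443
}

# One copy of the handler chain, imported by both site blocks below.
(provider_site) {
	route {
		# Keep crawlers away from the provider API.
		respond /robots.txt <<ROBOTS
			User-agent: *
			Disallow: /
			ROBOTS 200

		# Prometheus endpoint for the node.
		handle /metrics {
			metrics
		}

		# Everything else goes to the provider process (port is a placeholder);
		# forward the original Host so the backend sees which name was used.
		reverse_proxy 127.0.0.1:9229 {
			header_up X-Forwarded-Host {host}
		}
	}
}

# Per-node name (pronodeN.prosopo.io): a single A record, so the HTTP-01
# challenge always reaches this node and Caddy keeps a publicly trusted
# certificate renewed on its own.
{$CADDY_DOMAIN} {
	import provider_site
}

# Load-balanced name (pronode.prosopo.io): DNS round-robins across nodes, so
# an HTTP-01 challenge may land on a node that did not request it. Until a
# shared-storage, DNS-01 or pre-provisioned-PEM strategy exists, serve a cert
# from Caddy's local CA. Browsers and strict TLS clients will reject it; the
# openssl s_client check in the test plan shows the Caddy Local Authority
# issuer instead of Let's Encrypt, which is the expected placeholder state.
{$CADDY_GLOBAL_DOMAIN} {
	tls internal
	import provider_site
}
```

Because both site blocks share one listener, Caddy picks the block by SNI, which is why the two `openssl s_client -servername` checks in the test plan return different issuers from the same node. The `tls internal` block should be treated as a known gap: anything that validates the chain (browsers, the frontend's fetch, monitoring) will fail against `{$CADDY_GLOBAL_DOMAIN}` until the follow-up cert strategy lands.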