# The block below is optional; use it if you want to generate an internal certificate for the server's IP address.
# It is useful in case you have services that reach the server through its IP address rather than a domain name, such as health checks.
# It will generate an internal certificate, so browsers will warn you when connecting, but that is not a problem.
:443 {
	# Catch-all HTTPS listener: serves requests that arrive by IP address (or by any
	# host name that the {$SSL_CERTIFICATE_STRING} site below does not cover).
	tls internal {
		# NOTE(review): on_demand issues a locally signed certificate for whatever
		# server name the client presents; nothing here restricts which names are
		# issued. That is fine for IP-based health checks, but confirm it is intended
		# for arbitrary SNI values as well.
		on_demand
	}

	reverse_proxy nginx:80 {
		# add Dnslink-Lookup header so nginx knows that the request comes from a domain
		# outside of our certificate string and should perform a dnslink lookup
		# NOTE(review): header_up with a bare field name is expected to set (replace)
		# the header rather than append, so a client-supplied Dnslink-Lookup value
		# should not reach nginx from this listener — confirm against the Caddy
		# version in use.
		header_up Dnslink-Lookup true
	}
}
|
2021-07-07 14:02:58 +00:00
|
|
|
|
|
|
|
:80 {
	# Catch-all plain-HTTP listener for hosts not covered by the certificate string.
	# Mirrors the :443 listener above: no TLS, same upstream, same marker header.
	reverse_proxy nginx:80 {
		# add Dnslink-Lookup header so nginx knows that the request comes from a domain
		# outside of our certificate string and should perform a dnslink lookup
		# NOTE(review): header_up with a bare field name is expected to set (replace)
		# the header rather than append, so a client-supplied Dnslink-Lookup value
		# should not reach nginx from this listener — confirm against the Caddy
		# version in use.
		header_up Dnslink-Lookup true
	}
}
# Make sure you have SSL_CERTIFICATE_STRING specified in .env file because you need it to fetch correct certificates.
# It needs to have at least 3 parts: the absolute part (i.e. example.com), the wildcard part (i.e. *.example.com) and
# the hns wildcard part (i.e. *.hns.example.com). The resulting string should look like:
# example.com, *.example.com, *.hns.example.com
# In addition, if you are running multiple servers for the single portal like we do on siasky.net, you might want to
# add an aliased string that is going to help you access and distinguish between servers, the result would look like:
# example.com, *.example.com, *.hns.example.com, *.germany.example.com, *.hns.germany.example.com
# Note that you don't need to specify the absolute part for the alias since it's already covered in the wildcard part
# of the original certificate string (*.example.com).
{$SSL_CERTIFICATE_STRING} {
	# Main HTTPS site: serves every host name listed in SSL_CERTIFICATE_STRING
	# (absolute, wildcard, hns wildcard and any per-server aliases) with a publicly
	# trusted certificate obtained through the DNS challenge below.

	# If you want to use the http-01 certificate challenge (simple, good for a
	# single-server setup), then uncomment the line below, make sure you have
	# EMAIL_ADDRESS specified in the .env file, and comment out the tls block that
	# contains the dns challenge configuration.

	# tls {$EMAIL_ADDRESS}

	tls {
		# We are using route53 as our dns provider and it requires additional AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
		# environment variables in .env file. You can use other providers by using specific package from
		# https://github.com/caddy-dns in the docker/caddy/Dockerfile instead of our route53 one.
		# NOTE(review): the DNS challenge is what allows the wildcard entries in the
		# certificate string to be issued; http-01 above would not cover wildcards.
		dns route53 {
			# Retry budget for DNS record propagation checks during issuance.
			max_retries 50
		}
	}

	# NOTE(review): unlike the :80 and :443 listeners, no Dnslink-Lookup header is
	# set on this path, so a Dnslink-Lookup header sent by the client would be
	# forwarded to nginx unchanged — confirm nginx ignores or strips it for hosts
	# on the certificate string.
	reverse_proxy nginx:80
}