Avoid specifying on demand 'ask' endpoint when using my own issuer

[jroyalty]

I've written my own tls.issuance module, similar to tls.issuance.internal. I want to use on-demand behavior here but without any limits; that is, I don't want to specify an ask endpoint or any rate_limit configuration in this case.

I see that Caddy has a strict set of conditions under which an ask endpoint isn't enforced -- namely that you are using only tls.issuance.internal. I certainly understand these safe guards being in place, but I'm wondering if there has been consideration given to how one might opt-out of these when needed.

Cheers!

[mholt]

(The rate_limit has always been optional anyway.)

You could set up a simple ask endpoint (within Caddy itself, just a site that's bound to localhost) that always returns 200 OK.

[francislavoie]

For example:

{
	on_demand_tls {
		ask http://localhost:5555/
	}
}

http://localhost:5555 {
	respond 200
}

https:// {
	tls {
		on_demand
		issuer your-issuer
	}

	# your usual config
}

[jroyalty]

Thanks for the response, and the suggestion. I tried this previously and while it works, I'm looking for a way to avoid the network call during the cert pipeline. Perhaps this could be a module with a default that has the same behavior as the current ask?

[francislavoie]

Yeah, we'll probably add tls.on_demand.decision module support at some point. But until then, the above solution is the simplest and fastest. The HTTP request to Caddy is extremely fast, so you won't notice any kind of bottleneck there.

[jroyalty]

Okay, consider this a +1 for the module. :)

[ankon]

See #6055

[mholt]

@jroyalty Would you be able to try #6055? Or at least inspect it to see if that works for you?

[jroyalty]

@mholt I looked at the PR and it seems to fit the bill! I'll give it a try as well. Thanks!