autonomic-bot
fdbd1e2fee
The caddy sidecar uses on-demand TLS and asks http://app:3000/tls-check before issuing a cert. On a shared host every co-located stack aliases its main service 'app' on the 'proxy' overlay; caddy (on both proxy+internal) resolves bare 'app' to a FOREIGN stack's endpoint, so the tls-check connection is refused, no cert is issued, and the PDS is unreachable over HTTPS (xrpc/_health=000). Give the PDS a unique 'pds' alias on the internal network and point caddy's reverse_proxy + on_demand_tls ask at it; 'pds' exists only on internal, so it always resolves to this stack's PDS. Service name stays 'app' (no downstream breakage).
13 lines
130 B
Caddyfile
13 lines
130 B
Caddyfile
{
|
|
on_demand_tls {
|
|
ask http://pds:3000/tls-check
|
|
}
|
|
}
|
|
|
|
{$DOMAIN}, *.{$DOMAIN} {
|
|
tls {
|
|
on_demand
|
|
}
|
|
reverse_proxy pds:3000
|
|
}
|