The problem

I would like to serve a redirect from go.psn.af to the same hostname on tailscale. Ideally, I would like to serve it over SSL (now the default) and have the certs automatically renew. I also would like to avoid opening up port 80 or 443 for cert checks.

Solution

Initial setup:

  1. I’m currently hosting DNS on Google Cloud DNS, which is a pretty good DNS server.

  2. Caddy is an easy web server that supports redirects. It also supports automatically obtaining an SSL cert using the ACME protocol. However, by default it doesn’t support using GCP DNS for the DNS-based ownership checks (the ACME DNS-01 challenge).

Solution: use the caddy-dns/googleclouddns plugin. This requires rebuilding the Caddy Docker image with the plugin compiled in. I initially tried the build-from-source instructions before discovering Caddy’s docs on adding a plugin to an image (under “Adding custom Caddy modules”). Once I had built a custom Docker image and repointed DNS, everything just worked.

# Stage 1: compile Caddy with the Google Cloud DNS provider module included.
FROM caddy:2.7.6-builder AS builder

RUN xcaddy build \
  --with github.com/caddy-dns/googleclouddns

# Stage 2: start from the stock image and swap in the custom binary only.
FROM caddy:2.7.6

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
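The Caddyfile that goes with this image is not in the original post; the following is an added example of what the redirect-plus-DNS-challenge configuration looks like. The inner `dns googleclouddns { gcp_project ... }` block follows the plugin’s README and should be checked against the plugin docs for the version you build; the tailnet hostname and e-mail address are placeholders.

```caddyfile
# Caddyfile (added example, not from the original post)

{
	# ACME account contact; placeholder address.
	email admin@example.com
}

go.psn.af {
	# Prove control of the name by publishing a TXT record in Cloud DNS
	# (ACME DNS-01) rather than answering an HTTP-01/TLS-ALPN-01 challenge,
	# so ports 80 and 443 do not need to be reachable by the CA.
	tls {
		dns googleclouddns {
			# Project that hosts the managed zone; read from the environment.
			gcp_project {env.GCP_PROJECT}
		}
	}

	# Send every request to the same hostname on the tailnet.
	# <tailnet-name> is a placeholder for the MagicDNS suffix.
	redir https://go.<tailnet-name>.ts.net{uri} permanent
}
```

The plugin authenticates through Google’s Application Default Credentials, so the service-account JSON can be mounted into the container read-only and referenced via `GOOGLE_APPLICATION_CREDENTIALS` instead of being baked into the image. Granting that service account only the DNS administration role on the one managed zone limits what a leaked credential could change.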

I did have to provide GCP creds, which I’m a bit nervous about. I would like to set up some docker creds store.