I've tried several different ways to make this work with out of the box options and I don't see that there is currently a way. I thought I would document here what I'm trying to do and get any feedback from the team on it.
The infrastructure looks essentially like this.
┌────────────────┐
│ Cloudflare │
└────────────────┘
│ │
┌───────┐┌───────┐
│ Web 1 ││ Web 2 │
└───────┘└───────┘
Public SSL is going to be handled by Cloudflare. However, I do need to install Cloudflare Origin Certificates so that communication between the Cloudflare server and the backend Web servers is encrypted.
It seems the only supported configuration for kamal at this point is to expose an HTTP interface or HTTPS using automatic certificate management. It's possible the work on #969 is going to allow this to be a configuration though. That might simply be the eventual solution, but I can't tell that there is any movement on it. (It also seems like maybe we're waiting on volume/file mounting work from @djmb)
For now I've hacked together a messy solution that includes:
Fork of kamal to hardcode the tls-certificate-path and tls-private-key-path and disable the ensure_one_host_for_ssl check.
Adding a pre-deploy script that pulls the certificate information from 1password and creates the cert.pem and key.pem
In the pre-deploy script also create a .kamal/proxy/options file that mounts the folder with the certificates and also adds the publish ports that are in the default options
Run kamal setup
Run kamal proxy reboot (because the configuration changed on deploy and we have to restart it.)
I also tried to by-pass kamal-proxy altogether and configure puma with the certs, which worked, but redeploys are failing because of port assignments. More info in #1133.
I could streamline my hack if we had a hook that ran pre-proxy-deploy so I could copy the certs over in that step, as well as a way to add arbitrary options to the proxy command.
But also open to more direct solutions for this specific setup.
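A pre-deploy hook along the lines of the workaround described in this issue, added here as an example that is not code from the issue author or from the Kamal project. The `op://` item references, CERT_DIR, the `/certs` mount path inside the proxy container and the options-file contents are assumptions, and getting the generated options onto the host is left to the forked proxy command; what the example adds over the description is a cert/key consistency and expiry check before the proxy is rebooted.

```shell
#!/usr/bin/env bash
# Added example: fetch a Cloudflare Origin Certificate pair from 1Password,
# verify it, and emit kamal-proxy docker options that mount it.
set -eu

CERT_DIR="${CERT_DIR:-/etc/kamal-proxy/certs}"            # assumed host path
OP_CERT="${OP_CERT:-op://Infra/cloudflare-origin/cert}"   # assumed 1Password refs
OP_KEY="${OP_KEY:-op://Infra/cloudflare-origin/key}"

# Pull the PEMs out of 1Password; the private key is written with 0600 perms
# inside a 0700 directory so it is never world-readable on the host.
fetch_origin_certs() {
  install -d -m 0700 "$CERT_DIR"
  ( umask 077
    op read "$OP_CERT" > "$CERT_DIR/cert.pem"
    op read "$OP_KEY"  > "$CERT_DIR/key.pem" )
}

# Refuse a mismatched or soon-expiring pair here, in the hook, rather than
# letting kamal-proxy fail after the old proxy has already been stopped.
verify_cert_key() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "cert/key mismatch" >&2; return 1; }
  # 2592000 s = 30 days: -checkend fails if the cert expires before then
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
}

# Default published ports plus a read-only mount of the certificate directory
# (assumed /certs inside the container, where the forked flags would point).
proxy_options() {
  printf -- '--publish 80:80 --publish 443:443 --volume %s:/certs:ro\n' "$1"
}

main() {
  fetch_origin_certs
  verify_cert_key "$CERT_DIR/cert.pem" "$CERT_DIR/key.pem"
  proxy_options "$CERT_DIR" > .kamal/proxy/options
}

# Only run the pipeline when invoked as the hook, so the file can be sourced.
if [ "${RUN_CERT_HOOK:-0}" = "1" ]; then main; fi
```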