Support Caddy On-Demand TLS

[playworker]

Apologies if this is already supported - we're in the middle of researching upgrading to Postal v2 and I can't see anything in the docs.

Caddy supports on-demand TLS: https://caddyserver.com/docs/automatic-https#on-demand-tls

Which I think means that we wouldn't need to manually add new tracking domains to the Caddyfile, but if I understand correctly it needs an endpoint in Postal that it can call to check if it should generate certs for that domain.

Here's some more info: https://caddy.community/t/automatic-tls-not-working-with-cname-redirect/11372/2

It’s just a GET request with a query ?domain={hostname}. Respond with status 200 if 👍, respond with anything else (4xx usually) for 👎

This seems like it would be a great addition, if it's not already in place :)

[willpower232]

This sounds like an excellent idea for those that are supporting Postal servers that change often and don't want to get too involved.

I think you're referring to

To prevent abuse of this feature, you must configure restrictions. This is done in the automation object of the JSON config, or the on_demand_tls global option of the Caddyfile. Restrictions are "global" and aren't configurable per-site or per-domain. The primary restriction is an "ask" endpoint to which Caddy will send an HTTP request to ask if it has permission to obtain and manage a certificate for the domain in the handshake. This means you will need some internal backend that can, for example, query the accounts table of your database and see if a customer has signed up with that domain name.

so that Caddy can verify the tracking domain exists before provisioning the certificate.

The setup seems pretty flexible, would make a great PR if you know ruby on rails enough to do this.