Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automatic certificates per host #14

Open
dkeza opened this issue Nov 3, 2016 · 7 comments
Open

Automatic certificates per host #14

dkeza opened this issue Nov 3, 2016 · 7 comments
Assignees
@vishr
Labels
enhancement

Comments

@dkeza
Copy link

dkeza commented Nov 3, 2016

Is it possible to set

"tls": {
"auto": true
}

per host?
Maybe I don't wish automatic certificates for some host.
@vishr vishr self-assigned this Nov 3, 2016
@vishr
Copy link
Member

vishr commented Nov 3, 2016

What was the behavior you saw? Did you get certificates for all your hosts?

We can add a flag to disable auto TLS in host object? What are you thoughts?

@dkeza
Copy link
Author

dkeza commented Nov 4, 2016

I use Armor as proxy for few web sites in my local network.
For 2 web sites, one on Apache, and one on Node.js, I am using auto TLS, and this is OK. But I have also one web site on IIS, which already have TLS certificate. Now, I was thinking, it would be nice, when Armor would only redirect incoming https requests to IIS, without to issue new TLS certificate.
So I think, new flag "no_tls" : true per host settings would resolve this issue.

@vishr
Copy link
Member

vishr commented Nov 5, 2016
edited
Loading

@dkeza We can add a flag to not pull a certificate automatically for any host but then what certificate will you use for your domain which proxies to IIS. The certificate should be known to Armor for this domain. I am not sure if you mean that you don't want to use HTTPS for this domain, so if that's the case you can directly send HTTP traffic to that domain?

@dkeza
Copy link
Author

dkeza commented Nov 8, 2016

I will try to explain what I have on mind, I am not sure if this is common practice.
When I have one domain example.no-ip.com, and I have Armor as reverse proxy, I wish that https requests to example.no-ip.com are handled by Armor, and that Armor just redirects/forwards that request as https request to IIS server in local network on IP address 192.168.1.100. On IIS server I have already installed valid TLS certificate for domain example.no-ip.com
I don't wish that Armor uses TLS certificate for example.no-ip.com domain, I wish that he only forwards https requests to 192.168.1.100 in local network.
For other domains defined in config.json for Armor, I wish that Armor uses/issues TLS certificates from cache_tls file, and that then forwards https requests as http to ip addresses in local network.

@vishr
Copy link
Member

vishr commented Nov 8, 2016
edited
Loading

For Armor to handle your example.no-ip.com's https requests it needs valid certificates as Armor faces the internet. You have a couple of choices:

  1. Rely on Armor to generate certificate and proxy https request to your internal IIS server (It should use your certificate internally)
  2. If you certificates are valid and signed by CA, copy and use them in the config.json for this domain

Let me know your thoughts

@dkeza
Copy link
Author

dkeza commented Nov 9, 2016

OK, you are right, I let Armor issue TLS certificate also for my IIS website.
How Armor knows when should he get new certificate from Letsencrypt?

@vishr
Copy link
Member

vishr commented Nov 9, 2016
edited
Loading

If auto TLS is on and you haven't specified any certificates for a host then Armor will try to provision them from LetsEncrypt and also keep a track of renewing it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vishr vishr

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vishr @dkeza