psc/vcard4reseller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cc33040b4b
vcard4reseller/deploy/terraform/cloud-init-caddy.yaml.tftpl
Thomas Peterson cc33040b4b Deploy: HTTP/3 (QUIC) in Caddy deaktiviert 
Manche Security-Suites (AVG Webschutz) zerlegen QUIC → ERR_QUIC_PROTOCOL_ERROR
bei betroffenen Kunden. Caddy global auf `servers { protocols h1 h2 }` (nur
HTTP/1.1 + HTTP/2 über TCP), kein alt-svc h3 mehr. Caddy-Server bekommt
ignore_changes=[user_data] (Caddyfile-Änderung per reload, kein Recreate).
Live-Caddy bereits nachgezogen (Caddyfile in-place + caddy reload).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 10:00:18 +02:00

46 lines
1.4 KiB
Plaintext
Raw Blame History

#cloud-config
package_update: true
write_files:
- path: /opt/caddy/Caddyfile
permissions: '0644'
content: |
{
email ${acme_email}
# HTTP/3 (QUIC) deaktiviert: manche Security-Suites (z. B. AVG Webschutz)
# zerlegen QUIC → ERR_QUIC_PROTOCOL_ERROR. Nur HTTP/1.1 + HTTP/2 über TCP.
servers {
protocols h1 h2
}
on_demand_tls {
# Caddy fragt die App, ob es für die Domain ein Zertifikat ausstellen darf
ask http://${ask_upstream}/internal/tls-allowed
}
}
# Portal (Haupt-Domain): automatisches TLS, Load-Balancing über die App-Nodes
${domain}, www.${domain} {
reverse_proxy ${app_upstreams} {
lb_policy round_robin
}
}
# Custom-Domains der Firmenkunden: On-Demand-TLS (nur erlaubte Hosts)
https:// {
tls {
on_demand
}
reverse_proxy ${app_upstreams} {
lb_policy round_robin
}
}
runcmd:
- command -v docker >/dev/null 2>&1 || curl -fsSL https://get.docker.com | sh
- mkdir -p /opt/caddy/data /opt/caddy/config
- |
docker run -d --name caddy --restart unless-stopped \
-p 80:80 -p 443:443 -p 443:443/udp \
-v /opt/caddy/Caddyfile:/etc/caddy/Caddyfile:ro \
-v /opt/caddy/data:/data \
-v /opt/caddy/config:/config \
caddy:2
Reference in New Issue View Git Blame Copy Permalink