Reverse Proxy (NGINX, Caddy) and Avoiding Certs for Custom Domains

Hey there,

What would be the process of using Caddy or NGINX to handle custom domains’ TLS rather than generating certs on fly every time a customer adds a new domain?

Is that possible? Thank you!

If you use cloudflare, you might be able to use their flexible SSL which connects to your proxy over HTTP so you don’t need certs on fly.
I haven’t done this so I don’t know if it works in practice.

Doesn’t work, I’ve tried a lot of stuff w cloudflare only and the handshake always fails (unless there is matching cert at fly)

Tried disabling TLS but it doesn’t seem to work either. Something internally at fly, need someone to give me a clue (ai gets this wrong also)

did you set force_https = false in your app?

Just to be sure I understand correctly: wouldn’t this result in customer traffic floating around in plain text over the public internet between Cloudflare and Fly?


You can make your apps private by removing the public ip address, then nginx would proxy the request to your private internal apps. But you’re right, the connection from CF => Fly Nginx App should be over HTTPS.
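As an added illustration of the setup described in the last reply (a public NGINX app terminating TLS for customer domains and proxying to a private Fly app over HTTPS), here is an example NGINX configuration. It is not from any of the posters or from Fly's docs; the certificate paths, the `backend-app.internal` hostname and the port 8443 are assumed placeholders you would replace with your own values.

```nginx
# Reject any connection whose SNI / Host does not match a customer domain we
# actually serve, instead of falling through to the first server block.
server {
    listen 443 ssl default_server;
    server_name _;
    # Placeholder certificate; only used to complete the handshake before 444.
    ssl_certificate     /etc/nginx/certs/fallback.crt;
    ssl_certificate_key /etc/nginx/certs/fallback.key;
    return 444;
}

# One server block per customer domain (or one block with several
# server_name entries if they share a certificate). Certificates are issued
# and stored on the proxy, so Fly never needs to mint one per domain.
server {
    listen 443 ssl;
    server_name customer-example.com;   # assumed customer domain

    ssl_certificate     /etc/nginx/certs/customer-example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/customer-example.com.key;  # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Upstream is the private app with no public IP, reached over HTTPS
        # as the reply above recommends; hostname and port are assumptions.
        proxy_pass https://backend-app.internal:8443;

        # Present the upstream's name in SNI and verify its certificate so
        # the proxy-to-app hop is not silently downgraded.
        proxy_ssl_server_name on;
        proxy_ssl_name backend-app.internal;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;  # assumed path

        # Pass the original host and scheme so the app knows which customer
        # domain was requested and that the client connection was HTTPS.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

If you go the Cloudflare Flexible SSL route mentioned earlier instead, the proxy would also need a plain `listen 80` server block and, as the thread notes, `force_https = false` in the app's fly.toml so Fly's edge does not redirect Cloudflare's HTTP origin requests; the trade-off raised above (plaintext between Cloudflare and Fly) still applies in that configuration.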