
on_demand_tls should be a local option, not global #6722

Open
ledlamp opened this issue Dec 2, 2024 · 1 comment
Labels
declined 🚫 Not a fit for this project feature ⚙️ New feature or request

Comments

@ledlamp

ledlamp commented Dec 2, 2024

Suppose you reverse-proxy to an app that makes its own subdomains, so you use on-demand TLS and make Caddy ask the app for valid hostnames. The Caddyfile would look like this:

```
{
	on_demand_tls {
		ask http://localhost:9123/ask
	}
}
```

```
*.my.app, my.app {
	tls {
		on_demand
	}
	reverse_proxy http://localhost:9123
}
```

But suppose you want to run another app like this? Now there is a problem. Caddy can only be configured to ask one server, and it will ask it for all sites using on-demand. This is no good if each app knows only what hostnames it serves.

This is how it should work instead:

```
*.my.app, my.app {
	tls {
		on_demand ask http://localhost:9123/ask
	}
	reverse_proxy http://localhost:9123
}

*.another.app, another.app {
	tls {
		on_demand ask http://localhost:10000/ask
	}
	reverse_proxy http://localhost:10000
}
```

@francislavoie
Member

francislavoie commented Dec 2, 2024

That's not possible with how On-Demand is triggered under the hood. There's only one on_demand config for the whole app. See https://caddyserver.com/docs/json/apps/tls/

What you can do though is write your own permission plugin which splits the upstream you hit based on SNI, using a mapping. Your plugin would implement the https://pkg.go.dev/github.com/caddyserver/caddy/v2/modules/caddytls#OnDemandPermission interface, in the tls.permission.* module namespace.
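The two posts above describe, between them, the ask contract (Caddy sends the requested hostname to an HTTP endpoint and a 2xx reply allows issuance) and a permission plugin that routes that question to a different upstream per SNI. The Go below is an added example, not code from this issue or from Caddy: `PermissionBySNI`, `askHandler` and `newDemoPermission` are hypothetical names; the local `OnDemandPermission` interface copies the method set of caddytls.OnDemandPermission so the file builds without importing Caddy, and the module registration in the tls.permission.* namespace that a real plugin needs is left out. The two ask servers are constructed stand-ins for the apps behind the `reverse_proxy` lines in the Caddyfile, and the `?domain=` query parameter is the one Caddy's built-in HTTP permission module sends.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// OnDemandPermission copies the method set of caddytls.OnDemandPermission so this
// file builds without Caddy; a real plugin also registers in tls.permission.* (omitted).
type OnDemandPermission interface {
	CertificateAllowed(ctx context.Context, name string) error
}

// PermissionBySNI (hypothetical) picks which app's "ask" endpoint to consult from the
// requested name, then does the GET <endpoint>?domain=<name> check Caddy does against its single endpoint.
type PermissionBySNI struct {
	Zones map[string]string // apex name -> ask URL of the app serving it and its subdomains
}

// normalize lower-cases a name and drops a trailing dot before lookup and forwarding.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// endpointFor returns the ask URL responsible for name. Matching requires a label
// boundary ("notmy.app" is not under "my.app") and the longest matching zone wins.
func (p PermissionBySNI) endpointFor(name string) (string, bool) {
	var bestZone, bestEndpoint string
	for zone, endpoint := range p.Zones {
		z := normalize(zone)
		if (name == z || strings.HasSuffix(name, "."+z)) && len(z) > len(bestZone) {
			bestZone, bestEndpoint = z, endpoint
		}
	}
	return bestEndpoint, bestZone != ""
}

// CertificateAllowed returns nil only when the app owning the name's zone answers 2xx.
// Names outside every configured zone are denied without any network call.
func (p PermissionBySNI) CertificateAllowed(ctx context.Context, name string) error {
	name = normalize(name)
	endpoint, ok := p.endpointFor(name)
	if !ok {
		return fmt.Errorf("%s: no on-demand zone configured", name)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint+"?domain="+url.QueryEscape(name), nil)
	if err != nil {
		return err
	}
	// A bounded timeout keeps a slow app from stalling TLS handshakes indefinitely.
	resp, err := (&http.Client{Timeout: 3 * time.Second}).Do(req)
	if err != nil {
		return fmt.Errorf("asking %s about %s: %w", endpoint, name, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s: refused by %s (HTTP %d)", name, endpoint, resp.StatusCode)
	}
	return nil
}

// askHandler is a constructed stand-in for an app's ask endpoint: 200 if served, else 403.
func askHandler(served ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		domain := normalize(r.URL.Query().Get("domain"))
		for _, s := range served {
			if domain == s {
				w.WriteHeader(http.StatusOK)
				return
			}
		}
		http.Error(w, "unknown host", http.StatusForbidden)
	})
}

// newDemoPermission wires two constructed apps (standing in for the issue's two
// reverse_proxy upstreams) into one PermissionBySNI; the returned func stops them.
func newDemoPermission() (PermissionBySNI, func()) {
	appA := httptest.NewServer(askHandler("my.app", "alice.my.app"))
	appB := httptest.NewServer(askHandler("another.app", "bob.another.app"))
	p := PermissionBySNI{Zones: map[string]string{
		"my.app":      appA.URL + "/ask",
		"another.app": appB.URL + "/ask",
	}}
	return p, func() { appA.Close(); appB.Close() }
}

func main() {
	p, stop := newDemoPermission()
	defer stop()
	for _, n := range []string{"alice.my.app", "mallory.my.app", "evil.example"} {
		fmt.Printf("%-16s %v\n", n, p.CertificateAllowed(context.Background(), n))
	}
}
```

Two design points matter for a plugin like this. A name that falls under no configured zone is refused before any request is made, so an arbitrary SNI in a handshake cannot cause issuance attempts or traffic to any upstream, and the suffix check insists on a label boundary so `notmy.app` is never mistaken for a subdomain of `my.app`. The handshake still blocks on the app's answer, which is why the client carries a short timeout.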

@mholt mholt added declined 🚫 Not a fit for this project feature ⚙️ New feature or request labels Dec 2, 2024