In this guide, I will walk you through setting up a Caddy web server on your VPS, enabling on-demand TLS for all your tenants. This will allow you to provide 100% free SSL for both wildcard subdomains and custom domains for your tenants.
Prerequisites
This guide assumes that Apache is already set up and running. If you haven’t set it up yet, please do so first. It’s recommended that you fully configure your CRM on Apache and ensure everything works properly before proceeding with Caddy installation, as Caddy will act as a reverse proxy for Apache.
Step 1: Ensure Port 80 is Available for Caddy
Caddy needs port 80 to be available for its installation. If Apache is currently using port 80, you’ll need to reconfigure Apache to listen on a different port, such as port 8081. This guide assumes Apache will be configured to listen on port 8081.
To change Apache’s listening port, follow this guide: Change Apache Port in Linux.
Step 2: Install Caddy Server
To begin, you need to set up Caddy on your server. You can find the installation instructions on the official Caddy website: Caddy Installation Documentation. Caddy is free and open-source.
Step 3: Configure On-Demand TLS in the Caddyfile
Now, you’ll need to configure Caddy to use on-demand TLS for automatic SSL certificate issuance. For details on how this works, refer to this Caddy documentation: Automatic HTTPS in Caddy.
To allow Caddy to verify tenant subdomains or custom domains, you’ll need to set up an “ask” endpoint. Our module provides an open endpoint for this. It looks like the following:
    http://localhost:8081/perfex_saas/api/caddy_domain_check?domain=demo.crm.com
Replace localhost:8081 with the address of your local Apache or Nginx server.
The endpoint returns:
- 404 if no match is found
- 200 (OK) if the domain matches the base domain
- 200 (Matched) if a subdomain or custom domain is found
In your Caddyfile, you don’t need to explicitly include the domain query parameter in the URL, as Caddy will handle this automatically. The on-demand TLS section of your Caddyfile should look like this:
    {
        on_demand_tls {
            # Apache on port 8081 serves plain HTTP (see the VirtualHost in Step 5)
            ask http://localhost:8081/perfex_saas/api/caddy_domain_check
            interval 2m
            burst 5
        }
    }
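A stand-in for the ask contract described above, written as an added example in Python; it is not the module's own code. Caddy sends `GET <ask URL>?domain=<name>` and only a 2xx answer permits issuance, so the check matches names exactly and answers 404 for everything else. The base domain, tenant names and port 9123 are constructed for illustration.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

BASE_DOMAIN = "crm.com"                  # constructed: the SaaS base domain
TENANT_SLUGS = {"demo", "acme"}          # constructed: tenant subdomain names
CUSTOM_DOMAINS = {"portal.example.org"}  # constructed: tenant custom domains

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(domain):
    """Lower-case, drop the trailing dot, reject anything that is not a hostname."""
    name = (domain or "").strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    if not all(LABEL.fullmatch(label) for label in labels):
        return None          # wildcards, paths, empty labels, odd characters
    if labels[-1].isdigit():
        return None          # IPv4 literal, not a domain
    return name

def ask_status(domain):
    """Status for Caddy: 200 permits a certificate, 404 refuses it."""
    name = normalize(domain)
    if name is None:
        return 404
    if name == BASE_DOMAIN or name in CUSTOM_DOMAINS:
        return 200
    suffix = "." + BASE_DOMAIN
    # Exact tenant match only: no nested or look-alike names under the base domain.
    if name.endswith(suffix) and name[:-len(suffix)] in TENANT_SLUGS:
        return 200
    return 404

class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        self.send_response(ask_status(query.get("domain", [""])[0]))
        self.end_headers()

if __name__ == "__main__":
    # Loopback only: the endpoint is meant for Caddy on the same host.
    HTTPServer(("127.0.0.1", 9123), AskHandler).serve_forever()
```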
Step 4: Complete Caddyfile Configuration
Here’s an example of how your complete Caddyfile should look:
    # Caddyfile

    # Global options block
    {
        on_demand_tls {
            ask http://localhost:8081/perfex_saas/api/caddy_domain_check
            interval 2m
            burst 5
        }
    }

    # HTTPS configuration for your domain
    :443 {
        tls mail@perfexdomain.com {
            on_demand
        }
        encode gzip
        # Reverse proxy to Apache (on port 8081, serving /var/www/html)
        reverse_proxy localhost:8081 {
            # Pass the client's address to Apache, not the upstream's own address
            header_up X-Real-IP {remote_host}
        }
    }
Step 5: Apache Configuration
Next, configure Apache to listen on port 8081. Here’s an example of how your Apache VirtualHost should be configured:
    <VirtualHost *:8081>
        ServerAdmin webmaster@localhost
        ServerName perfexdomain.com
        ServerAlias *.perfexdomain.com *
        DocumentRoot /var/www/html
        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <IfModule mod_dir.c>
            DirectoryIndex index.php index.pl index.cgi index.html index.xhtml
        </IfModule>
    </VirtualHost>
Step 6: Custom Domain Configuration
For tenant custom domains to work, customers need to point their domain to your server’s IP address using an A record or a CNAME record. Provide your server’s IP address to your customers so they can configure their DNS settings accordingly. You can provide this information in SaaS > Settings > Miscellaneous.
Once this is done, tenant domains will automatically be served with SSL via Caddy’s on-demand TLS.
Important Notes:
Caddy handles the SSL certificate issuance and automatic renewal, so tenants’ custom domains and subdomains will always have up-to-date certificates.
The guide provided here is for illustration purposes and covers a basic setup. For production environments, it’s advised to configure Caddy and Apache more optimally and consult with your server administrator.