danb35 / freenas-iocage-nextcloud

Script to create an iocage jail on FreeNAS for the latest Nextcloud 28 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt
GNU General Public License v3.0

Set default SNI for Caddy #89

Closed PrivatePuffin closed 4 years ago

PrivatePuffin commented 4 years ago

Some reverse proxy configs do not play nice with SNI (or would take config changes to work nice with SNI). Simply put, under some reverse proxies (OPNSENSE, nginx for example) it fails under default settings due to SNI failure. Normally one would solve this by fixing their proxy config.

However, because the caddy server for this project just serves Nextcloud and Nextcloud only, I suggest setting the default-sni flag on caddy. This ensures SSL requests without a (proper) SNI tag get the same certificate as requests that do.

This would be a security issue when hosting multiple sites, but with just nextcloud there is barely any risk. SNI is simply not required on single-ip, single-site setups like this.

danb35 commented 4 years ago

Interesting. I don't mind this in principle, but I don't find any documentation on using this flag in a Caddyfile--the Caddy docs, well, aren't very well organized. Can this be done in the Caddyfile, or can the flag only be added as a command-line argument when initially launching Caddy?

PrivatePuffin commented 4 years ago

It's only a launch flag (sadly enough), because it's daemon wide. Note: tested it, setting the flag in the rc.d script worked out fine for me ;)

danb35 commented 4 years ago

I'm using the rc file from the FreeBSD package, and am not inclined to change it.

PrivatePuffin commented 4 years ago

Shame, as Caddy is never going to support this in their upstream rc file.

danb35 commented 4 years ago

Caddy v2 supports this as a Caddyfile option, and it's enabled and documented in the caddyv2 branch.
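For reference, this is what the Caddy v2 form of the change discussed above looks like. It is an added illustration, not the Caddyfile from this project's caddyv2 branch; the hostname, listener and paths are placeholders, and the PHP-FPM socket address is an assumption.

```caddyfile
# Global options block: default_sni names the site whose certificate is
# served to TLS clients that send no SNI (or an unrecognised one).
# Only safe here because this jail serves a single site; on a host with
# several sites it would hand the Nextcloud certificate to every
# SNI-less client, so do not copy it into a multi-site Caddyfile.
{
    default_sni cloud.example.com
}

# Single Nextcloud site; the only hostname this Caddy instance serves.
cloud.example.com {
    root * /usr/local/www/nextcloud
    # PHP-FPM listener address is an assumption for this example.
    php_fastcgi 127.0.0.1:9000
    file_server
}
```

With this in place, a TLS handshake that omits the server name (for example from a reverse proxy that does not forward SNI) receives the cloud.example.com certificate instead of failing.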