Same domain in different swarm services of a stack

[pwFoo]

Hi, I payed a round with some configs, but have different problems.

I try to...

1. use one domain for a stack with 3 services (/*, /api/* and /ide/*)
2. secure the /ide/* part with a client cert auth (works only global for all services?!)

Tested container labels for each service with handle_path, route and matcher.

Additional question... is it possible to use <serviceName> <port> instead of {{upstreams <port>}}? Maybe it would be possible to bind all labels to one service and build it that way...

[francislavoie]

TLS client certs are checked at TLS handshake time, before the HTTP routes are executed (and before the server even sees the request path). So it's not possible to limit client certs to only certain request paths.

You could set client auth to "verify_if_given" which would not reject connections if not authenticated, then use an expression matcher + tls client cert placeholders to check if given, but that's complicated.

Additional question... is it possible to use instead of {{upstreams }}?

I don't understand the question.

[pwFoo]

Ok, so keep it simpler I just use another subdomain for that.

Also had some trouble with the default /* with redirect loops. Would a simple caddy block work as "default" or is something special to do?

default = Docker stack service "web"

    labels:
      caddy: "<DOMAIN>"
      caddy.reverse_proxy: "{{upstreams 80}}"

Tried with route too, but not working

      caddy: "<DOMAIN>" 
      caddy.route: "/*"
      caddy.route.0_reverse_proxy: "{{upstreams 8080}}"

Docker stack service "api" sub path (written from mind...)

      caddy: "<DOMAIN>" // <- same as above!
      caddy.route: "/api/*"
      caddy.route.1_uri: "strip_prefix /api"
      caddy.route.1_reverse_proxy: "{{upstreams 8080}}"

Alternative tested with handle_path

Additional question is, if I can use docker service name like "api" instead of the placeholder {{ upstreams 8080}}, but wouldn't the best way to redirect / proxy to another container / service in that stack.

[francislavoie]

What do you mean by "not working"? That means nothing. Please be specific about the problem you've having. I don't understand the problem. Show example requests with curl -v, show your logs, etc.

Additional question is, if I can use docker service name like "api" instead of the placeholder {{ upstreams 8080}}, but wouldn't the best way to redirect / proxy to another container / service in that stack.

You can do reverse_proxy api:8080 as you would normally without CDP.

[pwFoo]

Thanks for helping with some hints! I'll do some more tests and come back with more details!

[pwFoo]

The TLS client question has been answered. Running the other Part 2 services on the same domain is therefore less relevant, which is why I am putting this on hold for now and closing the issue. Many thanks for the information!