Transitioning to On-Demand TLS
Author: Alex Lee (@alexjoelee)
We've transitioned to exclusively using on-demand TLS for all sites on our network here at Skip2. In this article, we'll take a look at what this means and how it will impact our network operations.
Background
Skip2 uses Caddy Web Server as a reliable edge reverse proxy. We run Caddy instances on all of our servers in all of our PoPs and use them to serve traffic. This includes managing SSL (TLS) Certificates. Caddy has automatic HTTPS by default, but what about when you need to serve tens of thousands of domains with Caddy?
On-Demand TLS is the Solution
Caddy pioneered this technique, which obtains a new certificate dynamically during the first TLS handshake that requires it, rather than at configuration load. It also means we no longer have to hard-code domain names into our configurations, which opens the door to features like deployment previews and static build domains.
How Does It Work?
The first time you visit your site when using on-demand TLS, you'll have to wait for 30 seconds or so. Between the moment you press "enter" on the URL and the moment the page loads, Caddy has generated a Certificate Signing Request (CSR), sent it to one of our CAs, downloaded the production certificate to our centralized storage, and then used it to terminate your connection and serve your site.
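Because any name pointed at the edge can trigger issuance, Caddy's `on_demand_tls` global option takes an `ask` URL that it queries before requesting a certificate, and only a 2xx answer lets issuance proceed. The Go program below is an added example of such an endpoint (not Skip2's code or configuration): it permits issuance only for hostnames that have actually been onboarded; the Caddyfile option in the comment, the `/check` path, port 9090 and the `knownHosts` list are assumptions, and sites opt in with `on_demand` in their `tls` block.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// Global Caddyfile option this endpoint is wired to (assumed; not from the post):
//
//	{
//		on_demand_tls {
//			ask http://127.0.0.1:9090/check
//		}
//	}
//
// Caddy sends GET /check?domain=<name> before issuing and proceeds only on 2xx.

// knownHosts is a constructed stand-in for the control-plane record of
// hostnames customers have actually onboarded; only those may trigger issuance.
var knownHosts = map[string]bool{
	"www.example.com":               true,
	"preview-42.example-static.net": true,
}

// allowed normalises the queried name and refuses anything that is not a
// plain, onboarded hostname (empty, wildcard, IP literal, or with a port).
func allowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || strings.ContainsAny(d, "*/ :") || net.ParseIP(d) != nil {
		return false
	}
	return knownHosts[d]
}

func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !allowed(domain) {
		log.Printf("on-demand TLS refused for %q (asked from %s)", domain, r.RemoteAddr)
		http.Error(w, "unknown host", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK) // any 2xx lets Caddy proceed with issuance
}

func main() {
	http.HandleFunc("/check", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9090", nil))
}
```

Refusals are logged with the requesting address, which gives a simple signal for spotting probes that try to exhaust CA rate limits with names you never onboarded.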
Benefit To Us
It's no secret that we've had some issues managing our TLS certificates in the past. Crucially, those issues stem from an excess of requests and file locks on our backend S3 certificate storage. Using on-demand TLS eliminates this problem and allows us to scale more easily.
Benefit To You
Well, first of all, I think TLS is pretty important for a CDN to be good at. This should also decrease overall certificate provisioning times. It'll also make it easier for you to migrate your sites to and from our platform without being removed for inactivity.