Caddy TLS On-Demand: Dynamic HTTPS with Let’s Encrypt
What Is TLS On-Demand in Caddy?
Caddy is famous for making HTTPS easy. Normally, you pre-configure domains, and Caddy automatically fetches and renews certificates from Let’s Encrypt or ZeroSSL.
But what if you don’t know all the domains in advance?
That’s where TLS On-Demand comes in. Instead of requiring you to list every hostname up front, Caddy can request a TLS certificate the moment a client connects.
This is especially useful for:
- SaaS platforms where customers bring their own domains
- Multi-tenant apps with dynamic subdomains
- Hosting providers that serve new domains without manual setup
How TLS On-Demand Works
- A client connects to example.com for the first time.
- Caddy checks for a cached certificate.
- If none exists, Caddy requests one from Let’s Encrypt (or ZeroSSL).
- The certificate is stored locally and automatically renewed before expiry.
- Future requests serve the cached certificate instantly.
👉 This means no manual certbot scripts or messy cron jobs.
Example Caddyfile Configuration
Here’s a simple configuration with on-demand TLS enabled:
{
    on_demand_tls {
        ask https://your-api.example.com/check-domain
        interval 2m
        burst 5
    }
}

:443 {
    tls {
        on_demand
    }
    reverse_proxy localhost:8080
}
Explanation:
- on_demand_tls (global option) enables the feature.
- ask lets you control which domains are allowed by checking against your API.
- interval and burst provide rate-limiting to prevent abuse.
- The site block :443 accepts any domain pointing to the server.
- Certificates are requested dynamically and then cached for reuse.
Security Best Practices
TLS On-Demand is powerful but can be abused if left open. For example, attackers could point thousands of random domains at your server, triggering a certificate request for each one and exhausting your Let's Encrypt rate limits.
Setting up server alerts for downtime detection ensures you're notified immediately if certificate failures cause service disruptions.
To stay safe:
- ✅ Use the ask directive to validate customer domains against your database.
- ✅ Configure interval and burst to limit certificate requests.
- ✅ Monitor your certificate logs for unexpected domains.
- ✅ Keep Caddy updated to benefit from the latest security patches.
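The ask directive in the configuration above and the first two safeguards in this list both depend on the endpoint that answers Caddy's question "may I issue a certificate for this hostname?". Caddy sends a GET request to the ask URL with the hostname in the domain query parameter; a 2xx response allows issuance and any other status denies it. The following is an added example of such an endpoint in Go, not code from the Caddy project or from the original post. The allowlist and the .apps.example dynamic-subdomain suffix are constructed sample data standing in for your customer database, and the listen address 127.0.0.1:9000 is a hypothetical choice; everything not explicitly known is denied.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Constructed sample data standing in for the customer-domain table in your
// database: exact hostnames customers have verified, plus suffixes under which
// a customer may claim exactly one dynamic subdomain (user123.apps.example).
var allowedDomains = map[string]bool{
	"customer1.example":      true,
	"shop.customer2.example": true,
}
var dynamicSuffixes = []string{".apps.example"}

// normalizeHost lowercases the value, trims whitespace, and strips any port
// and trailing dot so "Customer1.Example." matches "customer1.example".
func normalizeHost(raw string) string {
	host := strings.ToLower(strings.TrimSpace(raw))
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	return strings.TrimSuffix(host, ".")
}

// AllowDomain decides whether Caddy may obtain a certificate for raw.
// Unknown, empty or malformed hostnames are denied; deny is the safe default.
func AllowDomain(raw string) bool {
	host := normalizeHost(raw)
	if host == "" || strings.ContainsAny(host, " /\\*") {
		return false
	}
	if allowedDomains[host] {
		return true
	}
	for _, suffix := range dynamicSuffixes {
		if strings.HasSuffix(host, suffix) {
			label := strings.TrimSuffix(host, suffix)
			// Allow exactly one non-empty label below the suffix.
			if label != "" && !strings.Contains(label, ".") {
				return true
			}
		}
	}
	return false
}

// AskStatus maps the decision to the status code Caddy acts on: 200 allows
// issuance, 403 denies it.
func AskStatus(raw string) int {
	if AllowDomain(raw) {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// checkDomainHandler answers Caddy's GET /check-domain?domain=<hostname>.
func checkDomainHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status := AskStatus(domain)
	// Log every decision: the denied hostnames in this log are the
	// "unexpected domains" worth alerting on.
	log.Printf("on-demand ask domain=%q status=%d", domain, status)
	w.WriteHeader(status)
	fmt.Fprintln(w, http.StatusText(status))
}

func main() {
	http.HandleFunc("/check-domain", checkDomainHandler)
	// Hypothetical listen address; expose it at the URL named in the
	// Caddyfile's ask directive (https://your-api.example.com/check-domain).
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil))
}
```

Point the ask directive from the Caddyfile above at this handler. Because Caddy caches a certificate once issued, the endpoint is only queried for hostnames it has not yet seen, so it must be fast but need not be highly scalable; keeping the decision in a pure function (AllowDomain) also makes it easy to unit-test the normalization and the one-label rule for dynamic subdomains before anything reaches a certificate authority.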
Real-World Use Cases
- Multi-tenant SaaS: Customers get HTTPS automatically on their own domain.
- Dynamic subdomains: Services like user123.example.com are secured instantly.
- Reverse proxies: Hosting arbitrary customer domains without manual certs.
- Self-hosted services: Developers deploying new apps on the fly.
If you're running Caddy in front of Docker, pair it with Docker container monitoring to track each service behind the proxy.
FAQ: TLS On-Demand in Caddy
Q: What is TLS On-Demand in Caddy?
A: It’s a feature where Caddy requests TLS certificates at the moment a client connects, instead of requiring preconfigured domains.
Q: Is TLS On-Demand safe?
A: Yes, as long as you use safeguards like ask validation and rate-limiting to prevent abuse.
Q: How is Caddy different from Nginx or Apache for HTTPS?
A: Unlike Nginx or Apache, which require manual certificate setup (or external tools like Certbot), Caddy handles certificate issuance, renewal, and even on-demand provisioning automatically.
Key Takeaways
- TLS On-Demand is ideal for SaaS and dynamic hosting scenarios.
- Always configure security checks to avoid abuse.
- With just a few lines of configuration, you can enable automatic HTTPS at scale.
📌 By optimizing your Caddy setup with TLS On-Demand, you eliminate certificate headaches and deliver secure connections to every domain, automatically.
To ensure your Caddy server stays healthy beyond just TLS, set up monitoring for your Linux servers to track resource usage and uptime.