Automatic certificates per host about armor HOT 7 OPEN

What was the behavior you saw? Did you get certificates for all your hosts?

We can add a flag to disable auto TLS in host object? What are you thoughts?

from armor.

I use Armor as proxy for few web sites in my local network.
For 2 web sites, one on Apache, and one on Node.js, I am using auto TLS, and this is OK. But I have also one web site on IIS, which already have TLS certificate. Now, I was thinking, it would be nice, when Armor would only redirect incoming https requests to IIS, without to issue new TLS certificate.
So I think, new flag "no_tls" : true per host settings would resolve this issue.

from armor.

@dkeza We can add a flag to not pull a certificate automatically for any host but then what certificate will you use for your domain which proxies to IIS. The certificate should be known to Armor for this domain. I am not sure if you mean that you don't want to use HTTPS for this domain, so if that's the case you can directly send HTTP traffic to that domain?

from armor.

I will try to explain what I have on mind, I am not sure if this is common practice.
When I have one domain example.no-ip.com, and I have Armor as reverse proxy, I wish that https requests to example.no-ip.com are handled by Armor, and that Armor just redirects/forwards that request as https request to IIS server in local network on IP address 192.168.1.100. On IIS server I have already installed valid TLS certificate for domain example.no-ip.com
I don't wish that Armor uses TLS certificate for example.no-ip.com domain, I wish that he only forwards https requests to 192.168.1.100 in local network.
For other domains defined in config.json for Armor, I wish that Armor uses/issues TLS certificates from cache_tls file, and that then forwards https requests as http to ip addresses in local network.

from armor.

For Armor to handle your example.no-ip.com's https requests it needs valid certificates as Armor faces the internet. You have a couple of choices:

1. Rely on Armor to generate certificate and proxy https request to your internal IIS server (It should use your certificate internally)
2. If you certificates are valid and signed by CA, copy and use them in the config.json for this domain

Let me know your thoughts

from armor.

OK, you are right, I let Armor issue TLS certificate also for my IIS website.
How Armor knows when should he get new certificate from Letsencrypt?

from armor.

If auto TLS is on and you haven't specified any certificates for a host then Armor will try to provision them from LetsEncrypt and also keep a track of renewing it.

from armor.