One of the harder problems I solved in my open source PaaS was proximity steering.

In short: load balancing that routes each user to the physically closest server, the one with the lowest latency.

My goal: any node can become a proxy, terminate TLS for any service, and route to available servers. Always hitting the nearest server.

Since I couldn't afford Anycast / BGP, I went with GeoDNS. DNS always resolves to nearest server, but there was a big problem: ACME challenges.

When a proxy server tries to obtain a TLS certificate, the CA's HTTP-01 ACME challenge request has to reach the server that asked for the certificate. With GeoDNS steering every client, including the CA's validator, to whichever server is nearest to it, that couldn't be guaranteed.

The solution: Central ACME.

Instead of each proxy creating its own certificate, I delegate to the control plane. When a custom domain is added, the control plane triggers certificate generation. Any challenge request hitting the domain (could be any server in the fleet) gets rewritten by the proxy to the control plane. So any server can handle any challenge. Once ready, the generated certificate syncs to every server.
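As an added illustration of the rewrite step (this is example code written for this post, not the PaaS's own proxy or its Traefik configuration), the Go program below runs a constructed control plane, a local service backend and an edge proxy in-process. The proxy forwards anything under `/.well-known/acme-challenge/` to the control plane, keeping the original `Host` header so the control plane can key the challenge on the domain being validated, and sends everything else to the local backend. The hostname `app.example.com`, the token `tok123` and the key authorization string are placeholders.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// acmeChallengePrefix is the path the HTTP-01 challenge is served under.
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// newEdgeHandler is the edge proxy: challenge requests are rewritten to the
// control plane, every other request goes to the local service backend.
func newEdgeHandler(controlPlane, backend *url.URL) http.Handler {
	toControlPlane := httputil.NewSingleHostReverseProxy(controlPlane)
	toBackend := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, acmeChallengePrefix) {
			// The default reverse-proxy director keeps r.Host unchanged, so the
			// control plane still sees the custom domain being validated.
			toControlPlane.ServeHTTP(w, r)
			return
		}
		toBackend.ServeHTTP(w, r)
	})
}

// controlPlaneHandler is a constructed stand-in for the control plane's
// challenge responder. Answers are keyed on "<host>/<token>" so a token issued
// for one domain can never satisfy a challenge for another.
func controlPlaneHandler(challenges map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, acmeChallengePrefix)
		if ka, ok := challenges[r.Host+"/"+token]; ok {
			w.Header().Set("Content-Type", "application/octet-stream")
			io.WriteString(w, ka)
			return
		}
		http.NotFound(w, r)
	})
}

// RouteResult records the status and body a request received through the edge.
type RouteResult struct {
	Status int
	Body   string
}

// Simulate wires up the three components, sends one challenge request and one
// ordinary request through the edge proxy, and returns both outcomes.
func Simulate() (challenge, app RouteResult, err error) {
	// Constructed challenge state: one pending token for one custom domain.
	challenges := map[string]string{
		"app.example.com/tok123": "tok123.thumbprint-placeholder",
	}
	cp := httptest.NewServer(controlPlaneHandler(challenges))
	defer cp.Close()
	be := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello from local backend")
	}))
	defer be.Close()
	cpURL, _ := url.Parse(cp.URL)
	beURL, _ := url.Parse(be.URL)
	edge := httptest.NewServer(newEdgeHandler(cpURL, beURL))
	defer edge.Close()

	do := func(path string) (RouteResult, error) {
		req, err := http.NewRequest("GET", edge.URL+path, nil)
		if err != nil {
			return RouteResult{}, err
		}
		req.Host = "app.example.com" // the custom domain GeoDNS pointed here
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return RouteResult{}, err
		}
		defer resp.Body.Close()
		b, err := io.ReadAll(resp.Body)
		if err != nil {
			return RouteResult{}, err
		}
		return RouteResult{Status: resp.StatusCode, Body: string(b)}, nil
	}
	if challenge, err = do(acmeChallengePrefix + "tok123"); err != nil {
		return
	}
	app, err = do("/")
	return
}

func main() {
	c, a, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("challenge -> %d %q\n", c.Status, c.Body)
	fmt.Printf("app       -> %d %q\n", a.Status, a.Body)
}
```

The rewrite matches only the exact challenge prefix, so the rest of the site is untouched, and the control plane answers only for tokens it issued itself; both properties matter once every node in the fleet is willing to forward challenges on behalf of every domain.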

This needed perfect coordination between control plane, Traefik proxy, and server agents for certificate sync.

I tested this setup with BunnyDNS across 4 regions (US, Singapore, Europe, Sydney) and it has worked really well so far!

Now when I deploy a service, I replicate to every region. The agent, proxy, and control plane handle the rest.