diff --git a/lib/kamal/configuration/proxy.rb b/lib/kamal/configuration/proxy.rb index cc7ed3be7..7d46fdf9f 100644 --- a/lib/kamal/configuration/proxy.rb +++ b/lib/kamal/configuration/proxy.rb @@ -22,6 +22,10 @@ def ssl? proxy_config.fetch("ssl", false) end + def custom_tls_certificate? + proxy_config["ssl_certificate_path"].present? + end + def hosts proxy_config["hosts"] || proxy_config["host"]&.split(",") || [] end diff --git a/lib/kamal/configuration/role.rb b/lib/kamal/configuration/role.rb index 708e77fc2..372a3165b 100644 --- a/lib/kamal/configuration/role.rb +++ b/lib/kamal/configuration/role.rb @@ -150,8 +150,8 @@ def asset_volume_directory(version = config.version) end def ensure_one_host_for_ssl - if running_proxy? && proxy.ssl? && hosts.size > 1 - raise Kamal::ConfigurationError, "SSL is only supported on a single server, found #{hosts.size} servers for role #{name}" + if running_proxy? && proxy.ssl? && hosts.size > 1 && !proxy.custom_tls_certificate? + raise Kamal::ConfigurationError, "SSL is only supported on a single server or with custom SSL certificates, found #{hosts.size} servers for role #{name}" end end diff --git a/test/configuration_test.rb b/test/configuration_test.rb index c1aaa6971..236e49cef 100644 --- a/test/configuration_test.rb +++ b/test/configuration_test.rb @@ -371,7 +371,16 @@ class ConfigurationTest < ActiveSupport::TestCase Kamal::Configuration.new(@deploy_with_roles) end - assert_equal "SSL is only supported on a single server, found 2 servers for role workers", exception.message + assert_equal "SSL is only supported on a single server or with custom SSL certificates, found 2 servers for role workers", exception.message + end + + test "proxy ssl roles with multiple servers and a custom SSL certificate" do + @deploy_with_roles[:servers]["workers"]["proxy"] = { "ssl" => true, "host" => "foo.example.com", "ssl_certificate_path" => "/path/to/cert.pem", "ssl_private_key_path" => "/path/to/key.pem" } + + config = Kamal::Configuration.new(@deploy_with_roles) + + assert config.role(:workers).running_proxy? + assert config.role(:workers).ssl? end test "two proxy ssl roles with same host" do