Building Multi-Tenant SaaS with Rails 8, Caddy, and Kamal

After publishing the Kamal deployment guide, the most common question was: "How do I handle multiple tenant domains with automatic SSL?" kamal-proxy can't do it — every new domain means editing deploy.yml and redeploying. So I wrote a guide that solves it end-to-end. What it covers: Why kamal-proxy's SSL doesn't scale for multi-tenant apps Running Caddy as a Kamal accessory for on-demand TLS The /internal/tls/verify endpoint — Caddy asks Rails before issuing any cert Subdomain data model, validation, and auto-generation Constraint-based routing (TenantConstraint / MainConstraint) Resolving the current tenant from the request hostname Custom domain model with DNS instructions for users Full Caddyfile and deploy.yml configuration Why config.hosts.clear is safe when Caddy gates traffic The architecture is based on a real production app (Dinehere — AI restaurant website builder) where each tenant gets a subdomain and can connect their own domain. This is Part 2 of the series. Part 1: The C