After publishing the Kamal deployment guide, the most common question was: "How do I handle multiple tenant domains with automatic SSL?"
kamal-proxy can't do it — every new domain means editing deploy.yml and redeploying. So I wrote a guide that solves it end-to-end.
What it covers:
- Why kamal-proxy's SSL doesn't scale for multi-tenant apps
- Running Caddy as a Kamal accessory for on-demand TLS
- The `/internal/tls/verify` endpoint — Caddy asks Rails before issuing any cert
- Subdomain data model, validation, and auto-generation
- Constraint-based routing (`TenantConstraint` / `MainConstraint`)
- Resolving the current tenant from the request hostname
- Custom domain model with DNS instructions for users
- Full `Caddyfile` and `deploy.yml` configuration
- Why `config.hosts.clear` is safe when Caddy gates traffic
The architecture is based on a real production app (Dinehere — AI restaurant website builder) where each tenant gets a subdomain and can connect their own domain.
This is Part 2 of the series. Part 1: The Complete Guide to Deploying Rails 8 with Kamal on Hetzner
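
To make the `/internal/tls/verify` item concrete, here is a sketch of the decision such an endpoint has to make, written as a plain Rack-style handler. It is an added example, not code from the guide or from Dinehere: the base domain, tenant data and method names are assumptions, and it relies only on Caddy's documented behaviour of calling the `ask` URL with `?domain=<hostname>` and issuing a certificate only on a 200 response.

```ruby
require "uri"
require "set"

# Constructed sample data; a real app would query its tenant tables instead.
BASE_DOMAIN    = "example.test"                    # assumed platform domain
SUBDOMAINS     = Set["luigis", "sakura"]           # assumed tenant subdomains
CUSTOM_DOMAINS = { "luigis-pizza.test" => true,    # ownership verified
                   "pending.test"      => false }  # DNS not yet confirmed
HOST_RE = /\A(?=.{1,253}\z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/

# Normalise the hostname Caddy passes in; nil unless it is a plain FQDN.
def normalize_host(raw)
  host = raw.to_s.strip.downcase.chomp(".")
  host.match?(HOST_RE) ? host : nil
end

# True only for hostnames the app is prepared to serve over TLS.
def certificate_allowed?(raw)
  host = normalize_host(raw)
  return false unless host

  suffix = ".#{BASE_DOMAIN}"
  if host.end_with?(suffix)
    label = host.delete_suffix(suffix)
    # Exactly one label: "a.luigis.example.test" must not ride on "luigis".
    return !label.include?(".") && SUBDOMAINS.include?(label)
  end
  CUSTOM_DOMAINS[host] == true
end

# Handler for GET /internal/tls/verify?domain=<host>.
# Anything other than 200 makes Caddy refuse to obtain a certificate.
def tls_verify(env)
  params = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h
  allowed = certificate_allowed?(params["domain"])
  [allowed ? 200 : 404, { "content-type" => "text/plain" }, [allowed ? "ok" : "unknown host"]]
rescue ArgumentError
  # Malformed query string: treat as not allowed.
  [404, { "content-type" => "text/plain" }, ["unknown host"]]
end
```

Denying by default is the point: without this gate, any hostname pointed at the server could trigger certificate issuance and burn through CA rate limits.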