Adding caddy to a running apache server

I found caddy from trying letsencrypt clients, and it sounds excellent! However, I need to know if I can start gently running caddy behind an apache front end. I have it on my single server and it is currently running about 10 vhosts, each with separate tls certs. All current sites are strict https-only.

If I use dns validation, can I also use auto-cert management with a virgin site and a suitable http proxy statement in the apache config?

Also, would I be able to have more than one caddy instance running, or how would I run multiple new vhosts under the single caddy instance?

Yes, this will work fine. You could possibly even use regular validation (well-known URI challenge) - as long as Apache is faithfully proxying the entire domain to Caddy (or at least /.well-known.)

That’s one way to do it, but probably not the easiest… Have a look at the Caddyfile documentation, which supports multiple vhosts - you can edit your Caddyfile while Caddy is live, and then tell Caddy to reload configuration with a USR1 signal to add or remove vhosts with no downtime.

I’m a fan of the import directive myself, in the form of import /etc/caddy/vhosts/*.caddy and I symlink/copy in individual domain vhosts as files (kind of how Apache enable/disable their sites).


Thanks, Matthew, but doesn’t the well-known method require http vs https? How does that work with caddy’s tls-only management?

Caddy shouldn’t have any problem solving TLS-SNI-01 challenges over port :443 as long as that’s forwarded, I think.

Under my current circumstances I think I will try https caddy, behind apache, but without auto-cert management for a while (I’ll generate them or renew them the standalone way with another letsencrypt client and copy them into their final location as needed).

How do I turn off auto-tls?

There’s a list of criteria which must all be true for Caddy to enable Automatic HTTPS - you can see the list here. Breaking any of those conditions will stop Caddy from automatically managing your certificates.

You can switch off tls with

tls off

in your server block, e.g.

example.com:80 {
  tls off
}

You do need to specify :80 or another port, otherwise the site will be served on :2015

If you are using LetsEncrypt anyway and caddy can have access to :443 then you should use (or at least try out) caddy auto-tls, it's like magic!
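Putting the two answers above together, here is an added example (not from either poster, and not Caddy's own docs) of the "one Caddy process, one file per vhost, Apache in front" layout for the Caddy 0.x Caddyfile syntax used in this thread. File paths, ports and the backend on localhost:3000 are assumptions; Apache keeps :80/:443 and terminates TLS, so each Caddy site listens for plain HTTP on a loopback port only.

```caddyfile
# /etc/caddy/Caddyfile (assumed path): one Caddy process, one file per vhost,
# like Apache's sites-enabled. Reload with USR1 after adding or removing a file.
import /etc/caddy/vhosts/*.caddy

# /etc/caddy/vhosts/example.com.caddy (assumed path)
# Apache owns :80 and :443 and proxies this host to 127.0.0.1:8081.
# "bind 127.0.0.1" keeps the site unreachable from outside the box, and
# "tls off" stops Caddy from trying to obtain a certificate for example.com
# itself (Apache already holds the real one).
http://example.com:8081 {
    bind 127.0.0.1
    tls off
    root /var/www/example.com
    log /var/log/caddy/example.com.log
}

# /etc/caddy/vhosts/app.example.com.caddy (assumed path): same pattern, but
# Caddy forwards to an app on localhost:3000; "transparent" passes the
# original Host and X-Forwarded-* headers through to the backend.
http://app.example.com:8082 {
    bind 127.0.0.1
    tls off
    proxy / localhost:3000 {
        transparent
    }
}
```

On the Apache side the existing TLS vhost needs ProxyPreserveHost On and a ProxyPass to the matching loopback port, so Caddy still sees the real Host header and matches the right site. Because Caddy is not doing TLS here, leave certificate renewal to the client that already manages Apache's certs, as the thread suggests.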
