What’s the best way to reverse proxy to different hosts with their own IP address?
Currently, I am simply reverse proxying to the host via HTTPS and hence terminating with a valid cert on the Caddy server. Then it creates an HTTPS connection to the host, where a second termination with a self-signed cert happens, so that passwords are not sent in clear text over the network.
I was thinking of specifying the self-signed cert in the Caddyfile so that the identity can be confirmed. How would I do that, or would you recommend a different way?
You’re definitely doing it what I’d consider the “normal” way already.
What exactly do you mean by specifying the self-signed cert in the Caddyfile? Wouldn’t this be a detriment as the certificate would be untrusted by default for just about every client?
If you’re talking about TLS passthrough (i.e. having Caddy not terminate TLS and instead pass the connection through entirely to the upstream server so the client negotiates directly with the upstream for HTTPS), that’s not something that Caddy’s HTTP server can handle. HTTP is layer 7; passing through a TCP stream needs to be done by a TCP server (layer 4). Matt Holt’s project Conncept can do this, though: mholt/conncept on GitHub (Project Conncept: A layer 4 app for Caddy that multiplexes raw TCP/UDP streams)
My main intent was to verify the certificate on the Caddy host, so that the server identity could theoretically not change.
And according to the documentation the usage of this feature is not safe and may be removed in the future.
That’s mainly why I am asking about this.
Hmm, the doc you linked is for insecure_skip_verify which explicitly does not verify the server certificate.
It does seem to warn that it may be removed, but I personally doubt very much it will be any time soon. Having self-signed upstreams is just a far too common use case, unfortunately. Either way, it’ll be deprecated well in advance of removal (i.e. discouraged but still available).
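An added Caddyfile example, not from the thread, showing the two configurations the discussion contrasts: the weak setting that skips upstream verification, and the pinned setting that answers the original question by trusting only the upstream's own self-signed certificate. Hostnames, the upstream address and the PEM path are placeholders.

```caddyfile
# Constructed example: hostnames, IPs and paths are placeholders.

# Weak: Caddy re-encrypts to the upstream but accepts ANY certificate,
# so a host that takes over the upstream's address would not be detected.
weak.example.com {
	reverse_proxy https://192.0.2.10:8443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Pinned: the upstream's self-signed certificate is the only trusted root,
# so the upstream identity is verified on every proxied connection.
# The PEM file is the upstream's own self-signed certificate; its SANs must
# cover the dialed host or the name given in tls_server_name, otherwise
# hostname verification fails and the proxy returns an error.
pinned.example.com {
	reverse_proxy https://192.0.2.10:8443 {
		transport http {
			tls_trusted_ca_certs /etc/caddy/upstream-selfsigned.pem
			tls_server_name internal.host
		}
	}
}
```

Because the self-signed certificate is itself the trust anchor, rotating it on the upstream means replacing the PEM file on the Caddy host and reloading the config; a mismatch shows up as a TLS verification error in Caddy's logs rather than silently falling back.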