Best way to reverse proxy to self-signed https server

Hey again,

What’s the best way to reverse proxy to different hosts that have their own IP addresses?

Currently, I am simply reverse proxying to the host via https and hence terminating with a valid cert on the caddy server. Then it creates a https connection to the host where a second termination with a self-signed cert happens, so that passwords are not sent in clear text over the network.

This is how my Caddyfile looks:

https://example.com {
        reverse_proxy https://192.168.x.x:port {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

I was thinking of specifying the self-signed cert in the caddy file so that the identity can be confirmed. How would I do that or would you recommend a different way?

Thanks in advance!

Howdy @pwned,

You’re definitely doing it in what I’d consider the “normal” way already.

What exactly do you mean by specifying the self-signed cert in the Caddyfile? Wouldn’t this be a detriment as the certificate would be untrusted by default for just about every client?

You could have Caddy issue its own locally-trusted, self-signed certificates with tls internal if you wanted to: tls (Caddyfile directive) — Caddy Documentation

If you’re talking about TLS passthrough (i.e. having Caddy not terminate TLS and instead pass the connection through entirely to the upstream server so the client negotiates directly with the upstream for HTTPS), that’s not something that Caddy’s HTTP server can handle. HTTP is layer 7, passing through a TCP stream needs to be done by a TCP server (layer 4). Matt Holt’s project Conncept can do this, though: GitHub - mholt/conncept: Project Conncept: A layer 4 app for Caddy that multiplexes raw TCP/UDP streams

Hey @Whitestrake!

My main intent was to verify the certificate on the caddy host, so that the server identity could theoretically not change.
And according to the documentation the usage of this feature is not safe and may be removed in the future.
That’s mainly why I am asking about this.

Cheers!

Hmm, the doc you linked is for insecure_skip_verify which explicitly does not verify the server certificate.

It does seem to warn that it may be removed, but I personally doubt very much it will be any time soon. Having self-signed upstreams is just a far too common use case, unfortunately. Either way, it’ll be deprecated well in advance of removal (i.e. discouraged but still available).

It might be removed later because disabling security is not how to use self signed certificates. Caddy has other mechanisms to properly trust a CA.
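As an added example (not posted by anyone in this thread), here is the original Caddyfile's transport block rewritten to trust the upstream's self-signed certificate explicitly instead of skipping verification; it assumes the upstream certificate has been exported to /etc/caddy/upstream-ca.pem (placeholder path) and that its subject name is upstream.internal (assumption), using the tls_trusted_ca_certs and tls_server_name options of Caddy's http transport.

```caddyfile
https://example.com {
        reverse_proxy https://192.168.x.x:port {
                transport http {
                        # Replaces tls_insecure_skip_verify: a self-signed certificate is
                        # its own CA, so pinning the exported PEM here makes Caddy reject
                        # any upstream presenting a different certificate.
                        # Placeholder path; export the upstream's cert to this file first.
                        tls_trusted_ca_certs /etc/caddy/upstream-ca.pem

                        # Name Caddy verifies the upstream certificate against (assumed).
                        # Needed because the upstream is dialed by IP; omit it only if the
                        # certificate's SAN already contains 192.168.x.x.
                        tls_server_name upstream.internal
                }
        }
}
```

If the upstream certificate is ever re-issued, the pinned PEM must be replaced too, otherwise Caddy will fail the TLS handshake rather than silently accept the new identity.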
