Here, I think you’re talking about the upstream server. That’s not the same thing.
The --from
is the address Caddy listens on. The --to
is the upstream’s address.
Caddy is HTTPS by default for the “from” address. But the proxy is HTTP by default (because typically services are within your network, and encryption is no longer needed since you’re in a trusted network).
Caddy will be issuing its own certificate for localhost
, using its internal CA (similar to mkcert, except it’s built into Caddy and it’s automated). Caddy will attempt to install the root certificate of its CA to your system’s trust store, but that may fail. And if you’re making requests from other machines, you’d need to install the root CA cert to those machines manually, to establish trust.
If you want to proxy over HTTPS, you need to use https://
for the upstream address. But also, keep in mind that the upstream server might have Host
header matching, so you may need to override the Host
header as well to make it connect correctly. See the docs: reverse_proxy (Caddyfile directive) — Caddy Documentation
There’s a few things wrong here.
First, you didn’t specify a domain name, so Caddy won’t be able to automatically issue a certificate (as I explained above). If you specified localhost:5043
instead, it would do so.
For the proxy, keep in mind that your /sse
matcher will only match exactly /sse
and not /sse/foo
. Path matching is exact in Caddy. You might want /sse*
if different paths may be used. You probably don’t need the path matcher at all though, if this is all you’re serving on this site.
Also, you cannot specify a path in the upstream address. It must be just a host and port, with an optional scheme. If you need to change the path prefix, then you should use a rewrite
. But I don’t think you need that here.
All that said, I don’t think you need the complexity of serving your upstream app over HTTPS, since Caddy will terminate TLS to the client. If you do HTTPS to Caddy, then HTTPS to the upstream, that’s actually two separate TLS connections, not just one. Since the upstream is running on the same machine, there’s no real benefit to that, it’s just more overhead.