Looking closer at the logs, I’m seeing that "server_name":"" and "sni":"". So it doesn’t look like any SNI is being passed from system 1, which is starting to make sense.
Reading this got me to tls_server_name which got me to explicitly pass on the SNI to system 2. All good! TLS proxying between system 1 and system 2 is working. Now on to getting proper certs.
server 1 Caddyfile:

{
	debug
}

(defaults) {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
}

tv.l.example.com {
	reverse_proxy 172.16.1.51:8096
	import defaults
}

dl.l.example.com {
	reverse_proxy https://172.16.1.50 {
		transport http {
			tls_server_name {host}
			tls
			tls_insecure_skip_verify
		}
	}
	import defaults
}
New question:
Is there any way to use the same Let's Encrypt cert (that system 1 negotiates automatically) for the connection between system 1 and 2, since the SNI is the same? Any way to share these certs between Caddy instances that's built in?
If not, I will probably use tls_dns_cloudflare on server 2 to simplify valid cert management.
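One way to lay out the second option described above, as an added example that is not part of the original post: server 2 (the 172.16.1.50 host behind dl.l.example.com) obtains its own certificate via the Cloudflare DNS challenge, and server 1 then proxies to it with upstream verification turned on instead of tls_insecure_skip_verify. The hostname dl.l.example.com, the upstream address 172.16.1.50 and the CF_API_TOKEN variable are taken from the post; the upstream port 8080 on server 2 and the assumption that server 2 can reach a DNS-01 challenge are placeholders chosen here. Once server 2 presents a valid cert for the SNI that server 1 forwards, the hop between the two proxies is both encrypted and authenticated, which tls_insecure_skip_verify alone does not give you.

```caddyfile
# server 2 Caddyfile (assumed example, not from the post)
# Terminates TLS for dl.l.example.com with a cert obtained via the DNS challenge,
# so the name presented to server 1 matches the SNI server 1 sends.
dl.l.example.com {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
	# hypothetical local backend on server 2
	reverse_proxy 127.0.0.1:8080
}

# server 1 Caddyfile, dl site only (assumed example)
# Same as the post's block, but without tls_insecure_skip_verify:
# Caddy now validates server 2's certificate against the forwarded SNI.
dl.l.example.com {
	reverse_proxy https://172.16.1.50 {
		transport http {
			tls_server_name {host}
		}
	}
	import defaults
}
```

With this layout each instance manages its own certificate lifecycle, and any cert mismatch on the internal hop shows up in server 1's debug log as a TLS verification error rather than being silently accepted.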