Caddy TLS session reverse proxied by non-TLS Caddy

1. Caddy version:


2. How I installed, and run Caddy:


a. System environment:

Ubuntu 22.04 x64

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:


3. The problem I’m having:

I have more of a general question about an exotic Caddy configuration I’m looking into implementing.

I have a Caddy server on a public IP (external server), and I’d like it to reverse-proxy other internal IPs, also running Caddy (internal servers). Typically, this means using the external server to generate TLS certicates for each connection. However, I would like to generate the certificates on the internal servers if possible, and reverse-proxy their TLS sessions without terminating them at the external server.

As far as actually generating the certs, I think this can be done with DNS-01 challenges (TXT records) even if the internal servers are not directly connectable by IP by 0SSL/LE, though this is admittedly still in the thought experiment stage. Assuming this is doable, how would the Caddy configuration on the external server look? Is this even possible?

The crucial detail is that the TLS sessions is terminated at the internal server, not the external server – I want to eliminate the possibility of surveillance of sessions by the external server.

So, is this possible?

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

For that, you’d want a TCP/UDP proxy, instead of an HTTP proxy.

You might want to use GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy for this.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.