Can caddy forward SSH traffic over port 443?

I’d like to be able to SSH into my server from time-to-time from work but the only port open is 443. Can I set up caddy server to route traffic from SSH (22) to 443 using net?

I saw the caddy-net and think that might work but I’m unsure on how to set it up.

Hi @dinki,

Caddy’s HTTP(S) server can’t do this - different protocol. Caddy’s net server type can proxy raw TCP traffic, though - so you could sit Caddy at the edge and forward all port 443 traffic to port 22 on your machine. It’d be equivalent to running your SSH server directly on the edge at port 443.

To set it up, download Caddy from Download Caddy, selecting the net server type from the bottom of the plugins list (under the “Server Types” header).

Use a Caddyfile like the examples given in the plugin’s documentation:

I think a simple proxy :443 [SSH-HOST]:22 is correct. Lastly, don’t forget to add the -type=net flag when you run Caddy.

So all traffic going to 443 for that subdomain will go to 22 or does that mean all traffic on the machine going to 443 will go to 22? The later won’t do me much good.

Perhaps I misunderstood - you said the only open port is port 443, and you want to make SSH available on this port?

proxy :443 [SSH-HOST]:22 should receive traffic on the open port (443) and forward it to port 22 on [SSH-HOST].

That means that externally you’ll connect over port 443, but the machine on the inside of your network will be using the standard port. If you need it the other way 'round, just swap the ports.

I’m sure I was not clear. Apologies. What I should have said is that I want to have a bunch of subdomains that program forward to different web apps but in addition I would like a subdomain that points to my ssh.

I have ‘shell in a box’ set up but I want able to reverse proxy to it. This is how I’m trying in my Caddyfile: {
        tls {
                dns cloudflare
        proxy /  localhost:4200 {

When I try to connect I get:

502 Bad Gateway

‘Shell in a box’ is baked in to OpenMediaVault so I’m not certain of it’s origin but I think it’s from here Google Code Archive - Long-term storage for Google Code Project Hosting.

To route SSH to one endpoint and HTTP(S) to another, Caddy would have to recognize and expect both protocols on the same port. It’s not designed to handle SSH at all, so Caddy is not going to be the right choice to multiplex SSH and HTTP(S), I’m afraid.

That said, shellinabox is not SSH - it’s a web server (looks like we had a classic case of XY Problem), so you should be able to proxy to it. To find out why Caddy can’t talk to it, try running curl -IL localhost:4200 on your Caddy host and let us know what comes back.

curl -IL localhost:4200
curl: (52) Empty reply from server

When I log in local I get a ‘This site is not secure’ message but it allows me to proceed. Not sure if that’s the problem.

This error might be because shellinabox is serving HTTPS on that port, not HTTP.

Try with curl -kIL https://localhost:4200/. If that works, you’ll need to make a few modifications to the Caddyfile.

 curl -kIL https://localhost:4200/
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 5215

Looks like it worked. Thanks again for helping!

EDIT by it worked I meant that the curl command worked… Not sure how to proceed.

1 Like

Hi @Whitestrake . Just checking in. Did what I post give a clue as to what I should do to get this working? Thanks again…

Change your proxy upstream from localhost:4200 to https://localhost:4200, then reload Caddy.

Since cURL works with HTTPS, but not HTTP, the same must be true of Caddy.

Unfortunately this did not work. I’m getting the ‘502 Bad Gateway’ when I try this. I can get to the page from another machine on my network using https://ipaddress:4200 … It does complain that it’s insecure but I can continue onto Shell in the Box.

Ahh. Add the insecure_skip_verify subdirective to your proxy. Caddy is trying to validate the upstream server’s certificate and can’t - this tells Caddy to ignore that problem.


Absolutely perfect!! Thank you!

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.