Disabling strict SNI-Host checking when using TLS client auth

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

a. System environment:

Official docker container

b. Command:

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

    {
        auto_https off
        default_sni localhost
    }

    :8000 {
        tls server.crt server.key {
            client_auth {
                mode                  request
                trusted_ca_cert_file  ca.crt
            }
        }

        @websockets {
            header Connection *Upgrade*
            header Upgrade    websocket
        }

        # to rtpengine
        reverse_proxy @websockets

        reverse_proxy /api/*
    }

3. The problem I’m having:

I want to use Caddy for mutual TLS auth for components which do not have DNS names (on an internal network). This is apparently causing issues with strict SNI host checking when clients access Caddy via https URLs that only have IP addresses. The result is a 403 response when using an IP address. I need to disable this strict SNI checking and I know the dangers involved.

4. Error messages and/or full log output:

No errors but this tipped me off:
{"level":"info","ts":1619472260.329402,"logger":"http","msg":"enabling strict SNI-Host matching because TLS client auth is configured","server_name":"srv0"}

5. What I already tried:

Tried setting default_sni to localhost, IP addresses etc.
Read the code and found this: line of code which implies that if I manage to set strict_sni_host to false, it would not be flipped on by client auth. But the Caddyfile does not allow setting it to true or false explicitly. Do I need to rewrite my config in JSON or YAML for this?

6. Links to relevant resources:

After hitting my head against a wall for a day, I gave up on Caddy for this and went with ghostunnel to front the websocket server… if this is resolved later I will surely switch back.
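The JSON form the post asks about, as an added example that is not part of the original post: Caddy v2's server object accepts a `strict_sni_host` boolean, and the check the post refers to only flips it on for client auth when the field is left unset, so an explicit `false` survives. The upstream addresses `RTPENGINE_HOST:PORT` and `API_HOST:PORT` are placeholders, since the post does not give them; everything else mirrors the Caddyfile above.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":8000"],
          "strict_sni_host": false,
          "automatic_https": {"disable": true},
          "tls_connection_policies": [
            {
              "default_sni": "localhost",
              "client_authentication": {
                "mode": "request",
                "trusted_ca_certs_pem_files": ["ca.crt"]
              }
            }
          ],
          "routes": [
            {
              "match": [
                {"header": {"Connection": ["*Upgrade*"], "Upgrade": ["websocket"]}}
              ],
              "handle": [
                {"handler": "reverse_proxy",
                 "upstreams": [{"dial": "RTPENGINE_HOST:PORT"}]}
              ]
            },
            {
              "match": [{"path": ["/api/*"]}],
              "handle": [
                {"handler": "reverse_proxy",
                 "upstreams": [{"dial": "API_HOST:PORT"}]}
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {"certificate": "server.crt", "key": "server.key"}
        ]
      }
    }
  }
}
```

With the check disabled, Caddy no longer requires the HTTP Host header to match the SNI name the client authenticated under; the mismatch that guard exists to catch, a request routed to a different site than the one whose connection policy was negotiated, only arises when several sites share the listener, which is not the case in this single-site config.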
