Hey all,

I built **Hostyt Proxy Gateway**, an open-source control panel for managing a fleet of Caddy reverse-proxy nodes.

The main Caddy-specific problem I wanted to solve was remote fleet management without exposing the Admin API. The manager talks to every Caddy node over a WireGuard mesh, so `:2019` stays bound to the private tunnel instead of the public internet.

A few Caddy-related pieces:

- On-Demand TLS with an `/internal/ask` allowlist gate before certificates are issued
- Caddy config is generated in JSON mode from the database as the source of truth
- One-command node join flow that provisions WireGuard + Docker + Caddy on a new VPS
- Optional custom `xcaddy` builds with modules like rate limiting, Coraza WAF, DNS providers, and layer 4 support
- Multi-tenant client portal where users can map domains to backend ports from an admin-defined range

Stack is Go, chi, MariaDB, Redis, Caddy 2.8, WireGuard, and Docker Compose. The project is MIT licensed.

I’d especially appreciate feedback from Caddy users on the `/internal/ask` flow and the way the manager keeps Caddy JSON config rebuildable from the DB.

Disclosure: I used an AI assistant to help draft this forum post; the project is my own open-source work.
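
An added example, not Hostyt Proxy Gateway's own code, of an ask gate of the kind the post describes: Caddy's On-Demand TLS sends a GET with a `domain` query parameter and proceeds with issuance only on a 200 response. The in-memory `Allowlist` type, the function names, the sample domain and the listen address are assumptions standing in for the project's database-backed lookup.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// Allowlist stands in for the manager's database lookup (assumption).
type Allowlist map[string]bool

// normalize canonicalises a requested name; "" means "never issue".
func normalize(domain string) string {
	d := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(domain)), ".")
	if d == "" || len(d) > 253 || !strings.Contains(d, ".") || net.ParseIP(d) != nil {
		return ""
	}
	for _, r := range d {
		if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-' || r == '.') {
			return ""
		}
	}
	return d
}

// AskStatus maps a requested name to the status Caddy will see.
// Exact match only: no suffix or wildcard matching, so a tenant's
// registered domain does not implicitly authorise its subdomains.
func (a Allowlist) AskStatus(domain string) int {
	if d := normalize(domain); d != "" && a[d] {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// ServeHTTP answers Caddy's GET /internal/ask?domain=<name>.
func (a Allowlist) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(a.AskStatus(r.URL.Query().Get("domain")))
}

func main() {
	allow := Allowlist{"app.example.com": true} // constructed sample entry
	mux := http.NewServeMux()
	mux.Handle("/internal/ask", allow)
	// Loopback address is an assumption; keep the gate off public interfaces.
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", mux))
}
```

The gate fails closed: an empty, malformed, IP-literal or unlisted name gets a 403, so Caddy never requests a certificate for it.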