How to configure Caddy to disable the certificate on port 443 and only enable SNI checking?

In k8s, using Traefik, I can easily achieve the following functionality: while doing TCP connection reverse proxy, it also checks if the SNI meets the expectations. This situation is suitable for letting the backend of the reverse proxy handle the TLS instead of processing it at Caddy:

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: sb-cc
  namespace: default
spec:
  entryPoints:
    - webs
  routes:
    - match: HostSNI(`server.cloudcone.net`)
      services:
        - name: sb-cc
          port: p-0

However, in Caddy, the Caddyfile alone is not enough to achieve this. As far as I know, one can only disable auto_https and then configure each domain separately, which no doubt increases the complexity of the configuration. Alternatively, one can use JSON for configuration, but the outrageous and extremely complicated JSON format of Caddy makes migrating from the Caddyfile to JSON a great hardship.
Thus, is there any easy and practical method for TCP proxy and SNI checking?

You’re looking for a TCP-layer proxy. Caddy’s standard distribution is only an HTTP server, so it can only terminate TLS and not do pass-through.

For that, you can use GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy which is a plugin that adds a TCP server/proxy to Caddy. But it only has JSON config support at this time (no Caddyfile support yet).

We plan to add Caddyfile support and move it to be built-in to Caddy at some point in the future, but it’s a time consuming task and lower on our priority list at the moment. Hopefully at the end of 2024 or next year.

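As an added example (not from the original thread), here is a caddy-l4 JSON config equivalent to the IngressRouteTCP in the question: the `layer4` app listens on :443, matches the ClientHello SNI against server.cloudcone.net and forwards the raw TCP stream to the backend, which terminates TLS itself. The hostname is the one from the question; the upstream address 10.0.0.5:8443 is an assumed placeholder.

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "sni_passthrough": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                { "tls": { "sni": ["server.cloudcone.net"] } }
              ],
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [
                    { "dial": ["10.0.0.5:8443"] }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Because no `http` app is defined and no `tls` handler appears in the route, Caddy never terminates TLS or provisions certificates here, and connections whose SNI matches no route are closed. The SNI is a cleartext, client-chosen field, so treat the match as routing, not as access control; the backend still has to authenticate clients itself.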
