How to implement mutual-TLS?

1. Caddy version (caddy version):

I am using the latest version, Caddy 2.x, freshly downloaded from GitHub.

2. How I run Caddy:

caddy run

a. System environment:

MacOS 10.14.6

b. Command:

caddy run

d. My complete Caddyfile or JSON config:

# Caddyfile
localhost {
	reverse_proxy localhost:9000
}

3. The problem I’m having:

How do I implement and enforce mutual-TLS?

Caddy already enforces HTTPS for server authentication. That half is working fine. But how do I enforce mutual-TLS for client authentication?

In my configuration, Caddy is acting as a reverse-proxy, for my custom back-end REST-API server written in Go.

Do I need to implement the client authentication in my own server? If yes, then I would appreciate pointers to example code.

Can Caddy do the client authentication for me? If this is possible, I would appreciate pointers to example code and/or configuration examples.

4. Error messages and/or full log output:

This isn’t working yet, so there are no error messages.

5. What I already tried:

I was not able to find any online examples or documentation that show how to make mutual-TLS work with Caddy.

6. Links to relevant resources:

The reverse_proxy directive’s HTTP transport options have the TLS options you need:

In addition to that though, Caddy can act as an ACME CA for mTLS if your backends support ACME:

If you mean client auth for incoming connections rather than when Caddy acts as a client to a proxy, then the tls directive has configuration for client auth:

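A concrete Caddyfile for the incoming-connection case the reply above points at, as an added example (not from the original thread or from the Caddy project's documentation). It keeps the original post's localhost site and localhost:9000 backend; the CA path /etc/caddy/client-ca.crt and the X-Client-* header names are assumptions for illustration.

```caddyfile
# Added example: enforce client-certificate (mutual) TLS for incoming
# connections in Caddy 2, then forward to the Go backend from the original post.
# Assumed path: /etc/caddy/client-ca.crt holds the PEM CA that issued the client certs.
localhost {
	tls {
		client_auth {
			# Abort the TLS handshake unless the client presents a certificate
			# that chains to a trusted CA. The weaker modes (request, require,
			# verify_if_given) either do not demand a cert or do not validate it;
			# only require_and_verify does both.
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/client-ca.crt
		}
	}

	reverse_proxy localhost:9000 {
		# Hand the verified client identity to the backend so it can authorize
		# per client without re-validating the certificate itself.
		# Assumed header names; Caddy's placeholders are the real ones.
		header_up X-Client-Subject {http.request.tls.client.subject}
		header_up X-Client-Serial {http.request.tls.client.serial}
	}
}
```

To check it, run `curl --cacert <caddy-ca.crt> --cert client.crt --key client.key https://localhost/` with a certificate issued by the trusted CA; the same request without `--cert` must fail during the TLS handshake rather than reach the backend. Two caveats: the backend should listen only on 127.0.0.1 (or otherwise be reachable solely through Caddy), because anything that can talk to port 9000 directly bypasses the client-certificate check and can set those headers itself; and the identity headers above are advisory for authorization, while the authentication decision already happened in Caddy's handshake.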

I was asking about the remote clients and incoming connections, rather than the connection between Caddy and the back-end server (though it’s nice to know you can use mTLS for that too).

It looks like I need to use tls and client_auth require_and_verify.

Thanks!

