TL;DR: I am trying to setup SSH over HTTPS and don’t know how to do so with Caddy. This can be done with Apache, but I have a caddy setup. VPNs are not an option. Can someone point me in the right direction?
If you want to have the first proxy connect to another http proxy (like one you can control, specify -r proxy2:port. The first proxy will then connect to this remote proxy, which will be asked to connect to the requested destination. Note that authentication doesn’t (yet) work on this remote proxy. For more information regarding this feature, check out http://dag.wieers.com/howto/ssh-http-tunneling/
If your proxy is more advanced, and does protocol inspection it will detect that your connection is not a real HTTPS/SSL connection. You can enable SSL encryption (using -e), which will work around this problem, however, you need to setup stunnel4 on the other side, or connect to a process that understands SSL itself.
The core of the question: How can Caddy be instructed to forward an SSH connection and apply its own SSL encryption?
In that case Caddy does not apply its own encryption and I would need to implement it myself using Caddy’s certificates, which is a headache and a half. Do I understand that correctly? At this point it might make sense to go the Apache route and reverse-proxy Apache maybe?
No, it does. Caddy would automate TLS cert issuance and terminate TLS which means it would encrypt from between the client and Caddy, and then send the TLS-decrypted TCP bytes to whatever upstream server you want.
But the client would need to know how to wrap its traffic with a TLS layer, and I don’t know if that’s the case for what you’re trying to do.
Probably. You can use xcaddy to build Caddy with the plugin. Maybe something like xcaddy build --with github.com/caddyserver/forwardproxy@caddy2
First of all, thanks for the mail you sent to the nixpkgs Caddy maintainers a few hours ago.
There is however a misunderstanding how versioning (usually) works in nixpkgs.
You are on the 23.05 stable channel.
Stable channels, unlike the unstable channel, do not receive breaking updates in their lifecycle (with the exception of extremely security critical things like browsers). 23.05 will be EOL in around two months time, with 23.11 getting released end of next month.
Because the bump from 2.6.4 → 2.7.x had breaking changes, we (the nixpkgs maintainers) decided against backporting it from unstable to 23.05 (stable).
There are, as mentioned above, exceptions to this. 2.7.5 contained a fix for the HTTP/2 rapid reset issue.
Given it’s only low to medium severity in combination to it being unlikely to be exploited on most instances and the ease of simply using the Caddy package provided from the nixpkgs unstable channel, I decided against backporting it.
2.6.4 is the latest version in the stable (non-breaking) 23.05 channel. 2.7.5 is the latest version in the unstable (breaking) unstable channel.