Yes, that’s true.
I don’t see where you configured the DNS challenge in your config, and you haven’t installed a plugin that would allow you to use the DNS challenge.
I’m not sure what you mean by this.
Yeah, the caddy-l4 plugin can do this:
HTTP 1.1 isn’t actually slow in server to server scenarios like proxying. Connections are kept open and reused, so the overhead is not very high.
Are you running untrusted code on that machine? Cause if so, it’s already game-over.
Once the first Caddy instance handles the request, the connection is all within the Docker network, so the only way something could intercept it is if it’s running as root on the host machine (or as a user with access to the Docker network), pretty sure.