Layer 4 proxy conflicts with automatic HTTPS - how to disable ACME per domain?

1. The problem I’m having:

Hi Caddy community,

I’m trying to set up OpenCloud behind Caddy as a Layer 4 reverse proxy but running into ACME certificate conflicts that break my other services.

I want to deploy OpenCloud with minimal configuration changes to the upstream project. OpenCloud comes with its own docker-compose setup that includes Traefik for SSL termination and routing to various services (Collabora Office, etc.).

My goal: Use Caddy as a frontend Layer 4 proxy to route OpenCloud traffic to the existing Traefik setup, while keeping my other services working with Caddy’s automatic HTTPS.
OpenCloud’s Traefik should manage its own certificates for *.cloud.mydomain.com.

2. Error messages

When I use auto_https off globally to prevent Caddy from interfering with OpenCloud’s Traefik ACME challenges, OpenCloud works fine. But my other Layer 7 sites lose automatic HTTPS and become unreachable.

Without auto_https off, Caddy interferes with OpenCloud’s Traefik HTTP challenge, which causes the issuance of the certificate to fail. In the caddy log I can see errors like this:

Caddy caddy[29251]: {"level":"warn","ts":1752857349.8624544,"logger":"http","msg":"looking up info for HTTP challenge","host":"cloud.mydomain.com","remote_addr":"66.133.109.36:54055","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: cloud.mydomain.com"}

For testing purposes, I changed the Traefik settings to alpn challenge. But Caddy is also interfering with this method when auto_https is not off:

Jul 18 21:16:49 Caddy caddy[13829]: {"level":"error","ts":1752837409.6746051,"logger":"tls","msg":"tls-alpn challenge","remote_addr":"66.133.109.36:41831","server_name":"cloud.mydomain.com","error":"no information found to solve challenge for identifier: cloud.mydomain.com"}

3. Caddy version:

Caddy v2.10.1-0.20250623192645-3b4d966fba06
caddy-l4@4d3c80e89c5f80438a3e048a410d5543ff5fb9f4

4. How I installed and ran Caddy:

a. System environment:

Fedora 42, Caddy runs as systemd service.

Caddy build with xcaddy:

xcaddy build 3b4d966fba069e9895980dbbf05f84bf818968ba \
    --with github.com/mholt/caddy-dynamicdns \
    --with github.com/caddy-dns/netcup \
    --with=github.com/mholt/caddy-l4@4d3c80e89c5f80438a3e048a410d5543ff5fb9f4

d. My Caddy config:

{
        email xyz@example.com
        dynamic_dns {
                # ip_source upnp
                ip_source simple_http https://icanhazip.com
                ip_source simple_http https://api64.ipify.org
                ip_source simple_http https://ident.me
                ip_source simple_http https://ifconfig.me
                check_interval 5m
                versions ipv4
                ttl 10m
                provider netcup {
                        customer_number 1234567890
                        api_key xyz
                        api_password xyz
                }
                domains {
                        mydomain.com cloud
                        mydomain.com *.cloud
                        mydomain.com service1
                        mydomain.com service2
                }
        }

        layer4 {
                # Layer 4 listener for encrypted traffic on port 443
                :443 {
                        @opencloud tls sni open.cloud.mydomain.com wopiserver.cloud.mydomain.com collabora.cloud.mydomain.com traefik.cloud.mydomain.com
                        route @opencloud {
                                proxy 192.168.100.18:443
                        }
                }

                # Layer 4 listener for unencrypted traffic on port 80
                :80 {
                        @opencloud http host open.cloud.mydomain.com wopiserver.cloud.mydomain.com collabora.cloud.mydomain.com traefik.cloud.mydomain.com
                        route @opencloud {
                                proxy 192.168.100.18:80
                        }
                }
        }
}

# Service 1
service1.mydomain.com {
       encode zstd gzip
       reverse_proxy 192.168.100.20:9000
}

#Service 2
service2.mydomain.com {
        reverse_proxy 192.168.100.20:7180
}
#...

Sorry for altering my domain names. I am sure that it is not due to the specific domains.

5. Links to relevant resources:

Automatic_https skip: JSON Config Structure - Caddy Documentation
This is maybe the function I need. But I was not successful by fiddling with my JSON config. I would prefer to keep everything in my Caddyfile.

I wonder if I have overlooked something or if I have a fundamental error in my thinking.
Many thanks in advance, any help is appreciated!
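An added diagnostic script (not from the post or from Caddy) that cross-checks the two challenge log entries quoted above against the host list of the layer4 @opencloud matcher from the posted Caddyfile; the sample log text and host set are copied from the post, and the function names are my own.

```python
"""Find ACME challenge lookups that reached Caddy's own tls/http servers
for a host the layer4 SNI/host matcher does not route.
Added example, not code from the original post."""
import json

# Hostnames the layer4 @opencloud matcher routes (from the posted Caddyfile).
L4_MATCHED_HOSTS = {
    "open.cloud.mydomain.com",
    "wopiserver.cloud.mydomain.com",
    "collabora.cloud.mydomain.com",
    "traefik.cloud.mydomain.com",
}

# The two log lines quoted in the post, with their journald prefixes kept.
SAMPLE_LOG = """\
Jul 18 21:16:49 Caddy caddy[13829]: {"level":"error","ts":1752837409.6746051,"logger":"tls","msg":"tls-alpn challenge","remote_addr":"66.133.109.36:41831","server_name":"cloud.mydomain.com","error":"no information found to solve challenge for identifier: cloud.mydomain.com"}
Caddy caddy[29251]: {"level":"warn","ts":1752857349.8624544,"logger":"http","msg":"looking up info for HTTP challenge","host":"cloud.mydomain.com","remote_addr":"66.133.109.36:54055","user_agent":"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)","error":"no information found to solve challenge for identifier: cloud.mydomain.com"}
"""


def parse_caddy_line(line):
    """Return the JSON object embedded in a syslog/journald-prefixed Caddy line, or None."""
    start = line.find("{")
    if start < 0:
        return None
    return json.loads(line[start:])


def unmatched_challenges(log_text, matched_hosts):
    """Return (logger, host) pairs for challenge lookups whose host is not
    covered by the layer4 matcher, i.e. connections Caddy handled itself."""
    found = []
    for line in log_text.splitlines():
        entry = parse_caddy_line(line)
        if not entry or "challenge" not in entry.get("msg", ""):
            continue
        # The tls logger reports the SNI as server_name, the http logger as host.
        host = entry.get("server_name") or entry.get("host")
        if host and host not in matched_hosts:
            found.append((entry["logger"], host))
    return found


if __name__ == "__main__":
    for logger, host in unmatched_challenges(SAMPLE_LOG, L4_MATCHED_HOSTS):
        print(f"{logger}: challenge for {host!r} hit Caddy, not the layer4 route")
```

Both quoted entries name cloud.mydomain.com, which is not one of the four SNI/host values the @opencloud matcher routes to Traefik.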
