".local" https in local network with caddy (Openedx Tutor)

1. Output of caddy version:

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

docker-compse up 

a. System environment:


b. Command:

Paste command here.

c. Service/unit/compose file:

version: "3.7"
  # Web proxy for load balancing and SSL termination
    image: docker.io/caddy:2.4.6
    restart: unless-stopped
      - "80:80"
      - "443:443"
      default_site_port: ""
      - ../apps/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ../../data/caddy:/data

d. My complete Caddy config:

# Global configuration

# proxy directive snippet (with logging) to be used as follows:
#     import proxy "containername:port"
(proxy) {
    log {
        output stdout
        format filter {
            wrap json
            fields {
                common_log delete
                request>headers delete
                resp_headers delete
                tls delete

    reverse_proxy {args.0} {
        header_up X-Forwarded-Port 443

lms.my_AD_ntwk.local{$default_site_port}, preview.lms.my_AD_ntwk.local{$default_site_port} {
    @favicon_matcher {
        path_regexp ^/favicon.ico$
    rewrite @favicon_matcher /theming/asset/images/favicon.ico

    # Limit profile image upload size
    request_body /api/profile_images/*/*/upload {
        max_size 1MB
    request_body {
        max_size 4MB

    import proxy "lms:8000"


studio.lms.my_AD_ntwk.local{$default_site_port} {
    @favicon_matcher {
        path_regexp ^/favicon.ico$
    rewrite @favicon_matcher /theming/asset/images/favicon.ico

    request_body {
        max_size 250MB

    import proxy "cms:8000"


mobile.lms.my_AD_ntwk.local{$default_site_port} {
    import proxy "android-app:8000"
# Notes
notes.lms.my_AD_ntwk.local{$default_site_port} {
    import proxy "notes:8000"

3. The problem I’m having:

I am trying to setup LMS platform (openedx via tutor) on our local DNS server(.local) and this works like a charm. But now I want to enable HTTPS, So that I can make the LMS portal be accessed securely across my local AD network. I need help in setting up procedure to generate certificate & configure caddy manually so that my https works.
These are the certificate certificates I have got from the network team:

that I can reach my local websites/servers (some are running on the docker host and some not) just by typing the url e.g. http://senec.local or http://heimdall.local

4. Error messages and/or full log output:

5. What I already tried:

I am little confused/stuck in the approach on signing certificate process for caddy, any help is much appreciated.

6. Links to relevant resources:


Please upgrade to v2.6.1! You’re on a pretty old version now.

You won’t need this anymore, common_log is no longer in the access logs.

You can shorten this by using the single-line named matcher syntax:

@favicon_matcher path_regexp ^/favicon.ico$

I’m a bit confused about this question. Are you saying that you have an existing CA from which you want to issue certs for Caddy to use? Or are you trying to figure out how to use Caddy’s own internal CA to issue certs?

Keep in mind that the server always needs the certificate and the private key associated with it to secure TLS connections. Both are two halves of a whole. The cert contains the public key portion which you tell the client to use to encrypt traffic it sends to your server, and the server uses the private key to decrypt that traffic sent to it.

Just as a point of warning, .local is often not ideal to use, especially if you ever have any Apple devices in the network, because they use .local for their Bonjour multicast DNS, and that can screw things up. See .local - Wikipedia

A better domain to use is typically .home.arpa. See What domain name to use for your home network | Ctrl blog

1 Like

Hello Francis,

Are you saying that you have an existing CA from which you want to issue certs for Caddy to use : Yes, exactly our network team has a local CA for our network, I need caddy to use that certificate for all TLS communication, so that we can access this site across our local network with HTTPS.

I saw couple of forums about this advice, for now I guess we have to live with this as this is our organisation policy which I cannot override. However, I will put a note to our network team about this.


If you have a leaf certificate to use (with the private key) then you can use the tls directive to tell Caddy to use it:

tls cert.pem key.pem
1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.