mTLS client_auth WAN matcher

brian6932 · August 9, 2025, 2:08am

1. The problem I’m having:

I want to make a matcher for mTLS client_auth on WAN IPs only. Somewhat related to Using Caddy on LAN, while still having Cloudflare acme_dns for WAN. I’d like to use Cloudflare’s AOP feature, while still having accessibility on LAN, without adding/making any additional self-signed certs. Basically, I want to do something like:

@wan not remote_ip private_ranges
tls @wan {
	client_auth {
		mode require_and_verify
		trust_pool file {
			pem_file /path/to/file.pem
		}
	}
}

2. Error messages and/or full log output:

SSL_write() error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred

3. Caddy version:

v2.10.0

4. How I installed and ran Caddy:

Built with xcaddy.

a. System environment:

Linux.

b. Command:

caddy run --config /etc/caddy/Caddyfile

Mohammed90 · August 9, 2025, 8:18pm

You can do it in the JSON format of the config, but it’s not something that’s exposed in the Caddyfile. See match and client_authentication parts in the structure.

Start by running caddy adapt -p against a Caddyfile like this:

example.com {
	tls {
		client_auth {
			mode require_and_verify
			trust_pool file {
				pem_file /path/to/file.pem
			}
		}
	}
}

then edit the output JSON.

brian6932 · August 10, 2025, 4:42pm

It works!

Is this intentionally not exposed in Caddyfile, or just something lacking feature parity? The Caddyfile matchers feel a bit underpowered/underutilized at the moment, but I do like the function syntax, converting the Caddyfile function imports into the JSON format results in a lot of duplication.