mTLS under FreeBSD

So [head scratching], what do I replace ‘# Watch this space!’ with?

From @Rob789’s inspirational wiki article Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts, a quote from the section Local (Split) DNS

I created domain names for the hosts because pointing directly to the IP addresses didn’t work with the ACME server. I was not able to get certificates for the backends.

So, to set the scene, my local DNS resolver (DNSMasq if anyone is interested) resolves:

  1. caddy.lan → 10.1.1.4
  2. test.lan → 10.1.1.50

…and this extract from the section Local HTTPS

Secondly, you need to define or update the FQDN where Caddy listens and reverse proxies accordingly with TLS.

nextcloud.my.domain.com {
         reverse_proxy https://office.roadrunner {
              header_up Host {http.reverse_proxy.upstream.hostport}
              header_up X-Forwarded-Host {host}
         }
}

If I wasn’t using the map directive, the equivalent Caddy block for me would be:

test.udance.com.au {
         reverse_proxy https://test.lan {
              header_up Host {http.reverse_proxy.upstream.hostport}
              header_up X-Forwarded-Host {host}
         }
}

Using the map directive, here’s my first attempt on paper:

# Secure backend communication

  route {
    @mtls expression `{mtls} == "yes"`
    handle @mtls {
      reverse_proxy {backend} {
        header_up Host {http.reverse_proxy.upstream.hostport}
        header_up X-Forwarded-Host {host}
      }
    }
  }

I’m not sure that the translation is correct. For a start, {backend} refers to an IP address and port number rather than a local domain name as suggested in the wiki article. Thoughts?

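As an added example (not from the post or the wiki article), here is one way the whole site block could be written: the map directive that defines {backend} and {mtls}, the route from the post, and a transport block that verifies the backend certificate against a local CA and presents a client certificate for mTLS. The map row, port 443 and the /etc/ssl/caddy/ paths are assumptions.

```caddyfile
# Added example, not the poster's configuration. Assumes the local resolver
# maps test.lan to 10.1.1.50 (as in the post), that the backend listens on
# 443, and that the files under /etc/ssl/caddy/ are placeholder paths.
test.udance.com.au {
	# Derive the upstream and an mTLS flag from the requested host.
	# Columns: input, {backend}, {mtls}. Add one row per proxied host.
	map {host} {backend} {mtls} {
		test.udance.com.au  10.1.1.50:443  yes
		default             ""             no
	}

	route {
		@mtls expression `{mtls} == "yes"`
		handle @mtls {
			reverse_proxy {backend} {
				header_up Host {http.reverse_proxy.upstream.hostport}
				header_up X-Forwarded-Host {host}
				transport http {
					tls
					# Dialling an IP:port still verifies the certificate against
					# the name it was issued for when the SNI name is pinned.
					tls_server_name test.lan
					# Trust only the local CA that issued the backend certs,
					# not the system trust store.
					tls_trusted_ca_certs /etc/ssl/caddy/local-ca.pem
					# Client certificate and key Caddy presents to the backend.
					tls_client_auth /etc/ssl/caddy/proxy-client.crt /etc/ssl/caddy/proxy-client.key
				}
			}
		}
		# Hosts without an mTLS row are refused rather than proxied in clear.
		respond "no backend configured" 502
	}
}
```

The fallback respond line is there so that a host missing from the map cannot fall through to an unencrypted upstream; drop it if the site block already has other handlers.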