Ocserv, Shadowsocks and a website behind Caddy

In a nutshell, I’m trying to use SNI on a single public IP address to provide access to a VPN, a Shadowsocks proxy and a website all on port 443. I’ve been working on this for over three weeks but I haven’t been successful. I was trying to do this with Nginx Proxy Manager but no one has responded to any of my queries so I’m hoping that I can get this working with Caddy.

I want to mix streams and HTTP (layer 4 and 7) together all on ingress port 443. I’ve been told that Caddy can do this with SNI. Is this true or do I need to look at something else like HAProxy?

I have a VPS that has a single public IP address (45.45.45.45) and the following domains:

I will use DNS challenge for Let’s Encrypt certs for both domains.

The server has the following backend services:

  • OpenConnect VPN (Ocserv)
  • Shadowsocks with v2ray which uses location /shadow
  • Apache web server on port 4443

I think traffic needs to default to OpenConnect in case SNI is missing in the traffic.

I also have custom error pages for 404 and 403.

Is all this possible with Caddy? If so, can someone please provide an example config using the info that I’ve provided?

Thank you!

SNI is an extension of TLS. Are all the protocols you want to use wrapped by TLS? And do all the clients support TLS+SNI? If so, then yes, GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy can help you do this.

If any of the protocols are not TLS-wrapped, then SNI isn’t a thing. But those protocols may have their own mechanism of carrying a name, so that could be used, as long as there exist matchers/handlers in caddy-l4 to support that use case.
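An added example config, not from this thread, sketching the caddy-l4 layout the reply points at for the services in the question: the layer4 app on :443 routes by SNI, with a final matcher-less route as the fallback to ocserv for connections that carry no SNI, and a Caddy HTTP app on a loopback port splits /shadow (the v2ray-plugin websocket) from the rest, which is proxied to Apache on 4443. The host names, the loopback ports, and the omitted tls app settings for the DNS challenge are assumptions.

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "ingress": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{"tls": {"sni": ["vpn.example.com"]}}],
              "handle": [{"handler": "proxy", "upstreams": [{"dial": ["127.0.0.1:8443"]}]}]
            },
            {
              "match": [{"tls": {"sni": ["www.example.com"]}}],
              "handle": [{"handler": "proxy", "upstreams": [{"dial": ["127.0.0.1:8444"]}]}]
            },
            {
              "handle": [{"handler": "proxy", "upstreams": [{"dial": ["127.0.0.1:8443"]}]}]
            }
          ]
        }
      }
    },
    "http": {
      "servers": {
        "web": {
          "listen": ["127.0.0.1:8444"],
          "routes": [
            {
              "match": [{"host": ["www.example.com"], "path": ["/shadow"]}],
              "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "127.0.0.1:8388"}]}]
            },
            {
              "match": [{"host": ["www.example.com"]}],
              "handle": [{"handler": "reverse_proxy",
                          "transport": {"protocol": "http", "tls": {}},
                          "upstreams": [{"dial": "127.0.0.1:4443"}]}]
            }
          ]
        }
      }
    }
  }
}
```

Ocserv keeps its own TLS on 127.0.0.1:8443 (passthrough), while the website's certificate is managed by Caddy's HTTP app for www.example.com; routes are tried in order, so the matcher-less last route also receives any non-TLS connection on 443, and ocserv's DTLS on UDP 443 is a separate listener that this TCP server does not multiplex.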