Proxy to another Caddy Server

1. My Caddy version (caddy -version):


2. How I run Caddy:

For now, I run a simple Caddyfile reverse proxying to the local IP address of the service I reach.

a. System environment:

OS, relevant versions, systemd? docker? etc.
Debian 9 and 10 64-bit, systemd service to start Caddy

b. Command:


3. The problem I’m having:

Not necessarily a problem, more of a “how to.” My current environment basically exposes my public IP. What I’d like to do is host a cheap cloud VM to simply be my public-facing proxy. So if I go to, traffic would first go to my public VM, proxy to my personal public IP and then proxy again to the private IP address. Is this possible? I’d like to avoid connecting the machines via VPN for traffic quota reasons.

Traffic flow with no VPN:

Client -> Internet -> VPS -> Internet -> Home -> Server

With a VPN:

Client -> Internet -> VPS -> Internet (via VPN) -> Home -> Server

Downside to VPN: None, especially re: total traffic (for quotas etc). It’s really the same either way.

Upside to VPN: You don’t have to open a port at all on your home public IP, if you’re worried about that.

Since you’re using your VPS as effectively an inbound gateway for the proxied traffic, one ideal solution is to have your origin server act as a VPN client and connect to your VPS, and then have your VPS proxy incoming traffic to the VPN client. A reverse proxy through a reverse tunnel. Your origin server can then be anywhere in the world with internet, you don’t even need a static IP.

The alternative is to have a publicly accessible web server on both your origin (home public IP) and the VPS. Yes, your DNS won’t show your origin server. No, it won’t increase your security significantly. Cloudflare’s free “Orange Cloud” reverse proxy is a better option for this than a VPS, if you don’t want to use a VPN to keep your own origin server truly inaccessible from the public.

The only issue with this is when my home server (acting as the client) needs to download anything (say, streaming files from Google Drive), it has to go through the VPS VPN Server. The VPS traffic quota is what I’m worried about.

Would it be possible to set up an interface on the home server that connects to the VPS VPN but is only used for inbound traffic/routing?

Yes, this is extremely common.

If it weren’t for the sheer amount of advertising by “privacy” VPN companies nowadays, I’d have wagered that split-tunnel VPNs were more common than full tunnel; they’re used for all sorts of things, especially in business, and for use cases like your own.

You can have your server at home act as a VPN client that never actually sends any outbound traffic through the VPN at all, only receives and responds.

@Whitestrake Can you point me in the right direction? Lots of the tutorials online are centered on bittorrent clients using split tunneling, which is not exactly what I want to do.

With OpenVPN, this is the default; only traffic intended for the VPN server is routed through the VPN. Usually you configure it by pushing additional routes - such as routes to a LAN in which the VPN server sits.

To have the client’s entire internet traffic go through the VPN, the client needs to use the VPN as their gateway, which is a non-default configuration for OpenVPN.

In short: 100% default OpenVPN server and client should work for you.

You’d want to consider generating a client-specific configuration to ensure that the client always gets the same IP address on the VPN subnet - that will ensure that you can use Caddy to reverse proxy to that static IP address. That said, if you’re setting this up purely for your VPS and origin, and you’ll have no other clients, you can predict that the IP address will always be the same.

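A way to check the split-tunnel behaviour discussed in this thread, as an added example that is not part of the original posts: it classifies a Linux routing table as split or full tunnel, so you can confirm that the home server's outbound traffic is not going through the VPS. The interface name `tun0`, the function names and both sample routing tables are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify `ip -4 route show` output as split- or full-tunnel.
# Interface name tun0 and all addresses below are constructed assumptions.

# vpn_route_mode <vpn-interface>   (routing table on stdin)
# Prints "full" if internet-bound traffic would leave through the VPN
# interface (and so count against the VPS quota), otherwise "split".
vpn_route_mode() {
    awk -v dev="$1" '
        {
            # Find the interface named after the "dev" keyword on this route.
            routedev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") routedev = $(i + 1)
        }
        # A default route via the VPN interface sends everything into the tunnel.
        $1 == "default" && routedev == dev { full = 1 }
        # redirect-gateway def1 keeps the old default route and overrides it
        # with two more-specific /1 routes through the tunnel.
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && routedev == dev { full = 1 }
        END { print (full ? "full" : "split") }
    '
}

# Constructed sample: default OpenVPN client, only the VPN subnet uses tun0.
sample_split() {
cat <<'EOF'
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
EOF
}

# Constructed sample: same client after redirect-gateway def1 was applied.
sample_full() {
cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.7 via 192.168.1.1 dev eth0
EOF
}

echo "default client:   $(sample_split | vpn_route_mode tun0)"
echo "redirect-gateway: $(sample_full | vpn_route_mode tun0)"
```

On the home server itself, feed it the live table with `ip -4 route show | vpn_route_mode tun0`; a result of `full` means the client or a server-pushed option has made the VPN the gateway.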