Secure proxy with your own certificate authority

Given the following architecture: a main Caddy proxy server using Let's Encrypt, which forwards the connections to a few servers, each one also running a Caddy proxy with a Node process behind it.

I would like to provide each of the children proxies with a certificate signed with my own private key, and then instruct the main Caddy proxy to accept certificates signed by me, i.e. install a root certificate. Is this possible? Are there better ways to address the problem?

So you want HTTPS connections between the Caddy in front (the reverse proxy) and the Caddy instances behind the reverse proxy, using your own self-signed certificates? That’s fine.

This is normally what you would do, yes. Have your system accept certificates signed by your private key.


Your main task with this method becomes distribution of your CA certificates, which might not be difficult at all if your Caddies are all running in the same space?

Being a Docker enthusiast I would usually simply have the front-facing Caddy instance communicate with back-end Caddies via an internet-inaccessible network, and have them talk over HTTP to reduce complexity. Then again, you could dispense with the middleman and have the front-facing Caddy talk directly with Node containers, but again I’m speaking in Docker-specific terms.


@matt could you give a hint on what directives I should use to instruct the front-facing proxy to establish encrypted connections with the backend Caddies, accepting their certificates signed by my private key?

You should have your system trust the certificate, that is the best way (by installing the public key into the system keychain). Short of that, I don’t recommend this, but you could use insecure_skip_verify in the proxy directive to have Caddy overlook certificate errors. But this essentially renders the trust of the connection worthless.


I am sorry, but it is not clear to me. I could make it work using insecure_skip_verify but of course it is an undesirable compromise.

When you say that I should have my system trust the certificate, what do you mean? I tried adding the certificate in various system directories, like /usr/share/ca-certificates/, but without success.

Where does Caddy look for certificate authorities it should trust?

You have to use your system to install the certificate. On Mac you use Keychain. I’m sorry but I don’t know for other platforms; you’ll have to Google it.

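As an added example (not code from the thread or from the Caddy project), this script mints a private CA, issues a backend certificate signed by it, and runs the same chain-and-hostname check that a proxy trusting your CA performs, which is exactly the check `insecure_skip_verify` discards. The host name `backend1.internal`, the file names and the Debian-family trust-store paths in the comments are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: mint a private CA, issue a backend
# certificate signed by it, and check that the leaf verifies against that
# CA and that host name only. Host and file names are constructed.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca NAME: self-signed root (CA:TRUE), i.e. the "own private key".
make_ca() {
  cat > "$WORKDIR/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $1 private root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORKDIR/$1.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# issue_leaf CA HOST: server cert for one backend Caddy, with a SAN
# (Go clients such as Caddy match the SAN, not the CN).
issue_leaf() {
  openssl req -new -config "$WORKDIR/$1.cnf" -subj "/CN=$2" -newkey rsa:2048 \
    -nodes -sha256 -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$2" > "$WORKDIR/$2.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/$2.csr" -CAcreateserial \
    -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -extfile "$WORKDIR/$2.ext" \
    -out "$WORKDIR/$2.crt" 2>/dev/null
}

# verify_leaf CAFILE CERTFILE HOST: the chain + host-name check a proxy does
# when it trusts your CA, and the one insecure_skip_verify throws away.
verify_leaf() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# On Debian/Ubuntu, system trust means: copy ca.crt to
# /usr/local/share/ca-certificates/ and run update-ca-certificates (root).
# Go programs such as Caddy then read /etc/ssl/certs/ca-certificates.crt.
make_ca ca && issue_leaf ca backend1.internal
verify_leaf "$WORKDIR/ca.crt" "$WORKDIR/backend1.internal.crt" backend1.internal \
  && echo "backend1.internal chains to $WORKDIR/ca.crt"
```

Pointing the proxy at a certificate signed by a CA the system does not trust fails the first check; a certificate whose SAN does not match the backend host name fails the second, and neither failure is visible once verification is skipped.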
