I run the official (Alpine) Docker image of Caddy as a reverse proxy to serve web servers or other services on a VPS in the cloud.
My objective is to set up Unbound behind Caddy to resolve downstream encrypted DNS queries coming from my LAN or my mobile phone.
The drawing below illustrates the architecture:
I am not too sure about the TLS part but it would be very convenient if Caddy could manage the certificate and the key.
Unbound needs to be supplied with the private key for the TLS session (tls-service-key) and the public certificate (tls-service-pem).
1. Feed Unbound with Caddy’s .key and .crt files (of the related domain) located in the Data directory. The only constraint would be to restart Unbound every time the certificates change, but a cron job should probably do the job.
2. Leverage local HTTPS (Caddy’s own certificate authority) and feed the certificate to Unbound the same as in solution 1.
Any help would be greatly appreciated so that I understand what I should do regarding this TLS topic.
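For the cron-driven part of solution 1, here is a sync script of the kind I would run on the host (an added example, not code from the original post or from the Caddy or Unbound projects). The domain, the layout of Caddy's data volume, Unbound's TLS directory and the container name are assumptions; only the files that changed trigger a restart.

```shell
#!/bin/sh
# Constructed example: copy the certificate Caddy issued for $DOMAIN into
# Unbound's TLS directory and restart Unbound only when the files changed.
# Domain, paths and container name are assumptions: adjust them to your setup.
set -eu

DOMAIN="${DOMAIN:-dns.example.com}"
# Assumed layout of Caddy's data volume; verify the directory on your host.
CADDY_CERT_DIR="${CADDY_CERT_DIR:-/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$DOMAIN}"
UNBOUND_TLS_DIR="${UNBOUND_TLS_DIR:-/srv/unbound/tls}"   # mounted into the Unbound container
STATE_FILE="${STATE_FILE:-/var/lib/unbound-cert-sync/last.sha256}"
RESTART_CMD="${RESTART_CMD:-docker restart unbound}"      # assumed container name

# SHA-256 of a file, with a fallback for hosts that only ship shasum.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Exit 0 when cert or key differ from the last installed pair, 1 otherwise.
# Both files are hashed so a key rotation without a new cert is also caught.
cert_changed() {
    current="$(file_hash "$1")$(file_hash "$2")"
    previous="$(cat "$3" 2>/dev/null || true)"
    [ "$current" != "$previous" ]
}

# Copy the pair to where unbound.conf's tls-service-pem / tls-service-key
# point, record the hashes, then restart Unbound so it loads the new files.
install_cert() {
    cert="$1"; key="$2"; dest="$3"; state="$4"
    mkdir -p "$dest" "$(dirname "$state")"
    cp "$cert" "$dest/$DOMAIN.crt"; chmod 644 "$dest/$DOMAIN.crt"
    cp "$key" "$dest/$DOMAIN.key"; chmod 600 "$dest/$DOMAIN.key"  # chown to Unbound's user if needed
    printf '%s' "$(file_hash "$cert")$(file_hash "$key")" > "$state"
    $RESTART_CMD   # unquoted on purpose: the value is a command line
}

# Cron entry point (e.g. every 15 minutes): cheap no-op until Caddy renews.
sync_cert() {
    cert="$CADDY_CERT_DIR/$DOMAIN.crt"; key="$CADDY_CERT_DIR/$DOMAIN.key"
    if cert_changed "$cert" "$key" "$STATE_FILE"; then
        install_cert "$cert" "$key" "$UNBOUND_TLS_DIR" "$STATE_FILE"
    fi
}

if [ "${1:-}" = "--run" ]; then sync_cert; fi
```

Because the restart happens only when the hashes differ, the cron job can run frequently without bouncing Unbound on every tick.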