Use HTTPS with local IP on LAN, with Caddy->WG->Caddy

1. The problem I’m having:

Hi
I have a frontend Caddy on a VPS and a WireGuard tunnel to my home server, which runs a backend Caddy.
HTTPS is working when accessing my domain both from the internet and inside my LAN, but I want to use the LAN address with HTTPS when I'm inside the LAN (I'm on an LTE subscription with a data cap).
I've also set up the DNS in my LAN so that I can use the external domain name locally.
So I guess there is a way for the backend Caddy to differentiate between the requests from the WireGuard tunnel and those from the LAN. Thing is, I don't know how :wink:

I’ve setup unify to only be reached via lan so that’s sorted, but it’s the ha and immich that I need help with.

2. Error messages and/or full log output:

3. Caddy version:

v2.10.2 with the Cloudflare module

4. How I installed and ran Caddy:

Frontend: via apt-get on Debian, then replaced the Caddy binary with one built with the Cloudflare module, as described in the wiki
Backend: Docker container

d. My complete Caddy config:

Backend
{
	servers {
		# Accept X-Forwarded-* headers from any private-range source address
		# (this covers the WireGuard peer, the LAN and the Docker bridge alike)
		trusted_proxies static private_ranges
	}
	# Do not try to install Caddy's local CA into the system trust store
	skip_install_trust
}

# Plain HTTP on port 80: TLS for these hosts is terminated by the frontend Caddy on the VPS
http://immich.sturupcloud.se {
	reverse_proxy http://192.168.0.185:2283
}
http://ha.sturupcloud.se {
	reverse_proxy http://192.168.0.175:8123
}
# Served over HTTPS directly, with a certificate obtained via the Cloudflare DNS challenge
https://unify.sturupcloud.se {
	tls {
		dns cloudflare
	}
	# Upstream speaks HTTPS; its certificate is deliberately not verified
	reverse_proxy https://192.168.0.185:11443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

Frontend
# Wildcard site: one DNS-validated certificate covers every subdomain
*.sturupcloud.se {
	tls {
		dns cloudflare
	}

	# Route on the Host header; every host is sent over the WireGuard tunnel
	# to the backend Caddy (11.0.0.30) on plain HTTP
	@immich host immich.sturupcloud.se
	handle @immich {
		reverse_proxy http://11.0.0.30:80
	}
	@ha host ha.sturupcloud.se
	handle @ha {
		reverse_proxy http://11.0.0.30:80
	}
	@bitwarden host bitwarden.sturupcloud.se
	handle @bitwarden {
		reverse_proxy http://11.0.0.30:80
	}
}

5. Links to relevant resources:

I'm not sure I follow why you need to differentiate them. What are you trying to do with that?

Enable access logs (the log directive), compare what the requests look like when they come via WireGuard vs. the LAN, and see if the remote address is different; if so, you can use the remote_ip matcher to change it.


Hi

Maybe I am overcomplicating things.

My frontend Caddy is running on my VPS and is handling the certificates for my domain.

So when I'm at home I want to connect locally to my home server with my domain name and not via the VPS.

Then you just need to override your DNS in your LAN (run a DNS server, or something like Pi-hole or AdGuard, which are also DNS servers) so that your domain resolves to your LAN IP instead of your VPS IP while inside your LAN.


Yeah, that was what I was trying to do; DNS was already set up, but nothing seemed to work when trying to access port 443 on the LAN side.

But until now I had gotten it completely turned around in my head.

Solved it literally a minute ago: since the VPS accesses my home server via port 80, I could just add HTTPS on the LAN side:

{
        servers {
                # Trust X-Forwarded-* headers from any private-range source address
                trusted_proxies static private_ranges
        }
        skip_install_trust
}
#----------------------------------------------------------------------
#WAN: plain HTTP on port 80, reached by the VPS through the WireGuard tunnel
http://immich.sturupcloud.se {
        reverse_proxy http://192.168.0.185:2283
}
http://ha.sturupcloud.se {
        reverse_proxy http://192.168.0.175:8123
}
unify.sturupcloud.se {
        tls {
                dns cloudflare
        }
        # Upstream speaks HTTPS; its certificate is deliberately not verified
        reverse_proxy https://192.168.0.185:11443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
#----------------------------------------------------------------------
#LAN: the same hosts on port 443, with certificates obtained via the Cloudflare DNS challenge
https://ha.sturupcloud.se {
        tls {
                dns cloudflare
        }
        reverse_proxy http://192.168.0.175:8123
}
https://immich.sturupcloud.se {
        tls {
                dns cloudflare
        }
        reverse_proxy http://192.168.0.185:2283
}
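The remote_ip approach suggested earlier in the thread, applied to the final backend config above, as an added example that is not part of the original posts. It assumes the VPS end of the WireGuard tunnel is 11.0.0.1 (the thread only shows the home server's tunnel address, 11.0.0.30) and that the backend container sees the real tunnel source address rather than a Docker bridge NAT address; both should be confirmed from the access log before relying on it. The point is that the plain-HTTP WAN sites on port 80 are only proxied for requests that actually arrive from the tunnel peer, and only that peer's X-Forwarded-* headers are trusted, instead of every private-range address on the LAN:

```caddyfile
{
	# Default logger to stdout as JSON, so tunnel and LAN requests can be compared with:
	#   docker logs <container> | jq -r '.request.remote_ip // empty'
	log {
		output stdout
		format json
	}
	servers {
		# Only the VPS end of the tunnel is a real proxy. 11.0.0.1/32 is an
		# assumed address: replace it with the one seen in the access log.
		trusted_proxies static 11.0.0.1/32
	}
	skip_install_trust
}

# Snippet for the port-80 sites: proxy only when the request comes in over
# the tunnel (assumed peer 11.0.0.1), otherwise send the client to the
# HTTPS site. {args[0]} is the upstream passed by import.
(from_wg) {
	log
	@wg remote_ip 11.0.0.1
	handle @wg {
		reverse_proxy {args[0]}
	}
	handle {
		redir https://{host}{uri} 308
	}
}

#WAN: plain HTTP on port 80, only from the tunnel
http://immich.sturupcloud.se {
	import from_wg http://192.168.0.185:2283
}
http://ha.sturupcloud.se {
	import from_wg http://192.168.0.175:8123
}

#LAN: HTTPS on port 443 with a Cloudflare DNS-validated certificate
https://immich.sturupcloud.se {
	log
	tls {
		dns cloudflare
	}
	reverse_proxy http://192.168.0.185:2283
}
https://ha.sturupcloud.se {
	log
	tls {
		dns cloudflare
	}
	reverse_proxy http://192.168.0.175:8123
}
```

The remote_ip matcher checks the address of the TCP peer, not any forwarded header, so a LAN client cannot satisfy it by adding X-Forwarded-For; the unify site from the original config is unchanged and is omitted here.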