Using caddy proxy to access another caddy proxy

1. The problem I’m having:

I want to run 2 instances of caddy: one that is locally available for my clients on the LAN, and one that is publicly available for my clients on the internet. I want to access everything under the same DNS name. In an ideal world, I would like to do something like this:

Caddyfile: prod
some.service.tld {
  reverse_proxy tunneled_connection_to_lab_instance
}

Caddyfile: lab
some.service.tld {
  reverse_proxy the_real_backend_service:some-port
}

where the wan instance proxies everything to the lan instance, instead of the wan instance directly accessing all the backend services. What’s the best way to achieve this? Is this simple config possible?

2. Error messages and/or full log output:

N/A

3. Caddy version:

Both hosts are running v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=, pulled from ghcr.io/caddybuilds/caddy-cloudflare:latest

4. How I installed and ran Caddy:

Services in docker compose projects

a. System environment:

Both hosts are amd64. Both caddy instances are running on docker.

c. Service/unit/compose file:

host lab:
services:
  caddy:
    container_name: caddy
    image: ghcr.io/caddybuilds/caddy-cloudflare:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./Caddyfile:/etc/caddy/Caddyfile:ro"
      - "./caddy_data:/data"
      - "./caddy_config:/config"
    environment:
      - CLOUDFLARE_API_TOKEN=(redacted)

host prod:
services:
  caddy:
    container_name: caddy
    image: ghcr.io/caddybuilds/caddy-cloudflare:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./Caddyfile:/etc/caddy/Caddyfile:ro"
      - "./caddy_data:/data"
      - "./caddy_config:/config"
    environment:
      - CLOUDFLARE_API_TOKEN=(redacted)

d. My complete Caddy config:

N/A

See Common Caddyfile Patterns — Caddy Documentation


Thanks for making this post because I was searching for the answers and beyond. I did find this post too: Running a Caddy server behind another [SOLVED]

I would like to know on which instance (front or back) I should put all the directives. Does it matter at all?

front instance facing public internet

subdomain.domain.tld {
    reverse_proxy http://192.168.1.50
    basic_auth {
        <username> <hash>
    }
}

back instance 192.168.1.50 facing private subnet

http://subdomain.domain.tld {
    reverse_proxy <docker-container>:<port>
}

It depends on what you’re trying to do. That’s totally up to you where you put your auth layer. If you put it in the front one, then you avoid unauthenticated requests hitting your back one, but depending on your level of traffic that might not really matter.
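The following pair of Caddyfiles is an added example, not config posted in this thread or shipped by the Caddy project. It puts together the original question (a WAN Caddy that proxies to a LAN Caddy serving the same DNS name) and the answer above (authentication enforced on the front instance). It assumes a private tunnel between the hosts with the lab end at 10.8.0.2 and the prod end at 10.8.0.1, a user named alice, and the cloudflare DNS plugin that the thread's image provides; those addresses, the user and the hash placeholder are constructed for the example.

```caddyfile
# ---- Caddyfile on host "prod" (public, WAN-facing) ----
# Assumption (not from the thread): the lab host is reachable from prod
# over a private tunnel at 10.8.0.2.
some.service.tld {
    # Authentication happens at the edge, so unauthenticated requests
    # never reach the lab instance or the real backend.
    basic_auth {
        # Replace with a bcrypt hash generated by `caddy hash-password`.
        alice <bcrypt-hash-placeholder>
    }

    # Proxy over HTTPS to the lab instance. The dial target is a tunnel IP,
    # so the SNI is set explicitly; the lab certificate is then verified
    # against some.service.tld rather than skipping verification.
    reverse_proxy https://10.8.0.2 {
        transport http {
            tls_server_name some.service.tld
        }
    }
}

# ---- Caddyfile on host "lab" (LAN-facing) ----
# Same DNS name. The certificate is obtained with the DNS-01 challenge, so
# the lab host need not be reachable from the internet; the thread's image
# includes the cloudflare plugin and passes CLOUDFLARE_API_TOKEN.
some.service.tld {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Only LAN clients and the tunnel peer may reach this instance directly;
    # anything else gets a 403 before the proxy handler runs.
    @outside not remote_ip private_ranges
    respond @outside 403

    reverse_proxy the_real_backend_service:some-port {
        # Trust X-Forwarded-* headers only from prod's tunnel address
        # (assumed 10.8.0.1), so the backend sees the real client IP
        # without letting other hosts spoof it.
        trusted_proxies 10.8.0.1
    }
}
```

Each file is validated on its own host with `caddy validate --config /etc/caddy/Caddyfile` (inside the container from the compose files above). Because `respond` and `basic_auth` sort before `reverse_proxy` in Caddy's default directive order, the deny rule and the auth check run before any request is forwarded, on both instances.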

Thanks for the additional information. I couldn’t assess whether configuring basic_auth on the frontend or backend posed a security risk. I only need Caddy privately for standard self-hosted services such as Immich, Nextcloud, Vaultwarden, etc.

Until now, I had a public /28 subnet with 5 usable IPs, but I have to reduce this to one IP, so I now need the option “Caddy proxying to another Caddy”.
