I don’t know if you’ve looked into it yet, but On-Demand TLS may be useful to you when designing your solution with Caddy. I’ve never had a real need or opportunity, but I’ve always been interested in deploying something like this: