I just want to show some examples of how I configured my Caddyfile as a reverse proxy. Maybe it is helpful for someone.
Basics
Activate HTTP/3 (put this at the top of your Caddyfile)
This global options block is for Caddy versions before 2.6, where HTTP/3 was still opt-in. Since Caddy 2.6 HTTP/3 is enabled by default and experimental_http3 is no longer accepted; on current versions leave the block out, or pin the protocol set explicitly with protocols h1 h2 h3 inside servers. HTTP/3 runs over UDP 443, so that port has to be open on the firewall next to TCP 443, otherwise clients silently fall back to HTTP/2.
{
    servers * {
        protocol {
            experimental_http3
        }
    }
}
Simple Reverse Proxy
sub.domain.com {
    reverse_proxy 10.0.0.254:8080
}
Reverse Proxy with HTTPS backend and no trusted certificate
tls_insecure_skip_verify turns off certificate verification for the connection from Caddy to the backend: the traffic is still encrypted, but the backend is no longer authenticated, so anyone who can get between Caddy and 10.0.0.254 can impersonate it. Use it only on a network you fully control. The better fix is to trust the backend's own CA (or its self-signed certificate) with tls_trusted_ca_certs <pem-file> inside the same transport http block, adding tls_server_name <name> when the certificate is not issued for the IP address you proxy to.
sub.domain.com {
    reverse_proxy 10.0.0.254:443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
Reverse Proxy with IP allowlist (allowed networks: 10.0.0.0/24 and 10.1.1.0/24)
remote_ip matches the address of the TCP peer. That is exactly what you want when clients connect to Caddy directly, but if Caddy sits behind Cloudflare (orange cloud) or any other proxy, the peer is that proxy and every request gets the 403. The real client address is then only available in forwarded headers, which must never be trusted from arbitrary peers because any client can send them: on Caddy 2.7 and newer, declare the proxy ranges with the trusted_proxies option in the servers global block and match with client_ip instead of remote_ip. The respond 403 at the end catches everything the matcher did not let through; abort closes the connection without a response if you prefer not to answer at all.
sub.domain.com {
    @internal {
        remote_ip 10.0.0.0/24 10.1.1.0/24
    }
    handle @internal {
        reverse_proxy 10.0.0.254:8080
    }
    respond 403
}
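The difference between the peer address remote_ip sees and the client address a proxy forwards, as an added Python example that is not part of this post and not Caddy's code. The allowlist is the one from the block above; the trusted proxy range 203.0.113.0/24 and the four requests are constructed for the demonstration (it is not Cloudflare's real range), and the walk over X-Forwarded-For models trusted-proxy handling in general, not Caddy's exact implementation.

```python
"""Effective client address behind a proxy, and the IP allowlist applied to it.

Added example for this post (not Caddy's code). It models two matchers:
`remote_ip`, which only ever sees the TCP peer, and a forwarded-header lookup
that trusts X-Forwarded-For only when the peer is a configured trusted proxy.
The trusted proxy range 203.0.113.0/24 and all addresses below are constructed
for the demo; it is not Cloudflare's published range.
"""
import ipaddress
from typing import Iterable, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The allowlist from the post.
ALLOWED: list = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "10.1.1.0/24")]

# Constructed stand-in for the proxy in front of Caddy (e.g. Cloudflare's edge).
TRUSTED_PROXIES: list = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(ip: IPAddr, nets: Iterable[IPNet]) -> bool:
    return any(ip in net for net in nets)


def remote_ip_allowed(peer: str) -> bool:
    """What `remote_ip 10.0.0.0/24 10.1.1.0/24` decides: the TCP peer only."""
    return in_any(ipaddress.ip_address(peer), ALLOWED)


def client_ip(peer: str, x_forwarded_for: Optional[str]) -> IPAddr:
    """Client address when forwarded headers are trusted only from TRUSTED_PROXIES.

    X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer it
    saw. Anyone can send the header, so it is ignored unless the peer is a
    trusted proxy. It is then walked from the right, dropping trusted hops; the
    first untrusted address is the client, so a client that prepends fake
    entries gains nothing.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not x_forwarded_for or not in_any(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer address
        if not in_any(ip, TRUSTED_PROXIES):
            return ip
    # Every hop was a trusted proxy; the leftmost is the one closest to the client.
    return ipaddress.ip_address(hops[0])


def forwarded_allowed(peer: str, x_forwarded_for: Optional[str]) -> bool:
    return in_any(client_ip(peer, x_forwarded_for), ALLOWED)


# Constructed requests: (description, TCP peer, X-Forwarded-For header or None)
REQUESTS = [
    ("LAN client, direct", "10.0.0.5", None),
    ("LAN client via trusted proxy", "203.0.113.10", "10.0.0.5"),
    ("internet client, spoofed header", "198.51.100.7", "10.0.0.5"),
    ("internet client via proxy, spoofed", "203.0.113.10", "10.0.0.5, 198.51.100.7"),
]


def decisions() -> dict:
    """Per request: (remote_ip matcher verdict, forwarded-header verdict)."""
    return {desc: (remote_ip_allowed(peer), forwarded_allowed(peer, xff))
            for desc, peer, xff in REQUESTS}


if __name__ == "__main__":
    for desc, (direct, fwd) in decisions().items():
        d = "allow" if direct else "deny"
        f = "allow" if fwd else "deny"
        print(f"{desc:38} remote_ip={d:6} forwarded={f}")
```

The second request is the one that bites when the allowlist above is combined with the Cloudflare section further down: the peer is the proxy, so remote_ip denies a legitimate LAN client, while the forwarded lookup still admits it. The third and fourth show why the header may only be read from trusted peers and only from the right-hand end.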
Streaming (Plex, Jellyfin, ...)
flush_interval -1 disables response buffering, so every chunk the media server writes is passed to the client immediately instead of being held back until Caddy's buffer is full; without it, streams stutter or stall. The ... stand for whatever else the site block contains.
...
reverse_proxy 10.0.0.254:32400 {
    flush_interval -1
}
...
Cloudflare
This is only needed if you have the Cloudflare proxy activated (orange cloud). With the proxy in front, the ACME TLS-ALPN challenge cannot reach your server and the HTTP challenge depends on your Cloudflare settings, so Caddy proves control of the domain with the DNS challenge instead, which needs API access to the zone.
Requirements
Caddy binary with the dns.providers.cloudflare plugin (Caddy builder): LINK
Create an API token on Cloudflare: LINK. Give the token only what the plugin needs (Zone / Zone / Read and Zone / DNS / Edit, restricted to this zone) and do not use the global API key; a leaked token then only allows editing DNS records of that one zone.
Cloudflare API
The token can be written into the Caddyfile directly, but {env.CLOUDFLARE_API_TOKEN} reads it from the environment at start-up (for the systemd service, put it in an EnvironmentFile readable only by root), which keeps the secret out of a file that is usually world-readable and tends to end up in backups or version control. resolvers 1.1.1.1 makes Caddy check the challenge record against Cloudflare's resolver instead of a local DNS server that may still cache a stale answer.
sub.domain.com {
    tls {
        issuer acme {
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}
            resolvers 1.1.1.1
        }
    }
}
Cloudflare API + reverse proxy
sub.domain.com {
    tls {
        issuer acme {
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}
            resolvers 1.1.1.1
        }
    }
    reverse_proxy 10.0.0.254:80
}
Cloudflare API + reverse proxy + streaming
sub.domain.com {
    tls {
        issuer acme {
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}
            resolvers 1.1.1.1
        }
    }
    reverse_proxy 10.0.0.254:32400 {
        flush_interval -1
    }
}
Header Security
Create a file called caddy_security.conf in the Caddyfile directory (/etc/caddy/) with the following content:
header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Xss-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    Content-Security-Policy "frame-ancestors *.opum.ch"
    Referrer-Policy "strict-origin-when-cross-origin"
    Cache-Control "public, max-age=15, must-revalidate"
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(*), speaker=(), sync-xhr=(), usb=(), vr=()"
}
A few things to adjust before copying this. frame-ancestors *.opum.ch is the domain used here; put in the origins that may frame your site, or 'none' if nothing should. This CSP only restricts framing and says nothing about script or style sources, so it does not replace a CSP the application itself should send. The values here are Caddy's, not the backend's: if an app already sends its own Content-Security-Policy, check with curl -I which one the client actually receives, and use ?Content-Security-Policy if the value should only be filled in when the backend sent none.
Cache-Control "public" marks every proxied response as storable by shared caches, Cloudflare included; for an application with logins that can hand one user's page to another within the 15 seconds, so leave it out of the shared snippet for such apps or set it per path. preload on HSTS commits the domain and all its subdomains to HTTPS for a year and is hard to undo once submitted to hstspreload.org; add it only when every subdomain serves HTTPS. X-Xss-Protection "1; mode=block" targets the XSS auditor that browsers have since removed; current guidance is X-Xss-Protection "0" or dropping the header. Features browsers do not know in Permissions-Policy (speaker, vr, ambient-light-sensor) are ignored and harmless.
Now import this file into the Caddyfile:
sub.domain.com {
    import /etc/caddy/caddy_security.conf
    reverse_proxy 10.0.0.254:8080
}
With these settings you get an A+ on https://securityheaders.com/. The grade only checks that the headers are present with sensible values; whether they fit your application is up to you.
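A small audit script for the header set above, as an added Python example that is not part of this post. audit_headers() checks a header map against the baseline the snippet is meant to enforce and flags the points discussed above (deprecated X-Xss-Protection, public caching of a response that sets a cookie, missing HSTS or nosniff, fingerprinting headers). The two header maps in the script are constructed; POST_HEADERS mirrors caddy_security.conf with a shortened Permissions-Policy, WEAK_HEADERS a typical unprotected backend. The live HEAD request is only a convenience for running it against your own host.

```python
"""Audit HTTP response headers against the hardening baseline in this post.

Added example (not from the original post, not Caddy code). audit_headers()
returns a list of findings for a header map; an empty list means the baseline
is met. POST_HEADERS and WEAK_HEADERS are constructed samples. Run with a URL
argument to audit a live server over a HEAD request.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000
REQUIRED = ("strict-transport-security", "x-content-type-options",
            "content-security-policy", "referrer-policy", "permissions-policy")
LEAKY = ("server", "x-powered-by", "x-aspnet-version")  # version fingerprinting

# Constructed: the values from caddy_security.conf (Permissions-Policy shortened).
POST_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "frame-ancestors *.opum.ch",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "public, max-age=15, must-revalidate",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Constructed: what an unprotected backend typically sends.
WEAK_HEADERS: Dict[str, str] = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "public, max-age=60",
    "Set-Cookie": "session=abc123; Path=/",
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name in REQUIRED:
        if name not in h:
            findings.append(f"missing {name}")
    hsts = h.get("strict-transport-security", "").lower()
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts max-age below one year")
        if "preload" in hsts and "includesubdomains" not in hsts:
            findings.append("hsts preload without includeSubDomains is rejected by the preload list")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    csp = h.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or x-frame-options)")
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("x-xss-protection enabled: deprecated, set it to 0 or drop it")
    cc = h.get("cache-control", "").lower()
    if "public" in cc and "set-cookie" in h:
        findings.append("cache-control public on a response that sets a cookie")
    for name in LEAKY:
        if name in h:
            findings.append(f"fingerprinting header present: {name}")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """HEAD request; a 4xx/5xx still yields the headers the server sent."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "header-audit/1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as e:
        return dict(e.headers.items())


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else POST_HEADERS
    for finding in audit_headers(headers) or ["baseline met"]:
        print(finding)
```

Run it as python3 audit.py https://sub.domain.com/ after reloading Caddy; the only finding for the snippet as written is the X-Xss-Protection one. Because the dict collapses repeated header names, a page that sets several cookies is still reported once, which is enough for the Cache-Control check.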