Caddy Reverse Proxy
Depends On
Depends On: None
Depended On By: None
Overview
Caddy is the HTTPS reverse proxy for all internal services on the homelab. Every *.hake.rodeo subdomain routes through Caddy, which handles TLS termination using Let's Encrypt certificates obtained via Cloudflare DNS-01 challenges.
This means no service needs to manage its own TLS — Caddy sits in front of everything and provides valid certificates automatically. Because it uses DNS challenges instead of HTTP challenges, nothing needs to be exposed to the internet.
How It Works
- DNS resolution: Pi-hole has local DNS A records mapping each service.hake.rodeo subdomain to Caddy's IP (10.1.10.101)
- TLS termination: Caddy presents a valid Let's Encrypt certificate to the client
- Reverse proxy: Caddy forwards the request to the backend service over HTTP (or HTTPS with certificate verification skipped for self-signed backends like Proxmox)
Service Details
| Field | Value |
|---|---|
| Container | LXC (unprivileged) |
| VMID | 101 |
| IP | 10.1.10.101 |
| VLAN | 10 (Production) |
| OS | Debian 13 (trixie) |
| Resources | 1 vCPU, 512 MB RAM, 6 GB disk |
| Caddy | v2.11.1 (custom build via xcaddy) |
| TLS | Let's Encrypt via Cloudflare DNS-01 |
| Domain | *.hake.rodeo |
Current Routes
| Subdomain | Backend | Description |
|---|---|---|
| pihole.hake.rodeo | Pi-hole admin UI | DNS management dashboard |
| jack.hake.rodeo | Proxmox VE web UI | Hypervisor management |
| ipmi.hake.rodeo | SuperMicro BMC | Out-of-band hardware management |
New services are added by creating a Caddyfile entry and a Pi-hole local DNS record — Caddy picks up the change on reload with zero downtime.
Architecture
Caddy uses a custom binary built with xcaddy that includes the caddy-dns/cloudflare module. This module allows Caddy to create DNS TXT records in Cloudflare to prove domain ownership for the ACME DNS-01 challenge — no inbound ports required.
The Cloudflare API token is scoped to DNS edit permissions on the hake.rodeo zone only, limiting the blast radius if the token were ever compromised.
Services with self-signed HTTPS backends (Proxmox UI, IPMI BMC) use tls_insecure_skip_verify on the transport — Caddy trusts the backend connection since it's on the local network, while still presenting a valid Let's Encrypt cert to the client.
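The Caddyfile below is an added example illustrating the setup described on this page; it is not the homelab's actual configuration. Backend addresses (PIHOLE_IP, PROXMOX_IP, BMC_IP) are placeholders the page does not give, and the upstream ports assume the Proxmox (8006) and BMC (443) defaults.

```caddyfile
# Binary assumed built with: xcaddy build --with github.com/caddy-dns/cloudflare
{
	# Solve ACME DNS-01 through Cloudflare. The token is read from the
	# environment and should be scoped to DNS edit on the hake.rodeo zone only.
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}

# Reusable snippet for backends that serve HTTPS with a self-signed cert.
# Caddy skips verification of the upstream cert (local network only) while
# still presenting its Let's Encrypt cert to the client.
(self_signed_upstream) {
	reverse_proxy https://{args[0]} {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Plain-HTTP backend: Pi-hole admin UI.
pihole.hake.rodeo {
	reverse_proxy PIHOLE_IP:80
}

# Proxmox VE web UI, self-signed HTTPS on its default port.
jack.hake.rodeo {
	import self_signed_upstream PROXMOX_IP:8006
}

# SuperMicro BMC, self-signed HTTPS.
ipmi.hake.rodeo {
	import self_signed_upstream BMC_IP:443
}
```

Adding a service is then a new site block plus the matching Pi-hole A record; `caddy reload` applies it without dropping existing connections.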