Importing of caddyfile configuration

[ale17z]

Hi everyone!

I'm setting up Caddy Proxy Manager using Docker, but I'm having trouble remapping my old Caddy base configuration via the GUI to CPM.
I was able to successfully map the configuration of an exposed service.
I'd also like to use Caddy to manage browser certificates for unexposed services (by defining the DNS for internal IPs locally).
The Caddy file configuration is shown below:

(https_header) {
  header {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
  }
}

https://XXXXXXX.duckdns.org:4010 { 
  import https_header
  reverse_proxy http://192.168.100.101:4010
  @ws: {
    header Connection "Upgrade"
    header Upgrade websocket
  }
  }
https://XXXXXXX.duckdns.org:4020 { 
  import https_header
  reverse_proxy http://192.168.100.102:4020
  @ws: {
    header Connection "Upgrade"
    header Upgrade websocket
  }
}

However, I haven’t been able to map it to CPM.
I’ve tried several solutions:

Solution A – defining a proxy-host:

• Added 2 Upstreams + URI HASH or Header Hash load balancer
• Using “Location Rules” to redirect traffic

In this case, I have the problem that I don’t want to change the URL path of orignal services, otherwise for every new service I’d have to go and modify the various service configurations.
The desired behavior would be:

https://XXXXX.duckdns.org/serviceA/     >>>   http://192.168.100.101:4010/
https://XXXXX.duckdns.org/serviceB/     >>>   http://192.168.100.102:4020/

I also tried the Custom Reverse Proxy (JSON) without any success :-(

Solution B - defining 2 L4 proxy hosts:

• I exposed the ports to be mapped in the L4 container
• created L4 Proxy Host
• enabled TLS termination

but I haven’t been able to get the service to work in any way.

Thanks for the amazing work!

It's a really great project, and as soon as I saw it, I fell in love with it!

[fuomag9]

Hi @ale17z, thanks for the kind words!

Looking at your Caddyfile, you're binding the same domain to different custom ports (:4010, :4020) and reverse-proxying each to a different backend. This is a somewhat unusual Caddy setup — typically you'd serve everything on the standard HTTPS port (443) and differentiate services by subdomain or path.

CPM doesn't support custom listen ports for individual reverse proxy hosts — all HTTP proxy hosts are served on port 443 (HTTPS) by default, which is the standard and recommended approach.

Recommended approach — use subdomains instead of custom ports:

Instead of XXXXX.duckdns.org:4010 and XXXXX.duckdns.org:4020, create separate subdomains (or use path-based routing on a single domain):

• Option 1 (subdomains): Create two proxy hosts — serviceA.XXXXX.duckdns.org → http://192.168.100.101:4010 and serviceB.XXXXX.duckdns.org → http://192.168.100.102:4020. Each gets its own TLS certificate automatically.

• Option 2 (path-based on one domain): Create one proxy host for XXXXX.duckdns.org and use Location Rules to route /serviceA/* → http://192.168.100.101:4010 and /serviceB/* → http://192.168.100.102:4020. Note: this requires your backend services to handle the path prefix, or you can use the "strip prefix" option.

If you need to restrict access to these internal services, you can use Access Lists (ACLs) to limit access by IP range (e.g., only allow your local network 192.168.100.0/24).

Regarding the security headers (Strict-Transport-Security, X-XSS-Protection, etc.) and WebSocket upgrade handling in your Caddyfile — Caddy already sets those by default, so you don't need to configure them manually in CPM. They're already taken care of.

The L4 proxy approach is meant for raw TCP/UDP forwarding (e.g., databases, game servers) and isn't the right tool for HTTP reverse proxying.

Hope this helps!

[ale17z]

Thanks for your reply.
I can't go with Option 1 because DuckDNS doesn't support fourth-level domains.
Option 2 is definitely a good choice, but I can't find the “strip prefix” option. Where do I configure it?

The ACL can be configured in the WAF section, right?

[fuomag9]

Good point about DuckDNS not supporting fourth-level subdomains.

Regarding "strip prefix" — I should correct myself, CPM doesn't have that option. What it has is a Path Prefix Rewrite (under proxy host settings) which prepends a prefix to requests, which is the opposite of what you need. Since there's no built-in strip prefix, you have two choices:

1. Switch to a DNS provider that supports subdomains (e.g., Cloudflare free tier, or any provider that allows wildcard/fourth-level records). This is the cleanest approach — each service gets its own proxy host with its own domain, TLS cert, and independent configuration.
2. Use path-based routing with Location Rules, but your backend services would need to handle the path prefix natively (e.g., configure them to serve under /serviceA/ and /serviceB/).

I'd recommend option 1. Serving multiple services under path prefixes on the same domain is generally not recommended from a security perspective — it means all services share the same origin, which weakens isolation (cookies, CORS, CSP policies all become shared).

Regarding access control — if you want to restrict who can reach these services, you can use the Geo Blocking feature on each proxy host to allow/deny access by country or IP address/range.

[ale17z]

Hi, Thanks for you replay.

I took a few days to run some tests and came up with this solution.
I was able to use Caddy in the recommended mode for 4th-level DuckDNS domains like the following: service.XXXXX.duckdns.org
(even though DuckDNS doesn’t support direct configuration of these DNS records) using the Get wildcard certificates with DNS-01 option and a local DNS.

To implement the solution, I had to define DNS records locally on my network and point the records to Caddy’s internal IP.
I then created the proxy-host by defining the following information in the domain:

*.XXXXX.duckdns.org
service.XXXXX.duckdns.org

without any other special configurations.

In this way, I can define Layer 4 services locally usign DuckDNS 3th-level DNS.
Caddy requires wildcard certificates with DNS-01 , and the service is proxied correctly on the system where it runs.

I need to report two bugs (notice during testing):

1. The current version of CPM doesn’t save changes to "Advanced Options". If I click “Save Changes,” the changes aren’t saved or applied. If I reopen the configuration in edit mode, the changes aren't saved properly.

2. If you temporarily disable a proxy-host using the dedicated button, the custom configurations in the various sections aren’t retained when re-enabling it.

Finally, here’s a suggestion that might be useful to others as well.
In the analytics section, in addition to the “Recent Blocked Requests”, it would be helpful (via a toggle button) to view processed requests as well, so that this information can be accessed directly from the web page rather than from the caddy server logs.

Thank you for the great work!!!

[fuomag9]

I need to report two bugs (notice during testing):

The current version of CPM doesn’t save changes to "Advanced Options". If I click “Save Changes,” the changes aren’t saved or applied. If I reopen the configuration in edit mode, the changes aren't saved properly.

If you temporarily disable a proxy-host using the dedicated button, the custom configurations in the various sections aren’t retained when re-enabling it.

Thank you for the information, please specify which sha256 commit you're running since there have been bug fixes regarding this, you may want to try updating first (also please avoid raising new issues in a resolved one, raising new ones should be the way)

Regarding processed requests I'll think if there can be a good implementation UX wise to show them

[ale17z]

ghcr.io/fuomag9/caddy-proxy-manager-web latest sha256:a87170b2e7a4b318ce11ed1ff873c222113988b9fd5c081dcc28ba799002f732
ghcr.io/fuomag9/caddy-proxy-manager-caddy latest sha256:e7243f92d22772ca73d1316e733bc1abae9b3d7ab75922c3f1dc0603a2e74c07