
[Question] Caddy Forward proxy behind another Caddy reverse proxy?

Open maxiride opened this issue 1 year ago • 3 comments

Since modifying our main caddy server is a no-go, will the plugin work if placed behind another caddy reverse proxy? If so, how should the forward proxy be configured?

Client --> Caddy A -- reverse proxy --> Caddy B forward proxy --> internet

Caddy A hypothetical configuration:

example.com {
    handle_path /forward/* {
        reverse_proxy caddy_B:80
    }
}

Caddy B hypothetical

:80 {
   forward_proxy
}

maxiride avatar Dec 02 '24 13:12 maxiride

The client to a forward proxy (Caddy A in your example) needs to support forward proxies. I believe the HTTP(S)_PROXY env var(s) can do this, but I haven't played with this myself.

mholt avatar Dec 02 '24 18:12 mholt

Oh actually we have a setting for this in the reverse_proxy: https://caddyserver.com/docs/modules/http.reverse_proxy.transport.http#forward_proxy_url or Caddyfile: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#forward_proxy_url

mholt avatar Dec 02 '24 18:12 mholt

> Oh actually we have a setting for this in the reverse_proxy: https://caddyserver.com/docs/modules/http.reverse_proxy.transport.http#forward_proxy_url or Caddyfile: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#forward_proxy_url

That's nice, and I admit I missed it while reading the documentation. However, the forward_proxy_url option is a child of the transport rules of the reverse_proxy directive. As-is, from the documentation, it's my understanding that the option allows reaching a specific upstream through the defined forward proxy URL.

My question concerns being able to reach any destination through the forward proxy (as any forward proxy usually allows), with the caveat that the forward proxy URL to use must point to our main Caddy instance, hence the idea of putting it behind a reverse proxy.

Ideally, in a flexible environment, I would simply spin up a new caddy instance with the forward proxy plugin and bind it to a different WAN IP (so as not to disrupt the main Caddy), but that would touch the firewall area, complicating the matter further (administratively speaking).


> The client to a forward proxy (Caddy A in your example) needs to support forward proxies.

Of course, but luckily many applications have built-in support.

maxiride avatar Dec 03 '24 09:12 maxiride
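
What "the client needs to support forward proxies" means on the wire, as an added example that is not part of the thread or of Caddy's code: a local listener records the request line Python's urllib sends when talking to it directly and when it is configured as the HTTP proxy. The listener, its port and the `example.test` host are constructed for the demo.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

seen = []  # request lines exactly as the listener received them


class Recorder(BaseHTTPRequestHandler):
    """Stand-in listener (constructed): records the request line, answers 200."""

    def do_GET(self):
        seen.append(self.requestline)
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def observe_request_lines():
    """Return [direct_request_line, proxied_request_line]."""
    server = HTTPServer(("127.0.0.1", 0), Recorder)  # port 0: any free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        seen.clear()
        # 1) Direct request: empty ProxyHandler ignores any HTTP_PROXY env var.
        direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        direct.open(f"http://127.0.0.1:{port}/hello", timeout=5).read()
        # 2) Same listener used as a forward proxy; this is the explicit
        #    equivalent of exporting HTTP_PROXY=http://127.0.0.1:<port>.
        proxied = urllib.request.build_opener(
            urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{port}"}))
        proxied.open("http://example.test/hello", timeout=5).read()
        return list(seen)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for line in observe_request_lines():
        print(line)
```

The proxy-aware client puts the full target URL in the request line, while the direct request carries only the path.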