🛡️ Reverse proxy

Important

Usually the CA service will be deployed behind a reverse proxy, which requires special attention.

To make the CA working behind a reverse proxy, follow these rules:

  1. Remove all direct port mappings (i.e. 8443)

  2. Point your reverse proxy to port 8443 instead (the only exposed port)

  3. Pass through TLS connections to the CA, don’t intercept them on the reverse proxy

  4. Disable strict SNI checking

  5. Put the CA into the same network as the proxy
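The five rules above can be checked mechanically before a deployment goes live. The following is an added example (not part of the original page or the CA project) of a small lint over the CA's Compose service definition as PyYAML's `safe_load` would return it; the service dicts, the image name and the `ca` router / `proxy` network names are constructed assumptions matching the Traefik example in this chapter. Rule 2 (the proxy target port) lives in the proxy's own configuration and is not visible from the service, so it is not checked here.

```python
"""Lint a parsed Compose service for the reverse-proxy rules (added example)."""


def _labels_as_dict(labels) -> dict:
    """Compose accepts labels as a mapping or as a list of 'key=value' strings."""
    if isinstance(labels, dict):
        return {str(k): str(v) for k, v in labels.items()}
    out = {}
    for item in labels or []:
        key, sep, value = str(item).partition("=")
        out[key] = value if sep else ""
    return out


def lint_ca_service(service: dict, router: str = "ca",
                    proxy_network: str = "proxy",
                    strict_sni: bool = False) -> list[str]:
    """Return a list of rule violations; an empty list means the service complies.

    `strict_sni` says whether the proxy's default TLS options enable sniStrict;
    in that case the router must reference an option set that switches it off.
    """
    problems = []
    labels = _labels_as_dict(service.get("labels"))

    # Rule 1: no direct host port mapping; the proxy must be the only way in.
    for mapping in service.get("ports", []) or []:
        problems.append(f"rule 1: direct port mapping {mapping!r} exposes the CA beside the proxy")

    # Rule 3: a TCP router with HostSNI and passthrough, so TLS ends at the CA, not the proxy.
    if labels.get("traefik.enable") != "true":
        problems.append("rule 3: traefik.enable=true is missing, the proxy will not route to the CA")
    rule = labels.get(f"traefik.tcp.routers.{router}.rule", "")
    if not rule.startswith("HostSNI("):
        problems.append(f"rule 3: traefik.tcp.routers.{router}.rule must be a HostSNI(...) rule; "
                        "an HTTP router would terminate TLS on the proxy")
    if labels.get(f"traefik.tcp.routers.{router}.tls.passthrough") != "true":
        problems.append(f"rule 3: traefik.tcp.routers.{router}.tls.passthrough=true is missing")

    # Rule 4: strict SNI checking must be disabled when the proxy has it on by default.
    if strict_sni and f"traefik.tcp.routers.{router}.tls.options" not in labels:
        problems.append("rule 4: proxy enforces sniStrict but the router sets no tls.options to disable it")

    # Rule 5: the CA has to sit in the proxy's network (works for list and mapping form).
    if proxy_network not in (service.get("networks") or []):
        problems.append(f"rule 5: service is not attached to the {proxy_network!r} network")

    return problems


# Constructed sample services (not from a real deployment).
BAD_SERVICE = {
    "image": "example/ca",                      # placeholder image name
    "ports": ["8443:8443"],                     # violates rule 1
    "labels": [
        "traefik.enable=true",
        "traefik.http.routers.ca.rule=Host(`ca.example.net`)",  # HTTP router: TLS ends on proxy
        "traefik.http.routers.ca.tls=true",
    ],
    # no networks entry: violates rule 5
}

GOOD_SERVICE = {
    "image": "example/ca",
    "labels": [
        "traefik.enable=true",
        "traefik.tcp.routers.ca.rule=HostSNI(`ca.example.net`)",
        "traefik.tcp.routers.ca.tls.passthrough=true",
    ],
    "networks": ["proxy"],
}

if __name__ == "__main__":
    for name, svc in (("bad", BAD_SERVICE), ("good", GOOD_SERVICE)):
        print(name, lint_ca_service(svc) or "OK")
```

In a pipeline, load the Compose file with `yaml.safe_load`, pass `services["ca"]` to `lint_ca_service`, and fail the job when the returned list is non-empty.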

Below are some examples for common reverse proxies.

Traefik

CA deployment

To deploy the CA service behind the Traefik proxy, the following labels must be added to the container:

services:
  ca:

    # … existing config (see Deployment chapter)

    # Passthrough connections from Traefik directly to CA.
    labels:
      - traefik.enable=true
      - traefik.tcp.routers.ca.rule=HostSNI(`ca.example.net`)
      - traefik.tcp.routers.ca.tls.passthrough=true

    # Add CA to proxy network.
    networks:
      - proxy

# Make proxy network available for Compose service.
networks:
  proxy:
    external: true

Hint

If you have strict SNI checking enabled, create a new dynamic config such as this:

tls:
  options:
    sniStrictDisable:
      sniStrict: false

Then use the option as another label:

labels:
    # … existing labels
    - traefik.tcp.routers.ca.tls.options=sniStrictDisable@file

mTLS

To use the CA for mTLS in the Traefik proxy, use the following TLS configuration:

tls:
  options:

    mTLS:
      clientAuth:
        caFiles:
          - /path/to/ca.pem
        clientAuthType: RequireAndVerifyClientCert

Hint

If you have default options and want to extend them for the mTLS options, you can use YAML anchors like this:

tls:
  options:

    default: &defaultOptions
      # your default options here

    mTLS:
      <<: *defaultOptions
      clientAuth:
        caFiles:
          - /path/to/ca.pem
        clientAuthType: RequireAndVerifyClientCert

Caddy

CA deployment

Caddy doesn’t support TLS passthrough out of the box, so you’ll need a custom build that includes the caddy-l4 (Layer 4) plugin.

mTLS

To use the CA for mTLS in Caddy, configure the client_auth directive in your Caddyfile:

example.com {
    tls {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /path/to/ca.pem
        }
    }

    reverse_proxy backend:8080
}

Hint

If multiple sites should require mTLS, define a snippet and import it:

(mtls) {
    tls {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /path/to/ca.pem
        }
    }
}

example.com {
    import mtls
    reverse_proxy backend:8080
}