Skip to main content

Overview

By default, Caddy runs over HTTP on your chosen local port. If your deployment requires HTTPS — for example, to encrypt traffic between internal services or to meet security requirements — you can configure Caddy to serve over HTTPS using one of three approaches:
  • Automatic certificates via a public domain name (using Let’s Encrypt)
  • Self-signed certificates for local or internal use
  • Custom certificate files provided directly

Automatic HTTPS with a Domain

If you have a public domain name with a DNS record pointing to your server, Caddy can automatically obtain and renew TLS certificates from Let’s Encrypt: 
proxy.example.com {
    reverse_proxy https://api.scanoss.com {
        header_up x-api-key "YOUR_API_KEY_HERE"
        header_up Host api.scanoss.com
    }
}
Replace proxy.example.com with your actual domain. Caddy will automatically:
  • Obtain a TLS certificate from Let’s Encrypt
  • Serve HTTPS on port 443
  • Redirect HTTP requests to HTTPS
Prerequisite: Your domain must have a valid DNS A record pointing to the server, and port 80 must be publicly accessible so that Let’s Encrypt can complete its HTTP challenge.

Self-Signed Certificate for Internal Use

For internal or local deployments that do not use a public domain, you can instruct Caddy to generate a self-signed certificate using its built-in local certificate authority (CA). This is done by specifying tls internal in your Caddyfile. Localhost: 
localhost:1980 {
    tls internal

    reverse_proxy https://api.scanoss.com {
        header_up x-api-key "YOUR_API_KEY_HERE"
        header_up Host api.scanoss.com
    }
}
Specific internal IP address: 
https://192.168.1.100:1980 {
    tls internal

    reverse_proxy https://api.scanoss.com {
        header_up x-api-key "YOUR_API_KEY_HERE"
        header_up Host api.scanoss.com
    }
}
Note: Self-signed certificates will trigger security warnings in browsers and HTTP clients. To suppress these warnings, you must either add Caddy’s local CA certificate to your system’s trusted certificate store, or configure your tools to accept self-signed certificates explicitly.

Custom Certificate Files

If you have your own certificate and private key files, you can specify their paths directly in the Caddyfile: 
:1980 {
    tls /path/to/cert.pem /path/to/key.pem

    reverse_proxy https://api.scanoss.com {
        header_up x-api-key "YOUR_API_KEY_HERE"
        header_up Host api.scanoss.com
    }
}
Replace /path/to/cert.pem and /path/to/key.pem with the absolute paths to your certificate and private key files. If your certificate authority provides intermediate certificates, use a full-chain certificate file (e.g. fullchain.pem) rather than the end-entity certificate alone.

Updating Client Configuration for HTTPS

When HTTPS is enabled on your Caddy instance, update the proxy base URL in all client configurations — such as environment variables, configuration files, or SDK settings — to use https:// instead of http://. For example, depending on your deployment, your proxy address will take one of the following forms: 
https://localhost:1980
https://192.168.1.100:1980
https://proxy.example.com
Refer to the configuration documentation for your specific client tool for details on where to set the proxy address.