Reverse Proxy
dockmesh ships an embedded Caddy instance that can front your stacks with automatic HTTPS via Let’s Encrypt. Enable it once, point a DNS record at your dockmesh host, and your stacks get valid certificates with zero config.
Enabling
Settings → System → Reverse Proxy
Toggle it on. dockmesh starts a Caddy container bound to ports 80 and 443, owned by dockmesh (not by one of your stacks).
On first start, Caddy provisions TLS certificates via the ACME HTTP-01 challenge. Port 80 must be reachable from the public internet for this to work.
Routing a stack
On any stack’s detail page:
Proxy → Add route
| Field | Example |
|---|---|
| Domain | analytics.example.com |
| Target container | analytics_web_1 |
| Target port | 80 |
| Path (optional) | / |
| TLS | Automatic (default), Custom cert, or None |
Caddy provisions a cert for analytics.example.com, adds a route, and reloads. It takes about 30 seconds before the first request succeeds.
Wildcard certificates
For *.example.com, ACME requires the DNS-01 challenge (HTTP-01 does not work for wildcards). Configure a DNS provider in Settings → Reverse Proxy → DNS Provider:
Supported (via Caddy modules):
- Cloudflare
- AWS Route 53
- Google Cloud DNS
- DigitalOcean
- Hetzner Cloud
- Porkbun
- Namecheap
- Gandi
Provide an API token for your DNS provider. Caddy will handle the DNS-01 challenge automatically.
Custom Caddyfile
The UI covers 90% of use cases. For the other 10% (custom matchers, middleware, complex rewrites), edit the raw Caddyfile:
Settings → Reverse Proxy → Advanced → Caddyfile
Changes are validated with `caddy validate` before saving. Syntax errors are rejected with line numbers.
Example custom block:

```caddyfile
api.example.com {
    rate_limit {
        zone api {
            key {remote_host}
            events 100
            window 1m
        }
    }
    reverse_proxy analytics_api_1:8080 {
        header_up X-Real-IP {remote_host}
    }
}
```

Bring your own certificate
For internal CA certificates or pre-existing cert files:
Settings → Reverse Proxy → Certificates → Upload
- PEM-encoded cert + private key
- Scope: specific domain or wildcard
- Auto-renewal disabled for bring-your-own certs (you handle renewal)
Security headers
Caddy applies sensible defaults:
- Strict-Transport-Security (365 days, includeSubDomains, preload)
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY (can be overridden per route)
- Referrer-Policy: strict-origin-when-cross-origin
Override per route if needed.
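The per-route override mentioned above, shown as an added example of a custom Caddyfile block (not dockmesh’s generated configuration): the site keeps the strict defaults everywhere but relaxes X-Frame-Options only under /embed/, so that path can be framed by pages on the same origin. The hostname, container name and path are assumptions.

```caddyfile
dashboards.example.com {
    # Baseline headers for every response from this site; the values mirror
    # the defaults listed above (365 days = 31536000 seconds).
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
    }

    # Only the embed widget may be framed, and only by the same origin.
    # `header` runs before `handle` in Caddy's directive order, so a later
    # `header` with the same field name replaces the value set above.
    # frame-ancestors is the CSP equivalent for browsers that prefer it.
    @embed path /embed/*
    handle @embed {
        header X-Frame-Options SAMEORIGIN
        header Content-Security-Policy "frame-ancestors 'self'"
        reverse_proxy dashboards_web_1:80
    }

    # Everything else keeps DENY and the other defaults.
    handle {
        reverse_proxy dashboards_web_1:80
    }
}
```

Paste the block under Settings → Reverse Proxy → Advanced → Caddyfile; `caddy validate` runs before it is saved, so a typo in a matcher or header name is reported with its line number.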
Monitoring
Settings → Reverse Proxy → Logs streams Caddy’s access log with:
- Request timestamps
- Source IP
- Method + path
- Response status
- Response time
- Matched route
Filter by domain, status code, or regex.
Not using Caddy?
If you already run Traefik, nginx, or a cloud load balancer, disable the embedded Caddy and route directly to your stacks’ published ports.
See Integrations · Traefik for a sidecar setup.
See also
- Integrations · Let’s Encrypt — ACME provider details
- Integrations · Cloudflare Tunnel — alternative with no open ports
- Hardening — TLS and header best practices