### Caddyfile Proxy Handler Mixed Syntax Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/proxy.md An example demonstrating how to mix short, mid-length, and long syntax for configuring multiple upstreams in Caddyfile. ```caddyfile # 8 - 3 upstreams mixing various syntax options proxy 192.168.0.1:8080 { upstream 192.168.0.2:8080 upstream { dial 192.168.0.3:8080 } } ``` -------------------------------- ### SOCKS5 Server Configuration Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/socks5.md An example Caddyfile configuration for a Layer 4 app running a SOCKSv5 server on TCP port 1080. ```caddyfile { layer4 { :1080 { @s5 socks5 route @s5 { socks5 { # only CONNECT and ASSOCIATE commands are allowed # (`commands` option may either appear multiple times # or have multiple arguments - the meaning is the same) commands CONNECT commands ASSOCIATE # multiple usernames and passwords may be set # with one or many `credentials` options credentials account1 password1 account2 password2 credentials account3 password3 } } route { echo } } } } ``` -------------------------------- ### Caddyfile Example: TLS and IP Matching Source: https://github.com/mholt/caddy-l4/blob/master/docs/routes.md An example Caddyfile configuration demonstrating named matcher sets for TLS SNI and remote IP, and their use in route directives. ```caddyfile # `@tls` matches any connections starting with TLS handshakes. @tls tls ``` ```caddyfile # `@gd` matches any connections starting with TLS handshakes # with SNI equal to gamma.example.com or delta.example.com # from any IP within 192.168.1.0/24 and 172.28.0.0/16 ranges. @gd { remote_ip 192.168.1.0/24 172.28.0.0/16 tls sni gamma.example.com delta.example.com } ``` ```caddyfile # Any traffic matched with `@gd` is processed here. # Note that `@gd` route is placed above `@tls` route, # otherwise this route would be completely ignored. route @gd { # Everything is proxied to three.machine.local:443. proxy three.machine.local:443 } ``` ```caddyfile # Any traffic matched with `@tls` is processed here. route @tls { # `tls` handler terminates TLS (encrypts/decrypts inner traffic). tls # `subroute` handler routes traffic with another set of routes (recursion). subroute { # `@alpha` and `@beta` match HTTP traffic # to alpha.example.com or beta.example.com. @alpha http host alpha.example.com @beta http host beta.example.com # Any traffic matched with `@alpha` or `@beta` # is proxied to one.machine.local:80. route @alpha @beta { proxy one.machine.local:80 } # Other traffic including non-HTTP is proxied to two.machine.local:80. # Note that `@alpha` and `@beta` traffic is routed above, # othwerwise it would be proxied here as well. route { proxy two.machine.local:80 } } } ``` -------------------------------- ### JSON Example: Multiplexing WireGuard Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/wireguard.md This JSON configuration provides the equivalent setup to the Caddyfile example for multiplexing WireGuard connections. It defines routes for standard and custom WireGuard traffic, along with a default echo handler. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ "udp/:51820" ], "routes": [ { "match": [ { "wireguard": {} } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "udp/wg.machine.local:51820" ] } ] } ] }, { "match": [ { "wireguard": { "zero": 4285988864 } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "udp/wg.machine.local:51821" ] } ] } ] }, { "handle": [ { "handler": "echo" } ] } ] } } } } } ``` -------------------------------- ### SOCKS5 Server JSON Configuration Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/socks5.md The JSON equivalent of the Caddyfile configuration for a SOCKS5 server. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":1080" ], "routes": [ { "match": [ { "socks5": {} } ], "handle": [ { "commands": [ "CONNECT", "ASSOCIATE" ], "credentials": { "account1": "password1", "account2": "password2", "account3": "password3" }, "handler": "socks5" } ] }, { "handle": [ { "handler": "echo" } ] } ] } } } } } ``` -------------------------------- ### OpenVPN JSON Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/openvpn.md Example JSON configuration for Caddy to handle OpenVPN traffic. This setup routes OpenVPN connections to a local proxy. ```json { "handle": [ { "handler": "tls" }, { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:8080" ] } ] } ] } ] } } } } ``` -------------------------------- ### Proxying based on Hostname Source: https://github.com/mholt/caddy-l4/blob/master/docs/examples/combining_apps.md Configure Caddy to proxy traffic based on the requested hostname. This example routes all subdomains of 'example.com' to a specific handler. ```json { "match": [ { "host": [ "*.example.com" ] } ], "handle": [ { ``` -------------------------------- ### Layer 4 App with XMPP Routing in JSON Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/xmpp.md The JSON configuration equivalent to the Caddyfile example, demonstrating how to set up Layer 4 routing with an XMPP matcher. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":80" ], "routes": [ { "match": [ { "xmpp": {} } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:5222" ] } ] } ] }, { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:8080" ] } ] } ] } ] } } } } } ``` -------------------------------- ### Caddyfile: Layer 4 App Example with HTTP Matchers Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/http.md An example configuration for the Layer 4 app that proxies HTTP traffic based on host, path, and remote IP criteria. ```caddyfile { layer4 { :80 { # proxy HTTP traffic on TCP port 80 to localhost:8081 # if HTTP host equals `localhost` @a http host localhost route @a { proxy localhost:8081 } # proxy HTTP traffic on TCP port 80 to localhost:8082 # if HTTP host equals `example.com` # and remote IP belongs to 192.168.0.0/16 range @b http { host example.com remote_ip 192.168.0.0/16 } route @b { proxy localhost:8082 } # proxy HTTP traffic on TCP port 80 to localhost:8083 # if HTTP path doesn't equal `/index.html` @c http not path /index.html route @c { proxy localhost:8083 } } } } ``` -------------------------------- ### Caddyfile Example for Multiple Routes Source: https://github.com/mholt/caddy-l4/blob/master/docs/examples/ssh-over-tls.md This Caddyfile configuration handles multiple routes. It sets up TLS for 'b.example.com' with ALPN 'http/1.1', proxies SSH traffic for 'b.example.com' to 'b.machine.local:22', and proxies HTTP traffic for 'b.example.com' to 'b.machine.local:80'. ```json { "apps": { "tls": { "certificates": { "load_paths": ["/etc/ssl/certs/mycert.pem"], "load_keys": ["/etc/ssl/private/mykey.pem"] } } }, "apps": { "http": { "servers": { "default": { "listen": [ ":443" ], "routes": [ { "match": [ { "tls": { "sni": [ "b.example.com" ] } } ], "handle": [ { "connection_policies": [ { "alpn": [ "http/1.1" ] } ], "handler": "tls" }, { "handler": "subroute", "routes": [ { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "b.machine.local:22" ] } ] } ], "match": [ { "ssh": {} } ] }, { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "b.machine.local:80" ] } ] } ], "match": [ { "http": { "host": [ "b.example.com" ] } } ] } ] } ] } ] } } } } } ``` -------------------------------- ### JSON Configuration for Remote IP List Matcher Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/remote_ip_list.md JSON configuration equivalent to the Caddyfile example, demonstrating how to set up the remote_ip_list matcher within a Layer 4 app. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":12345" ], "routes": [ { "match": [ { "remote_ip_list": { "remote_ip_file": "/tmp/remote-ips" } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "f1.machine.local:54321" ] } ] } ] } ] } } } } } ``` -------------------------------- ### Caddyfile Remote IP Matcher Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/remote_ip.md Example Caddyfile configuration for the Layer 4 app using the remote_ip matcher to exclude loopback addresses. ```caddyfile { layer4 { :8080 { @allowed not remote_ip 127.0.0.0/8 ::1 route @allowed { proxy another.machine.local:80 } } } } ``` -------------------------------- ### Regexp Matcher Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/regexp.md This JSON configuration shows how to use the regexp matcher to define routes. It includes examples with different patterns and optional count parameters. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":12345" ], "routes": [ { "match": [ { "regexp": { "pattern": "\\d+" } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "r1.machine.local:10001" ] } ] } ] }, { "match": [ { "regexp": { "count": 6, "pattern": "\\xFF\\xEE\\xDD\\xCC\\xBB\\xAA" } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "r2.machine.local:10001" ] } ] } ] }, { "match": [ { "regexp": { "count": 10, "pattern": "^(b|c|r)at(.*)\\x00\\x00$" } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "r3.machine.local:10001" ] } ] } ] }, { "handle": [ { "handler": "echo" } ] } ] } } } } } ``` -------------------------------- ### Example: Proxy DNS requests for example.com Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/dns.md Proxies plain DNS messages received on TCP port 8053 to one.one.one.one:53 if they match the specified regular expression for example.com. ```caddyfile { layer4 { tcp/:8053 { # proxy to tcp/one.one.one.one:53 # plain DNS messages received on TCP port 8053 # requesting records of any type and any class # for example.com or any of its subdomains @a dns { allow_regexp ^(|[-0-9a-z]+\.)example\.com\.$ default_deny } route @a { proxy tcp/one.one.one.one:53 } # match and terminate TLS on TCP port 8053, then proxy to tcp/one.one.one.one:53 # inner DNS messages requesting records of NS type and any class for example.com # or records of any type and non-IN class for any domain (default action is allow), # otherwise proxy to localhost:80 any inner HTTP traffic @b tls route @b { tls subroute { @c dns { allow example.com. NS deny * * IN prefer_allow } route @c { proxy tcp/one.one.one.one:53 } @d http route @d { proxy localhost:80 } } } } # proxy to udp/one.one.one.one:53 # plain DNS messages received on UDP port 53 # requesting records of MX or NS type and any class for any domain udp/:53 { @d dns { deny_regexp * ^(MX|NS)$ } route @d { proxy udp/one.one.one.one:53 } } } } # put here other relevant config blocks to let Caddy know # where certificates should come from for TLS termination ``` -------------------------------- ### Tee Handler JSON Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/tee.md JSON configuration equivalent to the Caddyfile example, demonstrating how to set up the tee handler for concurrent proxying in a Layer 4 application. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ "0.0.0.0:443" ], "routes": [ { "match": [ { "not": [ { "remote_ip": { "ranges": [ "192.168.0.0/16" ] } } ] } ], "handle": [ { "branch": [ { "handler": "proxy", "upstreams": [ { "dial": [ "primary.machine.local:443" ] } ] }, { "handler": "proxy", "upstreams": [ { "dial": [ "secondary.machine.local:443" ] } ] } ], "handler": "tee" } ] }, { "handle": [ { "handler": "echo" } ] } ] } } } } } ``` -------------------------------- ### Layer 4 App with Proxy Protocol Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/proxy_protocol.md An example configuration for the Layer 4 app that proxies connections on TCP ports 8080 and 8081, utilizing the Proxy Protocol handler with specific configurations for IP ranges, fallback policy, and timeouts. ```caddyfile { layer4 { 0.0.0.0:8080 { route { proxy_protocol { allow 10.0.0.0/8 deny 10.0.1.0/24 fallback_policy REJECT timeout 5s } proxy 10.0.0.1:8080 } } 0.0.0.0:8081 { route { proxy_protocol { allow 10.0.0.0/8 192.168.0.0/16 timeout 3s } proxy 192.168.0.1:8080 } } } } ``` -------------------------------- ### JSON Remote IP Matcher Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/remote_ip.md JSON configuration equivalent to the Caddyfile example, demonstrating how to use the remote_ip matcher within the layer4 app. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":8080" ], "routes": [ { "match": [ { "not": [ { "remote_ip": { "ranges": [ "127.0.0.0/8", "::1" ] } } ] } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "another.machine.local:80" ] } ] } ] } ] } } } } } ``` -------------------------------- ### Caddyfile Vars Regexp Matcher Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/vars_regexp.md This example demonstrates how to use the vars_regexp matcher in Caddyfile to conditionally proxy traffic based on TLS cipher suite negotiation. It matches AES in GCM mode and proxies to a specific backend, otherwise using a fallback. ```caddyfile { layer4 { tcp/:4443 { route { tls subroute { @aes_gcm vars_regexp aes_gcm {l4.tls.cipher_suite} ^TLS_([_A-Z]?)AES_(?\d+)_GCM_SHA(?\d+)$ route @aes_gcm { proxy { upstream tcp/aes{l4.regexp.aes_gcm.key}gcm{l4.regexp.aes_gcm.hash}.backend.local:443 { tls_insecure_skip_verify } } } route { proxy { upstream tcp/fallback.backend.local:443 { tls_insecure_skip_verify } } } } } } } } *.example.com { respond "OK" 200 } ``` -------------------------------- ### Caddyfile: Basic Echo Server Source: https://github.com/mholt/caddy-l4/blob/master/docs/examples/echo_server.md Configures a basic echo server listening on TCP ports 5000 for IPv4 and IPv6 loopback interfaces. Requires no special setup. ```caddyfile { layer4 { # a simple echo server # listening on TCP port 5000 # of the loopback interface # with dual stack support 127.0.0.1:5000 [::1]:5000 { route { echo } } # a simple echo server with TLS termination # listening on TCP port 5001 # of the loopback interface # with dual stack support 127.0.0.1:5001 [::1]:5001 { route { tls echo } } } } # use the internal issuer # to obtain SSL certificates # for TLS termination on port 5001, # also serve HTTPS on port 443 localhost { tls { issuer internal } respond "OK" 200 } ``` -------------------------------- ### Subroute TLS Traffic Matching Example Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/subroute.md Illustrates how to use the subroute handler to match and route TLS traffic based on SNI values for different subdomains. ```caddyfile { layer4 { :443 { @tls tls route @tls { subroute { @abc tls sni abc.example.com route @abc { proxy abc.machine.local:443 } @def tls sni def.example.com @ghi tls sni ghi.example.com route @def @ghi { proxy defghi.machine.local:443 } } } route { echo } } } } ``` -------------------------------- ### HTTP Server Configuration with mTLS Source: https://github.com/mholt/caddy-l4/blob/master/docs/examples/mutual_tls.md Configure an HTTP server to use Mutual TLS for specific hostnames. This example shows how to match SNI and select certificates, and also includes a fallback policy. ```json { "apps": { "http": { "servers": { "srv0": { "listen": [ ":443" ], "routes": [ { "match": [ { "host": [ "example.com" ] } ], "handle": [ { "handler": "subroute", "routes": [ { "handle": [ { "body": "OK", "handler": "static_response", "status_code": 200 } ] } ] } ], "terminal": true }, { "match": [ { "host": [ "localhost" ] } ], "handle": [ { "handler": "subroute", "routes": [ { "handle": [ { "body": "OK", "handler": "static_response", "status_code": 200 } ] } ] } ], "terminal": true } ], "tls_connection_policies": [ { "match": { "sni": [ "example.com" ] }, "certificate_selection": { "any_tag": [ "cert0" ] } }, {} ], "automatic_https": { "disable_redirects": true } }, "srv1": { "listen": [ ":80" ], "routes": [ { "handle": [ { "body": "INSECURE", "handler": "static_response", "status_code": 200 } ] } ], "automatic_https": { "disable_redirects": true } } } }, "layer4": { "servers": { "srv0": { "listen": [ "tcp/:1443" ], "routes": [ { "handle": [ { "connection_policies": [ { "alpn": [ "http/1.1" ], "client_authentication": { "ca": { "pem_files": [ "path/to/ca.crt" ], "provider": "file" }, ``` -------------------------------- ### Route Proxy Protocol Traffic on TCP Port 443 (JSON) Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/proxy_protocol.md This JSON configuration demonstrates how to achieve the same routing as the Caddyfile example, matching Proxy Protocol traffic on TCP port 443 and proxying it to a specific upstream, with a fallback. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":443" ], "routes": [ { "match": [ { "proxy_protocol": {} } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "haproxy.machine.local:443" ] } ] } ] }, { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "fallback.machine.local:443" ] } ] } ] } ] } } } } } ``` -------------------------------- ### Winbox Matcher Configuration - JSON Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/winbox.md This JSON configuration demonstrates how to use the Winbox matcher to route traffic based on specific Winbox connection details. It includes examples for matching a specific username and modes, and for matching usernames using a regular expression. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":443" ], "routes": [ { "match": [ { "winbox": { "modes": [ "standard", "romon" ], "username": "toms" } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "192.168.0.1:8291" ] } ] } ] }, { "match": [ { "winbox": { "modes": [ "standard" ], "username_regexp": "^andris|edgars|juris$" } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "192.168.0.2:8291" ] } ] } ] }, { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "192.168.0.3:443" ] } ] } ] } ] } } } } } ``` -------------------------------- ### JSON Configuration for HTTP Matchers Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/http.md This JSON configuration demonstrates how to set up HTTP matchers for routing. It includes examples of matching based on path, host, and remote IP address. Ensure this configuration is part of a valid Caddy JSON structure. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ ":80" ], "routes": [ { "match": [ { "http": [ { "not": [ { "path": [ "/index.html" ] } ] } ] } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:8083" ] } ] } ] }, { "match": [ { "http": [ { "host": [ "localhost" ] } ] } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:8081" ] } ] } ] }, { "match": [ { "http": [ { "host": [ "example.com" ], "remote_ip": { "ranges": [ "192.168.0.0/16" ] } } ] } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:8082" ] } ] } ] } ] } } } } } ``` -------------------------------- ### Basic HTTP Server Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/examples/ssh-over-tls.md This configuration sets up a basic HTTP server that responds with 'OK' to any request. It's useful for testing or as a fallback. ```json { "apps":{ "http":{ "servers":{ "srv0":{ "listen":[ ":1443" ], "routes":[ { "match":[ { "host":[ "*.example.com" ] } ], "handle":[ { "handler":"subroute", "routes":[ { "handle":[ { "body":"OK", "handler":"static_response", "status_code":200 } ] } ] } ], "terminal":true } ] }, "srv1":{ "listen":[ ":80" ], "routes":[ { "handle":[ { "body":"OK", "handler":"static_response", "status_code":200 } ] } ] } } }, "layer4":{ "servers":{ "srv0":{ "listen":[ ":443" ], "routes":[ { "match":[ { "tls":{ "sni":[ "a.example.com" ] } } ], "handle":[ { "connection_policies":[ { "alpn":[ "http/1.1" ] } ], "handler":"tls" }, { "handler":"subroute", "routes":[ { "handle":[ { "handler":"proxy", "upstreams":[ { "dial":[ "a.machine.local:22" ] } ] } ], "match":[ { "ssh":{ } } ] }, { "handle":[ { "handler":"proxy", "upstreams":[ { "dial":[ "a.machine.local:80" ] } ] } ] } ] } ] } ] } } } } } ``` -------------------------------- ### Tee Handler Caddyfile Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/tee.md Example Caddyfile configuration for the tee handler within a Layer 4 app. This setup proxies external TCP4 connections on port 443 to two different machines concurrently. ```caddyfile { layer4 { 0.0.0.0:443 { @external not remote_ip 192.168.0.0/16 route @external { tee { proxy primary.machine.local:443 proxy secondary.machine.local:443 } } route { echo } } } } ``` -------------------------------- ### TLS Handler Configuration for beta.example.com Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/tls.md Configures TLS handling for 'beta.example.com' with ALPN 'h2'. It specifies certificate selection by serial number and uses the 'secp256r1' curve. This is followed by a proxy handler to 'beta.machine.local:80'. ```json { "match": [ { "tls": { "alpn": [ "h2" ], "sni": [ "beta.example.com" ] } } ], "handle": [ { "connection_policies": [ { "certificate_selection": { "serial_number": [ "123456789012" ] }, "curves": [ "secp256r1" ] } ], "handler": "tls" }, { "handler": "proxy", "upstreams": [ { "dial": [ "beta.machine.local:80" ] } ] } ] } ``` -------------------------------- ### Caddyfile Example: Multiplexing WinBox Traffic Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/winbox.md An example Caddyfile configuration for the layer4 app that multiplexes WinBox traffic on TCP port 443, routing based on modes and usernames. ```caddyfile { layer4 { :443 { # proxy to 192.168.0.1:8291 # any WinBox traffic if it has # `standard` or `romon` mode # and `toms` username @w1 winbox { modes standard romon username toms } route @w1 { proxy 192.168.0.1:8291 } # proxy to 192.168.0.2:8291 # any WinBox traffic if it has # `standard` mode and # `andris`, `edgars` or `juris` username @w2 winbox { modes standard username_regexp ^andris|edgars|juris$ } route @w2 { proxy 192.168.0.2:8291 } # otherwise proxy to 192.168.0.3:443 route { proxy 192.168.0.3:443 } } } } ``` -------------------------------- ### Caddyfile Proxy Handler Shortcuts (1 Upstream) Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/proxy.md Demonstrates three equivalent ways to configure a single upstream using Caddyfile proxy syntax: short, mid-length, and long. ```caddyfile # handlers 1, 2 and 3 do the same: # 1 - the short syntax for 1 upstream proxy 192.168.0.1:8080 ``` ```caddyfile # 2 - the mid-length syntax for 1 upstream proxy { upstream 192.168.0.1:8080 } ``` ```caddyfile # 3 - the long syntax for 1 upstream proxy { upstream { dial 192.168.0.1:8080 } } ``` -------------------------------- ### Caddyfile Example: Proxying Loopback Connections Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/local_ip.md An example Caddyfile configuration for the Layer 4 app that proxies TCP connections on port 8080 to another machine, restricted to local IP addresses. ```caddyfile { layer4 { :8080 { @allowed local_ip 127.0.0.0/8 ::1 route @allowed { proxy another.machine.local:80 } } } } ``` -------------------------------- ### Caddyfile Syntax for WinBox Matcher Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/winbox.md Demonstrates the basic syntax for using the winbox matcher in a Caddyfile, including matching any WinBox traffic or specifying modes and usernames. ```caddyfile winbox ``` ```caddyfile winbox { modes [<...>] username # or username_regexp } ``` -------------------------------- ### HTTP Server Configuration (JSON) Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/tls.md JSON configuration for an HTTP server, demonstrating basic routing with a static response. ```json { "apps": { "http": { "servers": { "srv0": { "listen": [ ":443" ], "routes": [ { "match": [ { "host": [ "*.example.com" ] } ], "handle": [ { "handler": "subroute", "routes": [ { "handle": [ { "body": "OK", "handler": "static_response", "status_code": 200 } ] } ] } ], "terminal": true } ] } } }, "layer4": { "servers": { "srv0": { "listen": [ ":4443" ], "routes": [ { "match": [ { "tls": { "alpn": [ "http/1.0", "http/1.1" ] } } ], "handle": [ { "handler": "tls" }, { "handler": "subroute", "routes": [ { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "alpha.machine.local:80" ] } ] } ], "match": [ { "http": [ { "host": [ "alpha.example.com" ] } ] } ] }, { "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "beta.machine.local:80" ] } ] } ], "match": [ { "http": [ { "host": [ ``` -------------------------------- ### Basic DNS Matcher Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/dns.md Use the bare `dns` directive to match any DNS traffic. This is the simplest way to enable DNS matching. ```caddyfile dns ``` -------------------------------- ### Caddyfile Example: Throttle Layer 4 Connections Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/throttle.md An example Caddyfile configuration for the Layer 4 app that throttles incoming TCP connections on port 80 and proxies them to localhost:8080. This configures both per-connection and total read limits, burst sizes, and an initial latency. ```caddyfile { layer4 { :80 { route { throttle { read_bytes_per_second 100000 total_read_bytes_per_second 500000 read_burst_size 20000 total_read_burst_size 100000 latency 2s } proxy localhost:8080 } } } } ``` -------------------------------- ### Caddyfile Configuration for Mixed HTTP/HTTPS Source: https://github.com/mholt/caddy-l4/blob/master/docs/examples/http_and_https_mix.md This configuration shows how to set up Caddy to listen on port 80 for HTTP and port 443 for HTTPS. It routes HTTP traffic for 'example.com' to 'localhost:80' and HTTPS traffic for 'example.com' to 'localhost:443'. It also includes a separate configuration for 'srv1' listening on port 6000. ```json { "apps": { "http": { "servers": { "main": { "listen": [ ":80" ], "routes": [ { "match": [ { "http": { "host": [ "example.com" ] } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:80" ] } ] } ] }, { "match": [ { "tls": { "sni": [ "example.com" ] } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:443" ] } ] } ] } ] }, "srv1": { "listen": [ ":6000" ], "routes": [ { "match": [ { "http": { "host": [ "example.com" ] } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:80" ] } ] } ] }, { "match": [ { "tls": { "sni": [ "example.com" ] } } ], "handle": [ { "handler": "proxy", "upstreams": [ { "dial": [ "localhost:443" ] } ] } ] } ] } } }, "tls": { "automation": { "policies": [ { "subjects": [ "example.com" ] }, { "subjects": [ "localhost" ], "issuers": [ { "module": "internal" } ] } ] } } } } ``` -------------------------------- ### Caddyfile Proxy Handler Shortcuts (2 Upstreams) Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/proxy.md Illustrates three equivalent methods for configuring two upstreams with Caddyfile proxy syntax: short, mid-length, and long. ```caddyfile # handlers 4, 5 and 6 do the same: # 4 - the short syntax for 2 upstreams proxy 192.168.0.1:8080 192.168.0.2:8080 ``` ```caddyfile # 5 - the mid-length syntax for 2 upstreams proxy { upstream 192.168.0.1:8080 upstream 192.168.0.2:8080 } ``` ```caddyfile # 6 - the long syntax for 2 upstreams proxy { upstream { dial 192.168.0.1:8080 } upstream { dial 192.168.0.2:8080 } } ``` -------------------------------- ### Configuring Proxy Protocol with Options Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/proxy_protocol.md Configure the Proxy Protocol handler with specific options for IP allow/deny lists, fallback policies, and timeouts. This allows fine-grained control over which clients can send PROXY headers and how to handle connections that do not conform. ```caddyfile proxy_protocol { allow deny fallback_policy timeout } ``` -------------------------------- ### Echo Handler JSON Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/echo.md The JSON configuration equivalent to the Caddyfile example, setting up a Layer 4 app with an echo handler on TCP port 8888. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ "0.0.0.0:8888" ], "routes": [ { "handle": [ { "handler": "echo" } ] } ] } } } } } ``` -------------------------------- ### Close Handler in Layer 4 App (JSON) Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/close.md JSON configuration equivalent to the Caddyfile example, demonstrating how to configure the Close handler for the Layer 4 app. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ "0.0.0.0:8888" ], "routes": [ { "handle": [ { "handler": "close" } ] } ] } } } } } ``` -------------------------------- ### Basic Postgres Matcher Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/postgres.md Use the bare `postgres` directive to match any Postgres traffic. This is useful for simple routing scenarios. ```caddyfile postgres ``` -------------------------------- ### Proxy Protocol Handler JSON Configuration Source: https://github.com/mholt/caddy-l4/blob/master/docs/handlers/proxy_protocol.md Configure the proxy protocol handler with allow/deny lists and a fallback policy. This example also includes a subsequent proxy handler. ```json { "apps": { "layer4": { "servers": { "srv0": { "listen": [ "0.0.0.0:8080" ], "routes": [ { "handle": [ { "allow": [ "10.0.0.0/8" ], "deny": [ "10.0.1.0/24" ], "fallback_policy": "REJECT", "handler": "proxy_protocol", "timeout": 5000000000 }, { "handler": "proxy", "upstreams": [ { "dial": [ "10.0.0.1:8080" ] } ] } ] } ] }, "srv1": { "listen": [ "0.0.0.0:8081" ], "routes": [ { "handle": [ { "allow": [ "10.0.0.0/8", "192.168.0.0/16" ], "handler": "proxy_protocol", "timeout": 3000000000 }, { "handler": "proxy", "upstreams": [ { "dial": [ "192.168.0.1:8080" ] } ] } ] } ] } } } } } ``` -------------------------------- ### Basic RDP Matcher Source: https://github.com/mholt/caddy-l4/blob/master/docs/matchers/rdp.md Use the bare `rdp` directive to match any RDP traffic. ```caddyfile rdp ```