Behind Caddy
Run Drip behind Caddy with automatic TLS certificate management.
Overview
Caddy automatically obtains and renews SSL certificates, making it the easiest reverse proxy option. This guide uses system-installed Caddy via apt.
> Important: When tls_enabled: false, drip-server runs in plain TCP mode and MUST be placed behind a reverse proxy (Caddy, Nginx, etc.) that handles TLS termination. Never expose plain TCP mode directly to the internet.
Step 1: Install Caddy
Install Caddy with Cloudflare DNS plugin support:

```bash
# Install dependencies
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
# Add Caddy GPG key
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
# Add Caddy repository
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
# Install Caddy
sudo apt update && sudo apt install caddy
```

For wildcard certificates with the Cloudflare DNS challenge, build Caddy with the DNS plugin:

```bash
# Install xcaddy
sudo apt install -y golang-go
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
# Build Caddy with Cloudflare DNS plugin (writes a `caddy` binary to the current directory)
~/go/bin/xcaddy build --with github.com/caddy-dns/cloudflare
# Replace system Caddy
sudo mv caddy /usr/bin/caddy
sudo systemctl restart caddy
```

Step 2: Create Drip Server Config
Create /etc/drip/config.yaml:

```yaml
port: 8443
domain: tunnel.example.com
tls_enabled: false
public_port: 443
token: YOUR_SECRET_TOKEN
tcp_port_min: 20000
tcp_port_max: 20100
metrics_token: YOUR_METRICS_TOKEN
```

Note: tls_enabled: false means Drip runs in plain TCP mode, letting Caddy handle TLS.
Step 3: Configure Caddy
Edit /etc/caddy/Caddyfile:

```
{
    email your-email@example.com
}

tunnel.example.com, *.tunnel.example.com {
    tls {
        dns cloudflare YOUR_CF_API_TOKEN
    }
    reverse_proxy localhost:8443 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        flush_interval -1
    }
}
```

Or without the Cloudflare DNS challenge (HTTP challenge, requires ports 80/443 open):

```
{
    email your-email@example.com
}

tunnel.example.com, *.tunnel.example.com {
    reverse_proxy localhost:8443 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        flush_interval -1
    }
}
```

Step 4: Get Cloudflare API Token
For wildcard certificates, you need the DNS challenge. Get a Cloudflare API token:
- Go to Cloudflare Dashboard → My Profile → API Tokens
- Create Token → Edit zone DNS template
- Set permissions: Zone - DNS - Edit
- Include specific zone: your domain
- Copy the token to your Caddyfile
Step 5: Start Services
```bash
# Reload Caddy configuration
sudo systemctl reload caddy
# Start Drip server (or use systemd service)
sudo systemctl start drip-server
```

Advantages of Caddy
| Feature | Caddy | Manual Certbot |
|---|---|---|
| Certificate renewal | Automatic | Manual/cron |
| Wildcard certs | Built-in DNS challenge | Requires manual DNS |
| Configuration | Simple Caddyfile | Complex nginx.conf |
| HTTPS redirect | Automatic | Manual config |
| HTTP/2 & HTTP/3 | Automatic | Manual config |
Verify Setup
```bash
# Check Caddy status
sudo systemctl status caddy
# Check Caddy logs
sudo journalctl -u caddy -f
# Test health endpoint
curl https://tunnel.example.com/health
```
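Before starting the services it is worth confirming that the two files from Steps 2 and 3 agree: plain TCP mode only makes sense when Caddy's reverse_proxy targets the Drip port, placeholder tokens must not survive into production, and a wildcard site address needs the DNS challenge. The following pre-flight check is an added example, not part of Drip or Caddy; it assumes the flat `key: value` config layout shown on this page and uses constructed sample inputs.

```python
import re

# Placeholders from the configs on this page that must not reach production.
PLACEHOLDERS = {"YOUR_SECRET_TOKEN", "YOUR_METRICS_TOKEN", "YOUR_CF_API_TOKEN"}


def parse_flat_yaml(text):
    """Parse the flat `key: value` layout used by /etc/drip/config.yaml."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def check_deployment(drip_yaml, caddyfile):
    """Return a list of problems; an empty list means the pair is consistent."""
    cfg = parse_flat_yaml(drip_yaml)
    problems = []
    if cfg.get("tls_enabled", "true").lower() == "false":
        # Plain TCP mode: Caddy must terminate TLS and forward to the Drip port.
        expected = "localhost:" + cfg.get("port", "")
        upstreams = re.findall(r"reverse_proxy\s+(\S+)", caddyfile)
        if expected not in upstreams:
            problems.append("no reverse_proxy targets " + expected)
        if cfg.get("public_port") != "443":
            problems.append("public_port should be 443 behind Caddy")
    for key in ("token", "metrics_token"):
        if not cfg.get(key) or cfg[key] in PLACEHOLDERS:
            problems.append(key + " is unset or still a placeholder")
    # A wildcard site address needs the DNS challenge; the HTTP challenge cannot issue it.
    if re.search(r"\*\.\S+\s*\{", caddyfile) and not re.search(r"\bdns\s+\w+", caddyfile):
        problems.append("wildcard site address without a dns challenge")
    for m in re.finditer(r"dns\s+cloudflare\s+(\S+)", caddyfile):
        if m.group(1) in PLACEHOLDERS:
            problems.append("Cloudflare API token placeholder left in Caddyfile")
    return problems


# Constructed sample inputs mirroring the files from Steps 2 and 3 (not real secrets).
SAMPLE_CONFIG = """port: 8443
domain: tunnel.example.com
tls_enabled: false
public_port: 443
token: s3cr3t-constructed
metrics_token: metrics-constructed
"""
SAMPLE_CADDYFILE = """tunnel.example.com, *.tunnel.example.com {
    tls {
        dns cloudflare cf-token-constructed
    }
    reverse_proxy localhost:8443 {
        flush_interval -1
    }
}
"""
```

Run `check_deployment(open("/etc/drip/config.yaml").read(), open("/etc/caddy/Caddyfile").read())` on the real files and refuse to start drip-server while the list is non-empty.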