Reverse Proxy
dockmesh ships with an optional embedded Caddy instance. When enabled, it runs as a regular container owned by dockmesh (not one of your stacks), bound to ports 80 and 443, and handles TLS termination via Let’s Encrypt for any hostname you route through it.
The proxy is off by default because plenty of users already run Traefik, nginx, Caddy-in-a-stack, or a cloud load balancer. Enable it only if you want dockmesh to manage the reverse proxy for you.
Enabling
Proxy (top-level sidebar entry) → toggle Enable proxy.
dockmesh spins up the Caddy container (labelled dockmesh.system=proxy), binds it to :80 and :443, and starts listening. The proxy page shows the enable state and the routes table; the underlying container shows up in the regular Containers view if you want to inspect it. Internally dockmesh reaches Caddy’s admin API at 127.0.0.1:2019 to push config reloads.
Port 80 must reach the server from the public internet for ACME HTTP-01 to work; open your firewall accordingly.
Adding a route
Proxy → New route opens a small modal with three fields:
| Field | Example |
|---|---|
| Host | analytics.example.com |
| Upstream | analytics_web:80 (service name + port, or any hostname:port reachable from the proxy container) |
| TLS mode | auto · internal · none |
TLS modes:
- auto — Caddy obtains a cert from Let’s Encrypt via ACME HTTP-01. Default. Requires the hostname to resolve to this server and port 80 to be reachable.
- internal — Caddy generates a self-signed cert from its own internal CA. Useful for internal services where a public cert isn’t needed.
- none — HTTP only, no TLS.
On save, dockmesh writes the route to the database and reloads Caddy. It takes ~30 seconds for Let’s Encrypt to issue a cert for a brand-new hostname; the first request may see a 502 during that window.
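To make the route-to-proxy translation concrete, here is an added example (not dockmesh’s own code) that builds a Caddy JSON config from route records with the same three fields (host, upstream, TLS mode) and pushes it to the admin API endpoint the page mentions (127.0.0.1:2019). The JSON layout follows Caddy’s documented config structure: `auto` leaves the host on Caddy’s default ACME issuer, `internal` pins the host to Caddy’s internal CA, and `none` lists the host under `automatic_https.skip` so it is served over plain HTTP. The sample routes and the server name `dockmesh` are constructed for illustration.

```python
"""Build a Caddy JSON config from dockmesh-style route records and push it
to Caddy's admin API. Added example, not dockmesh's implementation.
The admin endpoint is the one described on the page; the JSON layout is
Caddy's standard config structure."""
import json
import urllib.request

ADMIN_LOAD_URL = "http://127.0.0.1:2019/load"  # Caddy admin API "load" endpoint

# Constructed sample routes mirroring the three fields in the New route modal.
ROUTES = [
    {"host": "analytics.example.com", "upstream": "analytics_web:80", "tls": "auto"},
    {"host": "grafana.internal.lan", "upstream": "grafana:3000", "tls": "internal"},
    {"host": "legacy.example.com", "upstream": "legacy_app:8080", "tls": "none"},
]


def build_caddy_config(routes):
    """Translate route records into a complete Caddy JSON config.

    One HTTP server bound to :80 and :443, one host-matched reverse_proxy
    route per record, and TLS handled per mode:
      auto     -> left to Caddy's default ACME issuer (HTTP-01)
      internal -> a TLS automation policy using Caddy's internal CA
      none     -> host excluded from automatic HTTPS (plain HTTP only)
    Unknown modes are rejected rather than silently falling back to auto.
    """
    http_routes = []
    skip_https = []
    tls_policies = []
    for r in routes:
        mode = r["tls"]
        if mode not in ("auto", "internal", "none"):
            raise ValueError(f"unknown TLS mode {mode!r} for host {r['host']}")
        http_routes.append({
            "match": [{"host": [r["host"]]}],
            "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{"dial": r["upstream"]}],
            }],
            "terminal": True,
        })
        if mode == "internal":
            tls_policies.append({
                "subjects": [r["host"]],
                "issuers": [{"module": "internal"}],
            })
        elif mode == "none":
            skip_https.append(r["host"])

    config = {
        "apps": {
            "http": {
                "servers": {
                    "dockmesh": {  # constructed server name
                        "listen": [":80", ":443"],
                        "routes": http_routes,
                        "automatic_https": {"skip": skip_https},
                    }
                }
            }
        }
    }
    if tls_policies:
        config["apps"]["tls"] = {"automation": {"policies": tls_policies}}
    return config


def push_config(config, url=ADMIN_LOAD_URL, timeout=5):
    """POST the full config to Caddy's /load endpoint. Caddy validates the
    config and swaps it in atomically; a 200 status means it was applied."""
    body = json.dumps(config).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    cfg = build_caddy_config(ROUTES)
    print(json.dumps(cfg, indent=2))
    # push_config(cfg)  # uncomment on a host where the proxy container is running
```

Because `/load` replaces the whole config, a reload after an edit or delete is just a rebuild from the current route table plus one POST, which is why no container restart is needed. Keep the admin API bound to loopback as the page describes: anyone who can reach it can rewrite every route.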
Editing and removing routes
The routes table on the Proxy page has per-row Edit and Delete buttons. Save / delete reloads the Caddy config automatically via its admin API — no container restart. Bulk-select is not exposed yet; routes are one-at-a-time today.
What’s not in the UI
To keep the surface tight, several things Caddy can do are intentionally left out of the UI:
- No DNS-01 challenge / wildcard certificate configuration. If you need *.example.com, run Caddy yourself or put a different proxy in front.
- No raw Caddyfile editor. Routes are declarative records, not free-form config.
- No access-log viewer. Caddy logs go to stdout in the container; tail them via docker logs on the proxy container.
- No bring-your-own-cert upload. tls = none plus a load balancer terminating TLS upstream is the supported workaround.
If any of these are a blocker for you, the sensible alternative is to disable the embedded proxy and run your own — see the Traefik integration guide.
Not using the embedded proxy?
Disable the toggle. dockmesh stops the Caddy container. Publish your stacks’ ports with the usual compose ports: block and point your external proxy at them. The Traefik and Cloudflare Tunnel integration guides walk through the common patterns.