Docker Dynamic Upstreams for Caddy.
September 8, 2025 ยท View on GitHub
This package implements a docker dynamic upstreams module for Caddy.
Requires Caddy 2+.
Installation
Download from official website or build yourself using xcaddy.
Here is a Dockerfile example.
FROM caddy:<version>-builder AS builder
RUN xcaddy build \
--with github.com/invzhi/caddy-docker-upstreams
FROM caddy:<version>
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Caddyfile Syntax
List all your domain or use On-Demand TLS.
app1.example.com,
app2.example.com,
app3.example.com {
reverse_proxy {
dynamic docker
}
}
Docker Labels
This module requires the Docker Labels to provide the necessary information.
| Label | Description |
|---|---|
com.caddyserver.http.enable | required, should be true |
com.caddyserver.http.network | optional, specify the docker network which caddy connecting through (if it is empty, the first network of container will be specified) |
com.caddyserver.http.upstream.port | required, specify the port |
As well as the labels corresponding to the matcher.
| Label | Matcher | Type |
|---|---|---|
com.caddyserver.http.matchers.protocol | protocol | string |
com.caddyserver.http.matchers.host | host | []string |
com.caddyserver.http.matchers.method | method | []string |
com.caddyserver.http.matchers.path | path | []string |
com.caddyserver.http.matchers.query | query | string |
com.caddyserver.http.matchers.expression | expression | string |
Here is a docker-compose.yml example with vaultwarden.
vaultwarden:
image: vaultwarden/server:${VAULTWARDEN_VERSION:-latest}
restart: unless-stopped
volumes:
- ${VAULTWARDEN_ROOT}:/data
labels:
com.caddyserver.http.enable: true
com.caddyserver.http.upstream.port: 80
com.caddyserver.http.matchers.host: "vaultwarden.example.com bitwarden.example.com"
environment:
DOMAIN: https://vaultwarden.example.com
Docker Client
Environment variables could configure the docker client:
DOCKER_HOSTto set the URL to the docker server.DOCKER_API_VERSIONto set the version of the API to use, leave empty for latest.DOCKER_CERT_PATHto specify the directory from which to load the TLS certificates ("ca.pem", "cert.pem", "key.pem').DOCKER_TLS_VERIFYto enable or disable TLS verification (off by default).