Help in using caddy as reverse proxy for LXD API

I’m trying to setup Caddy webserver as a reverse proxy in front of LXD API.

The problem so far seems to be client authentication: Caddy terminates TLS connection, so it wont send the client certificate to LXD backend.

This is a direct connection to LXD (Port 8443, without reverse proxy):

curl -ks --cert ~/lxd.crt | jq .metadata.auth

Note: ~/lxd.crt is a concatenation of client.crt and client.key of my local LXD client, which is already added to the trusted list in the remote server.

And this is using Caddy as reverse proxy:

curl -s --cert ~/lxd.crt | jq .metadata.auth

For reference, this is the output of lxc config show:

  core.https_address: :8443

In Caddy forum they recommend passing the certificate as a HTTP header to the backend. So this is my Caddyfile: {
	reverse_proxy {
		transport http {
			tls_trusted_ca_certs /var/snap/lxd/common/lxd/server.crt
		header_up Client-Cert {tls_client_certificate_der_base64}

But this is not working.

My questions: Is this actually possible?, Does LXD accept the client certificate for authentication as a HTTP header? And if so, which header?

Thank you for your time.

I’m not an expert on this so I could be totally wrong haha, but to my knowledge, LXD has its own self-signed certificate, so I would assume that Caddy is trying to add a certificate on top of LXD’s existing self-signed certificate it uses, which wouldn’t work. I think your best bet would be to change the certificate that LXD uses to a genuine certificate (that you can generate with lets encrypt) instead of using Caddy to get SSL on it.

I’m not an expert either, but I don’t think that’s the problem here.

That’s what I was trying to avoid. But at the end I think that’s my only choice.

I’ve tried reverse proxying with caddy before and that’s the only solution that worked for me