Backend HTTPS for Self-Signed Certificates
Updated 1 month ago
Setup
Via the UI
The toggle sits in the route wizard in Step 2 — Transport, right next to Force HTTPS.
- Create or edit a route
- In Step 2 enable the Backend HTTPS toggle
- Set Target Port (Step 1) to the backend's HTTPS port (e.g. 5001, 8006, 8443)
- Save
Via the API
```bash
# Enable Backend HTTPS
curl -X PUT https://gatecontrol.example.com/api/v1/routes/1 \
  -H "Authorization: Bearer gc_..." \
  -H "Content-Type: application/json" \
  -d '{
    "backend_https": true,
    "target_port": 5001
  }'
```
Important notes
- Only enable when the backend enforces HTTPS. If the backend also accepts HTTP, Backend HTTPS is unnecessary and wastes CPU on the additional TLS handshake.
- `insecure_skip_verify` means: Caddy trusts any certificate — including forged ones. In the VPN context (Caddy → WireGuard peer) this is acceptable since the transport path is already encrypted.
- Backend HTTPS only affects the Caddy → Backend connection. The Client → Caddy connection is configured separately via Force HTTPS.
- If Backend HTTPS is enabled but the backend only accepts HTTP, the connection fails (TLS handshake error).
- Backend HTTPS is only available for HTTP routes. For L4 routes there is the TLS mode (passthrough/terminate).
- For load balancing with Backend HTTPS: all backends of the route must support HTTPS — there is no per-backend configuration.
- For gateway routes the toggle has no effect on the Caddy leg (see section above). If the LAN service speaks HTTPS, this must be configured in the gateway itself.
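A pre-flight check for the notes above, added here as an example and not part of the product's own tooling: it probes the target port without certificate verification (the same trust model as `insecure_skip_verify`), suggests a value for `backend_https`, and reports the certificate's SHA-256 fingerprint. The function names and the result format are assumptions of this example.

```python
import hashlib
import socket
import ssl


def probe_tls(host, port, timeout=3.0):
    """Return the backend certificate's SHA-256 fingerprint, or None if no TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # same trust model as insecure_skip_verify:
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # The DER certificate is available even though it was not verified.
                der = tls.getpeercert(binary_form=True)
                return hashlib.sha256(der).hexdigest()
    except OSError:  # covers ssl.SSLError, refused connections and timeouts
        return None


def probe_plain_http(host, port, timeout=3.0):
    """Return True if the port answers a cleartext HTTP request."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            return sock.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


def recommend(host, port, timeout=3.0):
    """Suggest the backend_https value for a route's target port."""
    fingerprint = probe_tls(host, port, timeout)
    if fingerprint:
        # TLS handshake succeeded: the backend expects HTTPS on this port.
        return {"backend_https": True, "cert_sha256": fingerprint}
    if probe_plain_http(host, port, timeout):
        # Enabling the toggle here would end in a TLS handshake error.
        return {"backend_https": False, "cert_sha256": None}
    return {"backend_https": None, "cert_sha256": None}  # unreachable or not HTTP


if __name__ == "__main__":
    import sys
    print(recommend(sys.argv[1], int(sys.argv[2])))
```

Run it from the host where Caddy runs, with the peer address and target port as arguments, so the probe takes the same path as the proxied traffic. Comparing the printed fingerprint with the one shown on the backend itself is a manual check that the skipped verification does not perform.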
See also
- concepts/routing.md — Full request flow for HTTP routes
- guides/adding-a-route.md — End-to-end route setup
- features/gateway-backend-https.md — HTTPS behind the gateway