Control Every Edge.
-The modern web interface for Caddy Server. WAF protection, automatic HTTPS, geo blocking, L4 TCP/UDP proxying, traffic analytics, instance sync, and a full audit trail. All in one place.
+The modern web interface for Caddy Server. WAF protection, automatic HTTPS, mTLS, forward auth, geo blocking, L4 TCP/UDP proxying, traffic analytics, a full REST API, and a complete audit trail. All in one place.
Reverse Proxy
-Configure multiple upstreams, load balancing, custom headers, and per-host enable/disable with a clean editor.
+Multiple upstreams, load balancing (8 policies), health checks, custom headers, location rules, redirects, rewrites, and upstream DNS pinning.
L4 TCP/UDP Proxy
Layer 4 stream proxying for TCP and UDP. TLS SNI matching, proxy protocol, health checks, and geo blocking at the transport layer.
Forward Auth Portal
+Built-in identity provider for protecting apps without an external IdP. Credential and OAuth login, user groups, and per-host access control.
+WAF
@@ -96,23 +101,33 @@Auto HTTPS & CA
-Automatic TLS via Caddy ACME with Let's Encrypt and Cloudflare DNS-01. Built-in CA for issuing internal client certificates.
+Auto HTTPS & mTLS
+Automatic TLS via ACME with Let's Encrypt and Cloudflare DNS-01. Built-in CA for mutual TLS with role-based path access control.
Traffic Analytics
-Live request charts, country heatmap, top user agents, and blocked request log across any time range.
+Live request charts, protocol breakdown, country heatmap, top user agents, and blocked request log powered by ClickHouse.
Geo Blocking
-Block or allow by country, continent, ASN, CIDR, or exact IP per host, with priority allow-override rules.
+Block or allow by country, continent, ASN, CIDR, or exact IP per host, with priority allow-override rules and fail-closed mode.
+REST API
+Full REST API under /api/v1/ with Bearer token auth, API token management, and interactive OpenAPI 3.1.0 docs at /api-docs.
Access Control
-HTTP basic auth lists or full OAuth2/OIDC SSO via Authentik, Keycloak, Auth0, and any OIDC provider.
+HTTP basic auth, forward auth with user groups, mTLS RBAC with path-based rules, and three-tier user roles (Viewer, User, Admin).
+OAuth / SSO
+OAuth2/OIDC authentication with any compliant provider — Authentik, Keycloak, Auth0, and more. Account linking from the Profile page.
Audit Log
-Every configuration change is tracked and full-text searchable. See who did what and when.
+Every configuration change is tracked with user attribution and full-text search. Dark mode, mobile UI, and search across all views.
See every request,
in real time.
- Charts, country heatmaps, user agent breakdowns, and a paginated blocked-request log. Filter by host or pick any time range from the last hour to 30 days.
+Charts, protocol breakdown, country heatmaps, user agent breakdowns, and a paginated blocked-request log. Filter by host or pick any time range — all powered by ClickHouse with 90-day retention.
@@ -174,7 +189,7 @@
Every option,
without the YAML.
- The host editor exposes load balancing policies, Authentik forward auth, custom DNS resolvers, upstream DNS pinning, geo blocking rules, and HSTS all from a single form.
+The host editor exposes load balancing policies, forward auth, location rules, redirects, DNS pinning, geo blocking, mTLS, and WAF settings all from a single form.
@@ -195,6 +210,32 @@
Protect any app,
no external IdP.
+ The built-in forward auth portal redirects unauthenticated visitors to a login page, issues session cookies, and validates every request. Organise users into groups and control access per host — or bring your own OAuth provider.
+
+ Full REST API,
fully documented.
+ Manage every resource programmatically through /api/v1/ with Bearer token authentication. Interactive OpenAPI 3.1.0 docs at /api-docs, API token management with optional expiration, and three-tier role-based access.
+