Settings

Configure organization-wide defaults and DNS automation.

{/* ── Instance Sync ── */} } title="Instance Sync" description="Choose whether this instance acts independently, pushes configuration to slave nodes, or pulls configuration from a master." accent={A.sync} >

{instanceSync.modeFromEnv && ( Instance mode is configured via INSTANCE_MODE environment variable and cannot be changed at runtime. )} {instanceModeState?.message && ( )}

Instance mode

{isSlave && (

Master Connection

{instanceSync.tokenFromEnv && ( Sync token is configured via INSTANCE_SYNC_TOKEN environment variable and cannot be changed at runtime. )} {slaveTokenState?.message && ( )} {instanceSync.slave?.hasToken && !instanceSync.tokenFromEnv && ( A master sync token is configured. Leave the token field blank to keep it, or select “Remove existing token” to delete it. )}

Master sync token

Remove existing token

{instanceSync.slave?.lastSyncError ? ( {instanceSync.slave?.lastSyncAt ? `Last sync: ${instanceSync.slave.lastSyncAt} (${instanceSync.slave.lastSyncError})` : "No sync payload has been received yet."} ) : ( {instanceSync.slave?.lastSyncAt ? `Last sync: ${instanceSync.slave.lastSyncAt}` : "No sync payload has been received yet."} )}

)} {isMaster && (

Slave Instances

{slaveInstanceState?.message && ( )}

Instance name

Base URL

Slave API token

{syncState?.message && ( )}

{instanceSync.master?.instances.length === 0 && instanceSync.master?.envInstances.length === 0 && ( No slave instances configured yet. )} {instanceSync.master?.envInstances && instanceSync.master.envInstances.length > 0 && ( <>

Environment-configured (INSTANCE_SLAVES)

{instanceSync.master.envInstances.map((instance, index) => (

{instance.name}

{instance.url}

))} )} {instanceSync.master?.instances && instanceSync.master.instances.length > 0 && (

UI-configured instances

)} {instanceSync.master?.instances.map((instance) => (

{instance.name}

{instance.baseUrl}

{instance.lastSyncAt ? `Last sync: ${instance.lastSyncAt}` : "No sync yet"} {instance.lastSyncError && ( {instance.lastSyncError} )}

))}

)}

{/* ── General ── */} } title="General" accent={A.general} > {/* ── DNS Providers ── */} } title="DNS Providers" description="Configure DNS providers for ACME DNS-01 challenges (required for wildcard certificates). You can add multiple providers and select a default." accent={A.dnsProvider} > {dnsProviderState?.message && ( )} {isSlave && (

setDnsProviderOverride(!!v)} /> Override master settings

)} {/* Configured providers list */} {configuredProviders.length > 0 && (

Configured providers {configuredProviders.map((name) => { const def = dnsProviderDefinitions.find((p) => p.name === name); const isDefault = dnsProvider?.default === name; return (

{def?.displayName ?? name} {isDefault && }

{!isDefault && ( )}

); })} {dnsProvider?.default && ( )}

)} {/* Add / update provider form */}

{configuredProviders.length > 0 ? "Add or update provider" : "Add a provider"}

Provider

{/* Dynamic credential fields */} {selectedProvider && selectedProvider !== "none" && (() => { const providerDef = dnsProviderDefinitions.find((p) => p.name === selectedProvider); if (!providerDef) return null; const isUpdate = configuredProviders.includes(selectedProvider); return (

{providerDef.description && (

{providerDef.description}

)} {providerDef.fields.map((field) => (

{field.label}{field.required ? "" : " (optional)"} {field.description && (

{field.description}

)}

))} {isUpdate && ( Credentials are already configured. Leave fields blank to keep existing values. )} {providerDef.docsUrl && (

Provider documentation

)}

); })()} {isSlave && }

{/* ── DNS Resolvers ── */} } title="DNS Resolvers" description="Configure custom DNS resolvers for ACME DNS-01 challenges. These resolvers will be used to verify DNS records during certificate issuance." accent={A.dns} >

{dnsState?.message && ( )} {isSlave && (

setDnsOverride(!!v)} /> Override master settings

)}

Enable custom DNS resolvers

Primary resolvers

</div>
            <div className="flex flex-col gap-1.5">
              <Label htmlFor="dns-fallbacks" className="text-xs">Fallback resolvers</Label>
              <textarea
                id="dns-fallbacks"
                name="fallbacks"
                placeholder={"8.8.4.4\n1.0.0.1"}
                defaultValue={dns?.fallbacks?.join("\n") ?? ""}
                rows={2}
                disabled={isSlave && !dnsOverride}
                className="flex min-h-[56px] w-full rounded-md border border-input bg-transparent px-3 py-2 text-sm font-mono shadow-sm placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50 resize-none"
              />
            </div>
          </div>
          <div className="flex flex-col gap-1.5">
            <Label htmlFor="dns-timeout" className="text-xs">Query timeout</Label>
            <Input
              id="dns-timeout"
              name="timeout"
              placeholder="5s"
              defaultValue={dns?.timeout ?? ""}
              disabled={isSlave && !dnsOverride}
              className="h-8 text-sm w-32"
            />
            <p className="text-xs text-muted-foreground">e.g. 5s, 10s</p>
          </div>
          <InfoAlert>
            Custom DNS resolvers are useful when your DNS provider has slow propagation or when using split-horizon DNS.
            Common public resolvers: 1.1.1.1 (Cloudflare), 8.8.8.8 (Google), 9.9.9.9 (Quad9).
          </InfoAlert>
          <div className="flex justify-end">
            <Button type="submit" size="sm">Save DNS settings</Button>
          </div>
        </form>
      </SettingSection>

{/* ── Upstream DNS Pinning ── */}
      <SettingSection
        icon={<Pin className="h-4 w-4" />}
        title="Upstream DNS Pinning"
        description="Optionally resolve upstream hostnames at config apply time and pin reverse proxy dials to IP addresses. Avoids runtime DNS churn and lets you force IPv6, IPv4, or both."
        accent={A.upstreamDns}
      >
        <form action={upstreamDnsResolutionFormAction} className="flex flex-col gap-3">
          {upstreamDnsResolutionState?.message && (
            <StatusAlert message={upstreamDnsResolutionState.message} success={upstreamDnsResolutionState.success} />
          )}
          {isSlave && (
            <div className="flex items-center gap-2">
              <Checkbox
                id="udns-override"
                name="overrideEnabled"
                checked={upstreamDnsResolutionOverride}
                onCheckedChange={(v) => setUpstreamDnsResolutionOverride(!!v)}
              />
              <Label htmlFor="udns-override">Override master settings</Label>
            </div>
          )}
          <div className="flex items-center gap-2">
            <Checkbox
              id="udns-enabled"
              name="enabled"
              defaultChecked={upstreamDnsResolution?.enabled ?? false}
              disabled={isSlave && !upstreamDnsResolutionOverride}
            />
            <Label htmlFor="udns-enabled">Enable upstream DNS pinning during config apply</Label>
          </div>
          <div className="flex flex-col gap-1.5">
            <Label htmlFor="udns-family">Address family preference</Label>
            <Select
              name="family"
              defaultValue={upstreamDnsResolution?.family ?? "both"}
              disabled={isSlave && !upstreamDnsResolutionOverride}
            >
              <SelectTrigger id="udns-family" className="w-56">
                <SelectValue />
              </SelectTrigger>
              <SelectContent>
                <SelectItem value="both">Both (Prefer IPv6)</SelectItem>
                <SelectItem value="ipv6">IPv6 only</SelectItem>
                <SelectItem value="ipv4">IPv4 only</SelectItem>
              </SelectContent>
            </Select>
            <p className="text-xs text-muted-foreground">Both resolves AAAA + A with IPv6 preferred ordering.</p>
          </div>
          <InfoAlert>
            Host-level settings can override this default. Resolution happens at config save/reload time and resolved IPs are written into
            Caddy's active config. If one handler has multiple different HTTPS upstream hostnames, HTTPS pinning is skipped for those
            HTTPS upstreams to avoid SNI mismatch.
          </InfoAlert>
          <div className="flex justify-end">
            <Button type="submit" size="sm">Save upstream DNS pinning settings</Button>
          </div>
        </form>
      </SettingSection>

{/* ── Authentik Defaults ── */}
      <SettingSection
        icon={<UserCheck className="h-4 w-4" />}
        title="Authentik Defaults"
        description="Set default Authentik forward authentication values. These will be pre-filled when creating new proxy hosts but can be customized per host."
        accent={A.authentik}
      >
        <form action={authentikFormAction} className="flex flex-col gap-3">
          {authentikState?.message && (
            <StatusAlert message={authentikState.message} success={authentikState.success} />
          )}
          {isSlave && (
            <div className="flex items-center gap-2">
              <Checkbox
                id="authentik-override"
                name="overrideEnabled"
                checked={authentikOverride}
                onCheckedChange={(v) => setAuthentikOverride(!!v)}
              />
              <Label htmlFor="authentik-override">Override master settings</Label>
            </div>
          )}
          <div className="grid grid-cols-1 sm:grid-cols-2 gap-3">
            <div className="flex flex-col gap-1.5">
              <Label htmlFor="outpostDomain">Outpost domain</Label>
              <Input
                id="outpostDomain"
                name="outpostDomain"
                placeholder="outpost.goauthentik.io"
                defaultValue={authentik?.outpostDomain ?? ""}
                required
                disabled={isSlave && !authentikOverride}
                className="h-8 text-sm font-mono"
              />
            </div>
            <div className="flex flex-col gap-1.5">
              <Label htmlFor="outpostUpstream">Outpost upstream</Label>
              <Input
                id="outpostUpstream"
                name="outpostUpstream"
                placeholder="http://authentik-server:9000"
                defaultValue={authentik?.outpostUpstream ?? ""}
                required
                disabled={isSlave && !authentikOverride}
                className="h-8 text-sm font-mono"
              />
            </div>
          </div>
          <div className="flex flex-col gap-1.5">
            <Label htmlFor="authEndpoint">Auth endpoint</Label>
            <Input
              id="authEndpoint"
              name="authEndpoint"
              placeholder="/outpost.goauthentik.io/auth/caddy"
              defaultValue={authentik?.authEndpoint ?? ""}
              disabled={isSlave && !authentikOverride}
              className="h-8 text-sm font-mono"
            />
          </div>
          <div className="flex justify-end">
            <Button type="submit" size="sm">Save Authentik defaults</Button>
          </div>
        </form>
      </SettingSection>

{/* ── Metrics & Monitoring ── */}
      <SettingSection
        icon={<Activity className="h-4 w-4" />}
        title="Metrics & Monitoring"
        description={`Enable Caddy metrics exposure for Prometheus, Grafana, or other observability tools. Metrics will be available at http://caddy:${metrics?.port ?? 9090}/metrics on a dedicated port.`}
        accent={A.metrics}
      >
        <form action={metricsFormAction} className="flex flex-col gap-3">
          {metricsState?.message && (
            <StatusAlert message={metricsState.message} success={metricsState.success} />
          )}
          {isSlave && (
            <div className="flex items-center gap-2">
              <Checkbox
                id="metrics-override"
                name="overrideEnabled"
                checked={metricsOverride}
                onCheckedChange={(v) => setMetricsOverride(!!v)}
              />
              <Label htmlFor="metrics-override">Override master settings</Label>
            </div>
          )}
          <div className="flex items-center gap-2">
            <Checkbox
              id="metrics-enabled"
              name="enabled"
              defaultChecked={metrics?.enabled ?? false}
              disabled={isSlave && !metricsOverride}
            />
            <Label htmlFor="metrics-enabled">Enable metrics endpoint</Label>
          </div>
          <div className="flex flex-col gap-1.5">
            <Label htmlFor="metrics-port">Metrics port</Label>
            <Input
              id="metrics-port"
              name="port"
              type="number"
              defaultValue={metrics?.port ?? 9090}
              disabled={isSlave && !metricsOverride}
              className="h-8 text-sm w-32 font-mono"
            />
            <p className="text-xs text-muted-foreground">Separate from admin API on port 2019.</p>
          </div>
          <InfoAlert>
            After enabling metrics, configure your monitoring tool to scrape http://caddy-proxy-manager-caddy:{metrics?.port ?? 9090}/metrics from within the Docker network.
            To expose metrics externally, add a port mapping like “{metrics?.port ?? 9090}:{metrics?.port ?? 9090}” in docker-compose.yml.
          </InfoAlert>
          <div className="flex justify-end">
            <Button type="submit" size="sm">Save metrics settings</Button>
          </div>
        </form>
      </SettingSection>

{/* ── Access Logging ── */}
      <SettingSection
        icon={<ScrollText className="h-4 w-4" />}
        title="Access Logging"
        description="Enable HTTP access logging to track all requests going through your proxy hosts. Logs are stored in the caddy-logs directory."
        accent={A.logging}
      >
        <form action={loggingFormAction} className="flex flex-col gap-3">
          {loggingState?.message && (
            <StatusAlert message={loggingState.message} success={loggingState.success} />
          )}
          {isSlave && (
            <div className="flex items-center gap-2">
              <Checkbox
                id="logging-override"
                name="overrideEnabled"
                checked={loggingOverride}
                onCheckedChange={(v) => setLoggingOverride(!!v)}
              />
              <Label htmlFor="logging-override">Override master settings</Label>
            </div>
          )}
          <div className="flex items-center gap-2">
            <Checkbox
              id="logging-enabled"
              name="enabled"
              defaultChecked={logging?.enabled ?? false}
              disabled={isSlave && !loggingOverride}
            />
            <Label htmlFor="logging-enabled">Enable access logging</Label>
          </div>
          <div className="flex flex-col gap-1.5">
            <Label htmlFor="logging-format">Log format</Label>
            <Select
              name="format"
              defaultValue={logging?.format ?? "json"}
              disabled={isSlave && !loggingOverride}
            >
              <SelectTrigger id="logging-format" className="w-56">
                <SelectValue />
              </SelectTrigger>
              <SelectContent>
                <SelectItem value="json">JSON</SelectItem>
                <SelectItem value="console">Console (Common Log Format)</SelectItem>
              </SelectContent>
            </Select>
          </div>
          <InfoAlert>
            Access logs are stored in the caddy-logs Docker volume.
            View with: <code className="text-xs font-mono">docker exec caddy-proxy-manager-caddy tail -f /logs/access.log</code>
          </InfoAlert>
          <div className="flex justify-end">
            <Button type="submit" size="sm">Save logging settings</Button>
          </div>
        </form>
      </SettingSection>

{/* ── Global Geoblocking ── */}
      <SettingSection
        icon={<MapPin className="h-4 w-4" />}
        title="Global Geoblocking"
        description="Configure default geoblocking rules applied to all proxy hosts. Per-host rules can merge with or override these global defaults."
        accent={A.geoblock}
      >
        <form action={geoBlockFormAction} className="flex flex-col gap-3">
          {geoBlockState?.message && (
            <StatusAlert message={geoBlockState.message} success={geoBlockState.success} />
          )}
          <GeoBlockFields
            initialValues={{ geoblock: globalGeoBlock ?? null, geoblock_mode: "merge" }}
            showModeSelector={false}
          />
          <div className="flex justify-end">
            <Button type="submit" size="sm">Save geoblocking settings</Button>
          </div>
        </form>
      </SettingSection>

{/* ── OAuth Providers ── */}
      <SettingSection
        icon={<KeyRound className="h-4 w-4" />}
        title="OAuth Providers"
        description="Configure OAuth/OIDC providers for single sign-on. Users can log in via these providers in addition to local credentials."
        accent={A.oauth}
      >
        <OAuthProvidersSection initialProviders={oauthProviders} baseUrl={baseUrl} />
      </SettingSection>
    </div>
  );
}

{title}

Settings

Master Connection

Slave Instances