Reverse proxy (Caddy)

Caddy terminates TLS, obtains a free Let’s Encrypt certificate, and proxies traffic to Hiveloom running on localhost. One command to install on Debian/Ubuntu:


sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install -y caddy

For other distros, see the Caddy install docs .

Confirm:


caddy version              # should print v2.x
systemctl is-active caddy  # should print "active"

Drop in the Hiveloom Caddyfile

Hiveloom ships a helper that prints a ready-to-use Caddyfile for your hostname:


sudo mkdir -p /etc/caddy/Caddyfile.d
hiveloom tls render --host hiveloom.example.com --email [email protected] \
  | sudo tee /etc/caddy/Caddyfile.d/hiveloom.caddy
sudo systemctl reload caddy

Replace hiveloom.example.com and [email protected]. The email is used by Let’s Encrypt for renewal notifications.

The first request to https://hiveloom.example.com/ will trigger Caddy’s ACME flow. Give it 10–30 seconds, then go to TLS to verify.

Already running Nginx, Traefik, or Cloudflare Tunnel?

You don’t need Caddy. Point your existing proxy at Hiveloom on 127.0.0.1:3000 and forward the right headers.

Required forwarded headers, a working Nginx config, and the Cloudflare-Tunnel route.

Bring your own reverse proxy

Next: TLS.