Configuring Caddy for HTTPS

Caddy can act as a reverse proxy and HTTPS terminator for SkyView.
It simplifies HTTPS setup by automatically obtaining and renewing trusted certificates from Let’s Encrypt, or by serving your own self-signed certificates for testing or offline use.


1) Why use Caddy

  • Enables HTTPS for PWA installation and WebRTC features.
  • Provides automatic certificate management (Let’s Encrypt).
  • Optionally supports self-signed certificates for local/offline networks.
  • Allows you to expose SkyView securely at https://skyview.local or your LAN IP.

2) Docker Compose example

Here’s a typical setup using Caddy in front of SkyView:

services:
  caddy:
    image: caddy:2
    container_name: caddy
    network_mode: host
    # ports:
    #   - "80:80"
    #   - "443:443"
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./data:/data
      - ./config:/config
    extra_hosts:
      - "host.docker.internal:host-gateway"
    depends_on:
      - sky-view
    restart: unless-stopped

  sky-view:
    image: impleo/sky-view:0.1.8
    # Host network required for UDP multicast support
    network_mode: host
    environment:
      SKY_VIEW_SERVER_ADDR: ":8100"
      SKY_VIEW_DB_PATH: "/data/sky-view.db"
      SKY_VIEW_LOG_PATH: "/data/sky-view.log"
      SKY_VIEW_LOG_MAX_SIZE_MB: "10"
      SKY_VIEW_LOG_MAX_BACKUPS: "5"
      SKY_VIEW_LOG_MAX_AGE_DAYS: "0"
    volumes:
      - sky-view-data:/data
    restart: unless-stopped

volumes:
  sky-view-data:

3) Caddyfile basics

The Caddyfile defines how Caddy proxies traffic to the SkyView backend.

Example (trusted certificate via Let’s Encrypt)

skyview.mydomain.com {
    reverse_proxy http://host.docker.internal:8100
}

  • Caddy will automatically obtain a Let’s Encrypt certificate for skyview.mydomain.com.
  • Requires your domain to resolve publicly to the host’s IP (port 80/443 accessible).

Example (local LAN hostname)

If your server is reachable as skyview.local or skyview.lan inside your network:

# HTTPS for localhost and skyview.local (internal cert works well with hostnames)
localhost, skyview.local {
    reverse_proxy http://host.docker.internal:8100
    tls internal
}

The directive tls internal tells Caddy to generate a local CA and issue the site certificates from that CA instead of requesting them from a public one.
Browsers trust these certificates only after you install the CA certificate on the client devices.


4) Using self-signed certificates

A) Enable Caddy internal CA

In the Caddyfile:

https://skyview.local {
    reverse_proxy http://host.docker.internal:8100
    tls internal
}

B) Export and install the root CA

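Caddy stores the internal CA in /data/caddy/pki/authorities/local/ inside the container; with the volume mapping from the Docker Compose example, that is ./data/caddy/pki/authorities/local/ on the host.
Copy only the root CA file (usually root.crt) and install it as a trusted certificate on your devices. The .key files in the same directory are the CA's private keys and should never leave the server.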

Linux / Mac / Windows

  • Linux: /usr/local/share/ca-certificates/
  • macOS: open in Keychain Access → System → Certificates → Trust Always
  • Windows:
      - Double-click the *.crt file
      - Click "Install Certificate..."
      - Choose "Local Machine" (not Current User) → Next
      - Select "Place all certificates in the following store"
      - Click "Browse..." → Select "Trusted Root Certification Authorities"
      - Click OK → Next → Finish
      - Click "Yes" on the security warning

⚠️ Completely close all browser windows (check Task Manager to ensure the browser process is fully closed), then reopen.

Mobile Devices

  • Android: Settings → Security → Encryption & credentials → Install from storage
  • iOS: AirDrop or email the .crt, then Settings → General → About → Certificate Trust Settings

After that, browsers will trust the HTTPS connection to your LAN host.
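
The export step above as a shell sketch; this is an added example, not part of the original guide or the SkyView project. It assumes the ./data bind mount from the Docker Compose example, a Debian/Ubuntu client for the install step, and openssl on the host; the function names and the skyview-caddy-root.crt file name are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the SkyView docs): export Caddy's internal root CA.
# Assumption: the compose file above maps ./data on the host to /data in the
# caddy container, so the CA sits in ./data/caddy/pki/authorities/local/.
CA_DIR="${CA_DIR:-./data/caddy/pki/authorities/local}"
OUT_NAME="skyview-caddy-root.crt"   # hypothetical file name for the copy

# True only for a PEM certificate file that carries no private key.
is_public_cert() {
    [ -f "$1" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -q -e 'PRIVATE KEY-----' "$1"
}

# Copy root.crt (never root.key) into directory $1 and print the new path.
export_root_ca() {
    src="$CA_DIR/root.crt"
    if ! is_public_cert "$src"; then
        echo "refusing: $src is missing or is not a bare certificate" >&2
        return 1
    fi
    mkdir -p "$1" && cp "$src" "$1/$OUT_NAME" && chmod 644 "$1/$OUT_NAME" || return 1
    echo "$1/$OUT_NAME"
}

# SHA-256 fingerprint, to compare on each device before trusting the CA.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Debian/Ubuntu: copying the file is not enough, the trust store has to be
# rebuilt with update-ca-certificates afterwards.
install_ca_debian() {
    is_public_cert "$1" || return 1
    sudo cp "$1" "/usr/local/share/ca-certificates/$OUT_NAME" &&
        sudo update-ca-certificates
}

# Typical use on the Docker host:
#   crt=$(export_root_ca ./export) && ca_fingerprint "$crt"
#   install_ca_debian "$crt"
# Then check that the proxy's certificate chains to that root:
#   curl --cacert "$crt" -sS -o /dev/null -w '%{http_code}\n' https://skyview.local
```

The data directory is written by the container, so reading it on the host may require root.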


5) Using trusted certificates (Let’s Encrypt)

If your SkyView server is accessible via a public DNS name, Caddy can automatically fetch and renew valid certificates.

Caddyfile

skyview.example.com {
    reverse_proxy http://host.docker.internal:8100
    tls {
        email admin@example.com
    }
}

Caddy will:

  • Request a certificate from Let’s Encrypt.
  • Handle renewal automatically.
  • Store certificates in /data and /config.

Ensure ports 80 and 443 are open to the internet and that your DNS points to your server’s IP.


6) Testing HTTPS locally (no external DNS)

If you just want to test HTTPS on localhost, you can use:

https://localhost {
    reverse_proxy http://host.docker.internal:8100
    tls internal
}

Then open:

https://localhost

For browsers to trust it, import the Caddy internal CA as described earlier.


7) Verify setup

After running:

docker compose up -d

Check:

docker logs caddy

You should see:

... obtaining certificate for skyview.local
... serving HTTPS on :443

Then visit:

https://skyview.local

8) Common troubleshooting

Issue                        Cause                                       Solution
Browser shows “Not secure”   Self-signed cert not trusted                Install the Caddy root CA
Let’s Encrypt fails          Ports 80/443 blocked or DNS misconfigured   Open ports, verify DNS
PWA/WebRTC fails on LAN      Using plain HTTP                            Enable HTTPS (self-signed or trusted)
Device doesn’t trust cert    Missing CA installation                     Install CA on each device

9) References