Layer 4 (TCP/UDP) app for Caddy
Find a file
tannevaled bf180f4a22
proxy: Optionally close connections when a peer goes unhealthy (#425)
* l4proxy: optionally close connections when a peer goes unhealthy

By default the proxy lets established connections run until they close on
their own, even after their backend is marked unhealthy. For failover that
is undesirable: clients should be moved off a backend as soon as it goes
down (e.g. a demoted database primary).

Add an opt-in HealthChecks.CloseConnectionsOnUnhealthy (Caddyfile:
close_connections_on_unhealthy). When enabled, a peer's currently-open
proxied connections are force-closed the moment an active health check
marks it unhealthy; closing the upstream side makes the proxy's io.Copy
loops return and the sessions tear down so clients reconnect to a healthy
peer. Default false preserves existing behavior.

Per-peer open connections are tracked only when the option is enabled.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* l4proxy: docs + integration test for close_connections_on_unhealthy

Document the close_connections_on_unhealthy health-check option in
docs/handlers/proxy.md and add a caddyfile_adapt integration test. The
feature's logic (peer connection tracking + the active-check trigger) is
already unit-tested.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* l4proxy: address review on close-if-unhealthy

- Move the option from HealthChecks into ActiveHealthChecks: it is only
  wired to active checks, so it now lives where it applies instead of in
  the general health-checks block (fixes the misleading placement).
- Rename it to the more concise close_if_unhealthy (JSON + Caddyfile).
- Add a duplicate guard in UnmarshalCaddyfile so specifying it twice is
  rejected, matching the other options.
- Update docs, the caddyfile_adapt test, and unit tests (incl. a
  duplicate-directive case).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-03 19:01:16 +03:00
.github build(deps): bump the actions-deps group with 2 updates (#441) 2026-07-02 09:48:55 +03:00
docs proxy: Optionally close connections when a peer goes unhealthy (#425) 2026-07-03 19:01:16 +03:00
integration proxy: Optionally close connections when a peer goes unhealthy (#425) 2026-07-03 19:01:16 +03:00
layer4 lint: Modernize reverse loops over slices (#417) 2026-05-04 17:42:57 +03:00
modules proxy: Optionally close connections when a peer goes unhealthy (#425) 2026-07-03 19:01:16 +03:00
.editorconfig Adjust dependabot and lint workflows, fix linter issues (#321) 2025-08-25 08:23:55 -06:00
.gitattributes Adjust dependabot and lint workflows, fix linter issues (#321) 2025-08-25 08:23:55 -06:00
.gitignore proxyprotocol: Rewrite proxy protocol matcher (#58) 2022-04-20 11:46:01 -06:00
.golangci.yml chore: Enable modernize linter and make minor tweaks (#388) 2026-03-02 11:21:55 +03:00
go.mod l4proxy: add Prometheus metrics (#431) 2026-07-02 11:01:56 -06:00
go.sum deps: Bump Caddy to v2.11.4 (#443) 2026-07-02 10:23:37 +03:00
imports.go feat: Enable routing based on placeholders and custom variables (#396) 2026-04-16 19:22:31 +03:00
LICENSE Initial commit 2020-05-11 12:42:09 -06:00
README.md tls: Add placeholders for general and mutual TLS connection details (#67) 2026-03-04 21:24:34 +03:00

Project Conncept: a TCP/UDP app for Caddy

Project Conncept is an experimental layer 4 app for Caddy. It facilitates composable handling of raw TCP/UDP connections based on properties of the connection or the beginning of the stream.

With it, you can listen on sockets/ports and express logic such as:

  • "Echo all input back to the client."
  • "Proxy all the raw bytes to 10.0.3.14:1592."
  • "If connection is TLS, terminate TLS then proxy all bytes to :5000."
  • "Terminate TLS; then if it is HTTP, proxy to localhost:80; otherwise echo."
  • "If connection is TLS, proxy to :443 without terminating; if HTTP, proxy to :80; if SSH, proxy to :22."
  • "If the HTTP Host is example.com or the TLS ServerName is example.com, then proxy to 192.168.0.4."
  • "Block connections from these IP ranges: ..."
  • "Throttle data flow to simulate slow connections."
  • And much more!

⚠️ This app is very capable and flexible, but is still in development. Please expect breaking changes.

Because this is a Caddy app, it can be used alongside other Caddy apps such as the HTTP server or TLS certificate manager.

Note

This is not an official repository of the Caddy Web Server organization.

Introduction

Important

Documentation is available in the docs directory. For better understanding, you may also read the code, especially type definitions and their comments. It's actually a pretty simple code base. See below for tips and examples writing config.

This app works similarly to the http app. You define servers, and each server consists of routes. A route has a set of matchers and handlers; if a connection matches, the associated handlers are invoked.

Refer the docs for lists of matchers and handlers included in the package.

Compiling

The recommended way is to use xcaddy:

$ xcaddy build --with github.com/mholt/caddy-l4

Alternatively, to hack on the plugin code, you can clone it down, then build and run like so:

  1. Download or clone this repo: git clone https://github.com/mholt/caddy-l4.git
  2. In the project folder, run xcaddy just like you would run caddy. For example: xcaddy list-modules --versions (you should see the layer4 modules).

Writing config

This app supports Caddyfile, but you may also use Caddy's native JSON format to configure it. I highly recommend this caddy-json-schema plugin by @abiosoft which can give you auto-complete and documentation right in your editor as you write your config!

See below for some examples to help you get started.

Config examples

The following configuration examples are included in the documentation:

Other examples could be found in the documentation files describing specific matchers and handlers, as well as in issues and pull requests.