Caddy HTTPS reverse proxy for PicoClaw
Caddy can terminate TLS and reverse-proxy to PicoClaw with minimal configuration—ideal when you want certificates without maintaining certbot jobs by hand. PicoClaw stays on a local port; Caddy listens on 443 and forwards traffic.
1. Why Caddy?
- Automatic ACME (Let’s Encrypt) with sensible defaults
- Readable single-file Caddyfile
- Works well on VPS and homelab VMs
2. Basic pattern
Run PicoClaw on 127.0.0.1:PORT, then configure Caddy to reverse_proxy that upstream. Restrict admin routes and add rate limits for public webhooks.
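A Caddyfile for this pattern, as an added example rather than configuration from the PicoClaw project. The hostname, port 8080 (standing in for PORT), the /admin path prefix and the 203.0.113.0/24 admin network are assumptions; substitute your own.

```caddyfile
# Added example. Assumed values: picoclaw.example.com, port 8080,
# the /admin path prefix, and the 203.0.113.0/24 admin network.
picoclaw.example.com {
	# A site address with a public hostname makes Caddy obtain and renew
	# the certificate over ACME and redirect HTTP to HTTPS.

	# Admin routes: anything under /admin that does not come from the
	# trusted network is answered with 403 and never reaches PicoClaw.
	# remote_ip matches the address of the direct TCP peer, so this is
	# only meaningful when clients connect to Caddy directly.
	@admin_untrusted {
		path /admin /admin/*
		not remote_ip 203.0.113.0/24
	}
	respond @admin_untrusted 403

	# Rate limiting is not part of the standard Caddy build; it needs a
	# plugin module compiled in, so no rate-limit directive is shown here.

	# Everything else goes to PicoClaw on the loopback interface.
	# PicoClaw must listen on 127.0.0.1 only; if it listens on 0.0.0.0,
	# the port can be reached directly and the admin rule is bypassed.
	reverse_proxy 127.0.0.1:8080
}
```

Run `caddy validate --config /etc/caddy/Caddyfile` before reloading, then confirm from an outside host that the PicoClaw port itself is not reachable and that an /admin request returns 403.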
3. nginx vs Caddy
If you already run nginx everywhere, stay consistent. Choose Caddy when you value auto-TLS and shorter configs. See also nginx HTTPS guide.
4. Next steps
- Cloudflare Tunnel when you cannot open ports
- Security checklist
- systemd for process supervision