DEV Community: Venkatakrishna S The latest articles on DEV Community by Venkatakrishna S (@venkatakrishna_s). https://dev.to/venkatakrishna_s https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3910004%2Ff238e2c9-bb76-444f-a46c-87040d39f857.png DEV Community: Venkatakrishna S https://dev.to/venkatakrishna_s en Caddy-mcp: tunnel private MCP servers through Caddy over QUIC Venkatakrishna S Sun, 03 May 2026 11:20:27 +0000 https://dev.to/venkatakrishna_s/caddy-mcp-tunnel-private-mcp-servers-through-caddy-over-quic-4iag https://dev.to/venkatakrishna_s/caddy-mcp-tunnel-private-mcp-servers-through-caddy-over-quic-4iag <p><a href="https://github.com/venkatkrishna07/caddy-mcp" rel="noopener noreferrer">caddy-mcp</a> is a Caddy plugin for exposing MCP servers that live on private networks. The private box dials out to Caddy over QUIC, Caddy serves it as a normal HTTPS endpoint. No inbound ports, no third party in the request path.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Public Internet | v +--------------------+ | Caddy :443 | TLS, routing, middleware | reverse_proxy | +--------+-----------+ | v +--------------------+ | caddy-mcp plugin | QUIC listener :4443 | tunnel registry | token store | policy engine | MCP-aware ACLs | audit logger | structured logging +--------+-----------+ | | QUIC connection (TLS 1.3, multiplexed streams) v +--------------------+ | rift client | runs on private network | --protocol mcp | dials out — no inbound ports +--------+-----------+ | v +--------------------+ | MCP server | tools, resources, prompts | localhost:9090 | +--------------------+ </code></pre> </div> <p>The dial-out side runs <a href="https://github.com/venkatkrishna07/rift" rel="noopener noreferrer">rift</a> with <code>--protocol mcp</code>.</p> <p>Two modes per tunnel:</p> <p><strong>Transparent</strong> — Caddy forwards bytes untouched. The MCP server handles its own session and auth.</p> <p><strong>Aware</strong> — Caddy parses the JSON-RPC and enforces policy before anything reaches the upstream:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>reverse_proxy mcp-tunnel { transport mcp { tunnel code-server mode aware allow_tools read_file list_files search deny_tools execute_command shell_exec allow_resources "file:///repo/*" } } </code></pre> </div> <p>Denied calls get a JSON-RPC error back. There's per-user ACLs via a policy file (effective permissions are the intersection of tunnel and user ACLs), and a structured audit log of every call — token, user, tool, resource, decision, latency.</p> <p>Status: beta, single Caddy instance, no HA. Works for personal and small-team setups.</p> <p>Most of the details are in the repo: <a href="https://github.com/venkatkrishna07/caddy-mcp" rel="noopener noreferrer">github.com/venkatkrishna07/caddy-mcp</a>.</p> mcp go caddy quic