5 Why Caddy + Envoy

Note

Caddy sidecars for per-pod TLS and forward auth. Envoy as the sole rootful component for L4 SNI passthrough and L7 load balancing.

5.1 The sidecar pattern

5.2 Caddy for TLS termination

5.3 DNS-01 with Cloudflare

5.4 Forward auth with FQDN

5.5 Envoy as the ingress layer

5.6 Split-horizon DNS

5.7 Tailscale for sensitive services

# Why Caddy + Envoy

::: {.callout-note}
Caddy sidecars for per-pod TLS and forward auth. Envoy as the sole rootful component for L4 SNI passthrough and L7 load balancing.
:::

## The sidecar pattern

## Caddy for TLS termination

## DNS-01 with Cloudflare

## Forward auth with FQDN

## Envoy as the ingress layer

## Split-horizon DNS

## Tailscale for sensitive services