Merge pull request #393 from openziti/v0.4_caddy

Caddy Integration (First Round) (#330, #388, #392)
2025-01-03 12:39:07 +01:00 · 2023-08-31 20:47:58 -04:00 · 2023-08-31 20:47:58 -04:00 · ca6a11cc59
commit ca6a11cc59
parent 4522f38827 f34d23e0ef
28 changed files with 3150 additions and 453 deletions
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@ -20,12 +20,12 @@ jobs:
      - name: setup-go
        uses: actions/setup-go@v3
        with:
-          go-version: 1.19.3
+          go-version: 1.21.0

      - name: setup-node
        uses: actions/setup-node@v3
        with:
-          node-version: 16.x
+          node-version: 18.x

      - run: npm install
        working-directory: ui
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -24,12 +24,12 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: '>=1.19.3'
+          go-version: '>=1.21.0'
          cache: true

      - uses: actions/setup-node@v3
        with:
-          node-version: 16.x
+          node-version: 18.x

      - run: npm install
        working-directory: ui
@ -66,7 +66,7 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: '>=1.19.3'
+          go-version: '>=1.21.0'
          cache: true

      - uses: actions/setup-node@v3
@ -108,7 +108,7 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: '>=1.19.3'
+          go-version: '>=1.21.0'
          cache: true

      - uses: actions/setup-node@v3
@ -157,7 +157,7 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: '>=1.19.3'
+          go-version: '>=1.21.0'
          cache: true

      - uses: actions/setup-node@v3
@ -201,7 +201,7 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: '>=1.19.3'
+          go-version: '>=1.21.0'
          cache: true

      - uses: actions/setup-node@v3
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,7 +1,21 @@
+# v0.4.6
+
+FEATURE: New `--backend-mode caddy`, which pre-processes a `Caddyfile` allowing a `bind` statement to work like this: `bind {{ .ZrokBindAddress }}`. Allows development of complicated API gateways and multi-backend shares, while maintaining the simple, ephemeral sharing model provided by `zrok` (https://github.com/openziti/zrok/issues/391)
+
+CHANGE: `--backend-mode web` has been refactored to utilize Caddy as the integrated web server. This provides for a much nicer web-based file browsing experience, while maintaining the existing web server facilities (https://github.com/openziti/zrok/issues/392)
+
+CHANGE: Updated the golang version for release builds to `1.21.0` and the node version to `18.x`
+
+CHANGE: Added `FrontendEndponts` to `sdk.Share`, returning selected frontend URLs to callers of `sdk.CreateShare`
+
+CHANGE: Added a short alias `-b` for `--backend-mode` to improve CLI ergonomics (https://github.com/openziti/zrok/issues/397)
+
 # v0.4.5

 FEATURE: New health check endpoint (`/health`), which verifies that the underlying SQL store and metrics repository (InfluxDB, if configured) are operating correctly (https://github.com/openziti/zrok/issues/372)

+CHANGE: Updated to golang v1.21.0 and node v18.x
+
 FIX: `zrok admin bootstrap` and `zrok enable` both broken with latest OpenZiti releases (tested with `v0.30.0`); updated to latest OpenZiti golang SDK (https://github.com/openziti/zrok/issues/389)

 # v0.4.4
--- a/cmd/zrok/main.go
+++ b/cmd/zrok/main.go
@ -5,6 +5,7 @@ import (
 	"github.com/openziti/transport/v2"
 	"github.com/openziti/transport/v2/tcp"
 	"github.com/openziti/transport/v2/udp"
+	_ "github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/tui"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
--- a/cmd/zrok/reserve.go
+++ b/cmd/zrok/reserve.go
@ -1,16 +1,12 @@
 package main

 import (
-	httptransport "github.com/go-openapi/runtime/client"
+	"fmt"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/rest_client_zrok/share"
-	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/tui"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"strings"
 )

 func init() {
@ -33,7 +29,7 @@ func newReserveCommand() *reserveCommand {
 	command := &reserveCommand{cmd: cmd}
 	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
 	cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share")
-	cmd.Flags().StringVar(&command.backendMode, "backend-mode", "proxy", "The backend mode {proxy, web, <tcpTunnel, udpTunnel>}")
+	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, <tcpTunnel, udpTunnel>, caddy}")
 	cmd.Run = command.run
 	return command
 }
@ -58,6 +54,18 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {

 	case "web":
 		target = args[1]
+
+	case "tcpTunnel":
+		target = args[1]
+
+	case "udpTunnel":
+		target = args[1]
+
+	case "caddy":
+		target = args[1]
+
+	default:
+		tui.Error(fmt.Sprintf("invalid backend mode '%v'; expected {proxy, web, tcpTunnel, udpTunnel, caddy}", cmd.backendMode), nil)
 	}

 	env, err := environment.LoadRoot()
@ -72,49 +80,25 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 		tui.Error("unable to load environment; did you 'zrok enable'?", nil)
 	}

-	zrok, err := env.Client()
-	if err != nil {
-		if !panicInstead {
-			tui.Error("unable to create zrok client", err)
-		}
-		panic(err)
-	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", env.Environment().Token)
-	req := share.NewShareParams()
-	req.Body = &rest_model_zrok.ShareRequest{
-		EnvZID:               env.Environment().ZitiIdentity,
-		ShareMode:            string(shareMode),
-		BackendMode:          cmd.backendMode,
-		BackendProxyEndpoint: target,
-		AuthScheme:           string(sdk.None),
-		Reserved:             true,
+	req := &sdk.ShareRequest{
+		BackendMode: sdk.BackendMode(cmd.backendMode),
+		ShareMode:   shareMode,
+		Auth:        cmd.basicAuth,
+		Target:      target,
 	}
 	if shareMode == sdk.PublicShareMode {
-		req.Body.FrontendSelection = cmd.frontendSelection
+		req.Frontends = cmd.frontendSelection
 	}
-	if len(cmd.basicAuth) > 0 {
-		logrus.Infof("configuring basic auth")
-		req.Body.AuthScheme = string(sdk.Basic)
-		for _, pair := range cmd.basicAuth {
-			tokens := strings.Split(pair, ":")
-			if len(tokens) == 2 {
-				req.Body.AuthUsers = append(req.Body.AuthUsers, &rest_model_zrok.AuthUser{Username: strings.TrimSpace(tokens[0]), Password: strings.TrimSpace(tokens[1])})
-			} else {
-				panic(errors.Errorf("invalid username:password pair '%v'", pair))
-			}
-		}
-	}
-
-	resp, err := zrok.Share.Share(req, auth)
+	shr, err := sdk.CreateShare(env, req)
 	if err != nil {
 		if !panicInstead {
-			tui.Error("unable to create tunnel", err)
+			tui.Error("unable to create share", err)
 		}
 		panic(err)
 	}

-	logrus.Infof("your reserved share token is '%v'", resp.Payload.ShrToken)
-	for _, fpe := range resp.Payload.FrontendProxyEndpoints {
+	logrus.Infof("your reserved share token is '%v'", shr.Token)
+	for _, fpe := range shr.FrontendEndpoints {
 		logrus.Infof("reserved frontend endpoint: %v", fpe)
 	}
 }
--- a/cmd/zrok/sharePrivate.go
+++ b/cmd/zrok/sharePrivate.go
@ -3,24 +3,18 @@ package main
 import (
 	"fmt"
 	tea "github.com/charmbracelet/bubbletea"
-	"github.com/go-openapi/runtime"
-	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/endpoints/proxy"
 	"github.com/openziti/zrok/endpoints/tcpTunnel"
 	"github.com/openziti/zrok/endpoints/udpTunnel"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/rest_client_zrok"
-	"github.com/openziti/zrok/rest_client_zrok/share"
-	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/environment/env_core"
 	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/tui"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"os"
 	"os/signal"
-	"strings"
 	"syscall"
 )

@ -44,7 +38,7 @@ func newSharePrivateCommand() *sharePrivateCommand {
 	}
 	command := &sharePrivateCommand{cmd: cmd}
 	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...")
-	cmd.Flags().StringVar(&command.backendMode, "backend-mode", "proxy", "The backend mode {proxy, web, tcpTunnel, udpTunnel}")
+	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, tcpTunnel, udpTunnel, caddy}")
 	cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
 	cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for <target>")
 	cmd.Run = command.run
@ -74,11 +68,15 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 	case "udpTunnel":
 		target = args[0]

+	case "caddy":
+		target = args[0]
+		cmd.headless = true
+
 	default:
-		tui.Error(fmt.Sprintf("invalid backend mode '%v'; expected {proxy, web, tcpTunnel}", cmd.backendMode), nil)
+		tui.Error(fmt.Sprintf("invalid backend mode '%v'; expected {proxy, web, tcpTunnel, udpTunnel, caddy}", cmd.backendMode), nil)
 	}

-	env, err := environment.LoadRoot()
+	root, err := environment.LoadRoot()
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to load environment", err)
@ -86,11 +84,11 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}

-	if !env.IsEnabled() {
+	if !root.IsEnabled() {
 		tui.Error("unable to load environment; did you 'zrok enable'?", nil)
 	}

-	zif, err := env.ZitiIdentityNamed(env.EnvironmentIdentityName())
+	zif, err := root.ZitiIdentityNamed(root.EnvironmentIdentityName())
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to load ziti identity configuration", err)
@ -98,36 +96,13 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}

-	zrok, err := env.Client()
-	if err != nil {
-		if !panicInstead {
-			tui.Error("unable to create zrok client", err)
+	req := &sdk.ShareRequest{
+		BackendMode: sdk.BackendMode(cmd.backendMode),
+		ShareMode:   sdk.PrivateShareMode,
+		Auth:        cmd.basicAuth,
+		Target:      target,
 	}
-		panic(err)
-	}
-
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", env.Environment().Token)
-	req := share.NewShareParams()
-	req.Body = &rest_model_zrok.ShareRequest{
-		EnvZID:               env.Environment().ZitiIdentity,
-		ShareMode:            string(sdk.PrivateShareMode),
-		BackendMode:          cmd.backendMode,
-		BackendProxyEndpoint: target,
-		AuthScheme:           string(sdk.None),
-	}
-	if len(cmd.basicAuth) > 0 {
-		logrus.Infof("configuring basic auth")
-		req.Body.AuthScheme = string(sdk.Basic)
-		for _, pair := range cmd.basicAuth {
-			tokens := strings.Split(pair, ":")
-			if len(tokens) == 2 {
-				req.Body.AuthUsers = append(req.Body.AuthUsers, &rest_model_zrok.AuthUser{Username: strings.TrimSpace(tokens[0]), Password: strings.TrimSpace(tokens[1])})
-			} else {
-				panic(errors.Errorf("invalid username:password pair '%v'", pair))
-			}
-		}
-	}
-	resp, err := zrok.Share.Share(req, auth)
+	shr, err := sdk.CreateShare(root, req)
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to create share", err)
@ -135,61 +110,84 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}

+	shareDescription := fmt.Sprintf("access your share with: %v", tui.Code.Render(fmt.Sprintf("zrok access private %v", shr.Token)))
+	mdl := newShareModel(shr.Token, []string{shareDescription}, sdk.PrivateShareMode, sdk.BackendMode(cmd.backendMode))
+	if !cmd.headless {
+		proxy.SetCaddyLoggingWriter(mdl)
+	}
+
 	c := make(chan os.Signal)
 	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
 	go func() {
 		<-c
-		cmd.destroy(env.Environment().ZitiIdentity, resp.Payload.ShrToken, zrok, auth)
+		cmd.shutdown(root, shr)
 		os.Exit(0)
 	}()

-	requestsChan := make(chan *endpoints.Request, 1024)
+	requests := make(chan *endpoints.Request, 1024)
+
 	switch cmd.backendMode {
 	case "proxy":
 		cfg := &proxy.BackendConfig{
 			IdentityPath:    zif,
 			EndpointAddress: target,
-			ShrToken:        resp.Payload.ShrToken,
+			ShrToken:        shr.Token,
 			Insecure:        cmd.insecure,
-			RequestsChan:    requestsChan,
+			Requests:        requests,
 		}
-		_, err = cmd.proxyBackendMode(cfg)
+
+		be, err := proxy.NewBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create proxy backend handler", err)
+				tui.Error("error creating proxy backend", err)
 			}
 			panic(err)
 		}

+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running http proxy backend: %v", err)
+			}
+		}()
+
 	case "web":
-		cfg := &proxy.WebBackendConfig{
+		cfg := &proxy.CaddyWebBackendConfig{
 			IdentityPath: zif,
 			WebRoot:      target,
-			ShrToken:     resp.Payload.ShrToken,
-			RequestsChan: requestsChan,
+			ShrToken:     shr.Token,
+			Requests:     requests,
 		}
-		_, err = cmd.webBackendMode(cfg)
+
+		be, err := proxy.NewCaddyWebBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create web backend handler", err)
+				tui.Error("error creating web backend", err)
 			}
 			panic(err)
 		}

+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running http web backend: %v", err)
+			}
+		}()
+
 	case "tcpTunnel":
 		cfg := &tcpTunnel.BackendConfig{
 			IdentityPath:    zif,
 			EndpointAddress: target,
-			ShrToken:        resp.Payload.ShrToken,
-			RequestsChan:    requestsChan,
+			ShrToken:        shr.Token,
+			RequestsChan:    requests,
 		}
+
 		be, err := tcpTunnel.NewBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create tcpTunnel backend", err)
+				tui.Error("error creating tcpTunnel backend", err)
 			}
 			panic(err)
 		}
+
 		go func() {
 			if err := be.Run(); err != nil {
 				logrus.Errorf("error running tcpTunnel backend: %v", err)
@ -200,38 +198,60 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		cfg := &udpTunnel.BackendConfig{
 			IdentityPath:    zif,
 			EndpointAddress: target,
-			ShrToken:        resp.Payload.ShrToken,
-			RequestsChan:    requestsChan,
+			ShrToken:        shr.Token,
+			RequestsChan:    requests,
 		}
+
 		be, err := udpTunnel.NewBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create udpTunnel backend", err)
+				tui.Error("error creating udpTunnel backend", err)
 			}
 			panic(err)
 		}
+
 		go func() {
 			if err := be.Run(); err != nil {
 				logrus.Errorf("error running udpTunnel backend: %v", err)
 			}
 		}()

+	case "caddy":
+		cfg := &proxy.CaddyfileBackendConfig{
+			CaddyfilePath: target,
+			Shr:           shr,
+			Requests:      requests,
+		}
+
+		be, err := proxy.NewCaddyfileBackend(cfg)
+		if err != nil {
+			cmd.shutdown(root, shr)
+			if !panicInstead {
+				tui.Error("error creating caddy backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running caddy backend: %v", err)
+			}
+		}()
+
 	default:
 		tui.Error("invalid backend mode", nil)
 	}

 	if cmd.headless {
-		logrus.Infof("allow other to access your share with the following command:\nzrok access private %v", resp.Payload.ShrToken)
+		logrus.Infof("allow other to access your share with the following command:\nzrok access private %v", shr.Token)
 		for {
 			select {
-			case req := <-requestsChan:
+			case req := <-requests:
 				logrus.Infof("%v -> %v %v", req.RemoteAddr, req.Method, req.Path)
 			}
 		}

 	} else {
-		shareDescription := fmt.Sprintf("access your share with: %v", tui.Code.Render(fmt.Sprintf("zrok access private %v", resp.Payload.ShrToken)))
-		mdl := newShareModel(resp.Payload.ShrToken, []string{shareDescription}, sdk.PrivateShareMode, sdk.BackendMode(cmd.backendMode))
 		logrus.SetOutput(mdl)
 		prg := tea.NewProgram(mdl, tea.WithAltScreen())
 		mdl.prg = prg
@ -239,7 +259,7 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		go func() {
 			for {
 				select {
-				case req := <-requestsChan:
+				case req := <-requests:
 					prg.Send(req)
 				}
 			}
@ -249,51 +269,15 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 			tui.Error("An error occurred", err)
 		}

-		close(requestsChan)
-		cmd.destroy(env.Environment().ZitiIdentity, resp.Payload.ShrToken, zrok, auth)
+		close(requests)
+		cmd.shutdown(root, shr)
 	}
 }

-func (cmd *sharePrivateCommand) proxyBackendMode(cfg *proxy.BackendConfig) (endpoints.RequestHandler, error) {
-	be, err := proxy.NewBackend(cfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating http proxy backend")
+func (cmd *sharePrivateCommand) shutdown(root env_core.Root, shr *sdk.Share) {
+	logrus.Debugf("shutting down '%v'", shr.Token)
+	if err := sdk.DeleteShare(root, shr); err != nil {
+		logrus.Errorf("error shutting down '%v': %v", shr.Token, err)
 	}
-
-	go func() {
-		if err := be.Run(); err != nil {
-			logrus.Errorf("error running http proxy backend: %v", err)
-		}
-	}()
-
-	return be, nil
-}
-
-func (cmd *sharePrivateCommand) webBackendMode(cfg *proxy.WebBackendConfig) (endpoints.RequestHandler, error) {
-	be, err := proxy.NewWebBackend(cfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating http web backend")
-	}
-
-	go func() {
-		if err := be.Run(); err != nil {
-			logrus.Errorf("error running http web backend: %v", err)
-		}
-	}()
-
-	return be, nil
-}
-
-func (cmd *sharePrivateCommand) destroy(id string, shrToken string, zrok *rest_client_zrok.Zrok, auth runtime.ClientAuthInfoWriter) {
-	logrus.Debugf("shutting down '%v'", shrToken)
-	req := share.NewUnshareParams()
-	req.Body = &rest_model_zrok.UnshareRequest{
-		EnvZID:   id,
-		ShrToken: shrToken,
-	}
-	if _, err := zrok.Share.Unshare(req, auth); err == nil {
 	logrus.Debugf("shutdown complete")
-	} else {
-		logrus.Errorf("error shutting down: %v", err)
-	}
 }
--- a/cmd/zrok/sharePublic.go
+++ b/cmd/zrok/sharePublic.go
@ -3,17 +3,12 @@ package main
 import (
 	"fmt"
 	tea "github.com/charmbracelet/bubbletea"
-	"github.com/go-openapi/runtime"
-	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/endpoints/proxy"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/rest_client_zrok"
-	"github.com/openziti/zrok/rest_client_zrok/share"
-	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/environment/env_core"
 	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/tui"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"os"
@ -44,7 +39,7 @@ func newSharePublicCommand() *sharePublicCommand {
 	command := &sharePublicCommand{cmd: cmd}
 	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
 	cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share")
-	cmd.Flags().StringVar(&command.backendMode, "backend-mode", "proxy", "The backend mode {proxy, web}")
+	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, caddy}")
 	cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
 	cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for <target>")
 	cmd.Run = command.run
@ -68,11 +63,15 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 	case "web":
 		target = args[0]

+	case "caddy":
+		target = args[0]
+		cmd.headless = true
+
 	default:
 		tui.Error(fmt.Sprintf("invalid backend mode '%v'; expected {proxy, web}", cmd.backendMode), nil)
 	}

-	env, err := environment.LoadRoot()
+	root, err := environment.LoadRoot()
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to load environment", err)
@ -80,49 +79,26 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}

-	if !env.IsEnabled() {
+	if !root.IsEnabled() {
 		tui.Error("unable to load environment; did you 'zrok enable'?", nil)
 	}

-	zif, err := env.ZitiIdentityNamed(env.EnvironmentIdentityName())
+	zif, err := root.ZitiIdentityNamed(root.EnvironmentIdentityName())
 	if err != nil {
 		if !panicInstead {
-			tui.Error("unable to load ziti identity configuration", err)
+			tui.Error("unable to access ziti identity file", err)
 		}
 		panic(err)
 	}

-	zrok, err := env.Client()
-	if err != nil {
-		if !panicInstead {
-			tui.Error("unable to create zrok client", err)
+	req := &sdk.ShareRequest{
+		BackendMode: sdk.BackendMode(cmd.backendMode),
+		ShareMode:   sdk.PublicShareMode,
+		Frontends:   cmd.frontendSelection,
+		Auth:        cmd.basicAuth,
+		Target:      target,
 	}
-		panic(err)
-	}
-
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", env.Environment().Token)
-	req := share.NewShareParams()
-	req.Body = &rest_model_zrok.ShareRequest{
-		EnvZID:               env.Environment().ZitiIdentity,
-		ShareMode:            string(sdk.PublicShareMode),
-		FrontendSelection:    cmd.frontendSelection,
-		BackendMode:          cmd.backendMode,
-		BackendProxyEndpoint: target,
-		AuthScheme:           string(sdk.None),
-	}
-	if len(cmd.basicAuth) > 0 {
-		logrus.Infof("configuring basic auth")
-		req.Body.AuthScheme = string(sdk.Basic)
-		for _, pair := range cmd.basicAuth {
-			tokens := strings.Split(pair, ":")
-			if len(tokens) == 2 {
-				req.Body.AuthUsers = append(req.Body.AuthUsers, &rest_model_zrok.AuthUser{Username: strings.TrimSpace(tokens[0]), Password: strings.TrimSpace(tokens[1])})
-			} else {
-				panic(errors.Errorf("invalid username:password pair '%v'", pair))
-			}
-		}
-	}
-	resp, err := zrok.Share.Share(req, auth)
+	shr, err := sdk.CreateShare(root, req)
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to create share", err)
@ -130,62 +106,103 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}

+	mdl := newShareModel(shr.Token, shr.FrontendEndpoints, sdk.PublicShareMode, sdk.BackendMode(cmd.backendMode))
+	if !cmd.headless {
+		proxy.SetCaddyLoggingWriter(mdl)
+	}
+
 	c := make(chan os.Signal)
 	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
 	go func() {
 		<-c
-		cmd.destroy(env.Environment().ZitiIdentity, resp.Payload.ShrToken, zrok, auth)
+		cmd.shutdown(root, shr)
 		os.Exit(0)
 	}()

-	requestsChan := make(chan *endpoints.Request, 1024)
+	requests := make(chan *endpoints.Request, 1024)
+
 	switch cmd.backendMode {
 	case "proxy":
 		cfg := &proxy.BackendConfig{
 			IdentityPath:    zif,
 			EndpointAddress: target,
-			ShrToken:        resp.Payload.ShrToken,
+			ShrToken:        shr.Token,
 			Insecure:        cmd.insecure,
-			RequestsChan:    requestsChan,
+			Requests:        requests,
 		}
-		_, err = cmd.proxyBackendMode(cfg)
+
+		be, err := proxy.NewBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create proxy backend handler", err)
+				tui.Error("error creating proxy backend", err)
 			}
 			panic(err)
 		}

+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running http proxy backend: %v", err)
+			}
+		}()
+
 	case "web":
-		cfg := &proxy.WebBackendConfig{
+		cfg := &proxy.CaddyWebBackendConfig{
 			IdentityPath: zif,
 			WebRoot:      target,
-			ShrToken:     resp.Payload.ShrToken,
-			RequestsChan: requestsChan,
+			ShrToken:     shr.Token,
+			Requests:     requests,
 		}
-		_, err = cmd.webBackendMode(cfg)
+
+		be, err := proxy.NewCaddyWebBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create web backend handler", err)
+				tui.Error("unable to create web backend", err)
 			}
 			panic(err)
 		}

+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running http web backend: %v", err)
+			}
+		}()
+
+	case "caddy":
+		cfg := &proxy.CaddyfileBackendConfig{
+			CaddyfilePath: target,
+			Shr:           shr,
+			Requests:      requests,
+		}
+
+		be, err := proxy.NewCaddyfileBackend(cfg)
+		if err != nil {
+			cmd.shutdown(root, shr)
+			if !panicInstead {
+				tui.Error("unable to create caddy backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running caddy backend: %v", err)
+			}
+		}()
+
 	default:
 		tui.Error("invalid backend mode", nil)
 	}

 	if cmd.headless {
-		logrus.Infof("access your zrok share at the following endpoints:\n %v", strings.Join(resp.Payload.FrontendProxyEndpoints, "\n"))
+		logrus.Infof("access your zrok share at the following endpoints:\n %v", strings.Join(shr.FrontendEndpoints, "\n"))
 		for {
 			select {
-			case req := <-requestsChan:
+			case req := <-requests:
 				logrus.Infof("%v -> %v %v", req.RemoteAddr, req.Method, req.Path)
 			}
 		}

 	} else {
-		mdl := newShareModel(resp.Payload.ShrToken, resp.Payload.FrontendProxyEndpoints, sdk.PublicShareMode, sdk.BackendMode(cmd.backendMode))
 		logrus.SetOutput(mdl)
 		prg := tea.NewProgram(mdl, tea.WithAltScreen())
 		mdl.prg = prg
@ -193,7 +210,7 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 		go func() {
 			for {
 				select {
-				case req := <-requestsChan:
+				case req := <-requests:
 					prg.Send(req)
 				}
 			}
@ -203,51 +220,15 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 			tui.Error("An error occurred", err)
 		}

-		close(requestsChan)
-		cmd.destroy(env.Environment().ZitiIdentity, resp.Payload.ShrToken, zrok, auth)
+		close(requests)
+		cmd.shutdown(root, shr)
 	}
 }

-func (cmd *sharePublicCommand) proxyBackendMode(cfg *proxy.BackendConfig) (endpoints.RequestHandler, error) {
-	be, err := proxy.NewBackend(cfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating http proxy backend")
+func (cmd *sharePublicCommand) shutdown(root env_core.Root, shr *sdk.Share) {
+	logrus.Debugf("shutting down '%v'", shr.Token)
+	if err := sdk.DeleteShare(root, shr); err != nil {
+		logrus.Errorf("error shutting down '%v': %v", shr.Token, err)
 	}
-
-	go func() {
-		if err := be.Run(); err != nil {
-			logrus.Errorf("error running http proxy backend: %v", err)
-		}
-	}()
-
-	return be, nil
-}
-
-func (cmd *sharePublicCommand) webBackendMode(cfg *proxy.WebBackendConfig) (endpoints.RequestHandler, error) {
-	be, err := proxy.NewWebBackend(cfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating http web backend")
-	}
-
-	go func() {
-		if err := be.Run(); err != nil {
-			logrus.Errorf("error running http web backend: %v", err)
-		}
-	}()
-
-	return be, nil
-}
-
-func (cmd *sharePublicCommand) destroy(id string, shrToken string, zrok *rest_client_zrok.Zrok, auth runtime.ClientAuthInfoWriter) {
-	logrus.Debugf("shutting down '%v'", shrToken)
-	req := share.NewUnshareParams()
-	req.Body = &rest_model_zrok.UnshareRequest{
-		EnvZID:   id,
-		ShrToken: shrToken,
-	}
-	if _, err := zrok.Share.Unshare(req, auth); err == nil {
 	logrus.Debugf("shutdown complete")
-	} else {
-		logrus.Errorf("error shutting down: %v", err)
-	}
 }
--- a/cmd/zrok/shareReserved.go
+++ b/cmd/zrok/shareReserved.go
@ -6,13 +6,14 @@ import (
 	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/endpoints/proxy"
+	"github.com/openziti/zrok/endpoints/tcpTunnel"
+	"github.com/openziti/zrok/endpoints/udpTunnel"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/rest_client_zrok/metadata"
 	"github.com/openziti/zrok/rest_client_zrok/share"
 	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/tui"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@ -45,7 +46,7 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 	shrToken := args[0]
 	var target string

-	env, err := environment.LoadRoot()
+	root, err := environment.LoadRoot()
 	if err != nil {
 		if !panicInstead {
 			tui.Error("error loading environment", err)
@ -53,18 +54,18 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}

-	if !env.IsEnabled() {
+	if !root.IsEnabled() {
 		tui.Error("unable to load environment; did you 'zrok enable'?", nil)
 	}

-	zrok, err := env.Client()
+	zrok, err := root.Client()
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to create zrok client", err)
 		}
 		panic(err)
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", env.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
 	req := metadata.NewGetShareDetailParams()
 	req.ShrToken = shrToken
 	resp, err := zrok.Metadata.GetShareDetail(req, auth)
@ -78,8 +79,11 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 	if target == "" {
 		target = resp.Payload.BackendProxyEndpoint
 	}
+	if sdk.BackendMode(resp.Payload.BackendMode) == sdk.CaddyBackendMode {
+		cmd.headless = true
+	}

-	zif, err := env.ZitiIdentityNamed(env.EnvironmentIdentityName())
+	zif, err := root.ZitiIdentityNamed(root.EnvironmentIdentityName())
 	if err != nil {
 		if !panicInstead {
 			tui.Error("unable to load ziti identity configuration", err)
@ -106,6 +110,19 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 		logrus.Infof("using existing backend proxy endpoint: %v", target)
 	}

+	var shareDescription string
+	switch resp.Payload.ShareMode {
+	case string(sdk.PublicShareMode):
+		shareDescription = resp.Payload.FrontendEndpoint
+	case string(sdk.PrivateShareMode):
+		shareDescription = fmt.Sprintf("access your share with: %v", tui.Code.Render(fmt.Sprintf("zrok access private %v", shrToken)))
+	}
+
+	mdl := newShareModel(shrToken, []string{shareDescription}, sdk.ShareMode(resp.Payload.ShareMode), sdk.BackendMode(resp.Payload.BackendMode))
+	if !cmd.headless {
+		proxy.SetCaddyLoggingWriter(mdl)
+	}
+
 	requestsChan := make(chan *endpoints.Request, 1024)
 	switch resp.Payload.BackendMode {
 	case "proxy":
@ -114,9 +131,10 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 			EndpointAddress: target,
 			ShrToken:        shrToken,
 			Insecure:        cmd.insecure,
-			RequestsChan:    requestsChan,
+			Requests:        requestsChan,
 		}
-		_, err := cmd.proxyBackendMode(cfg)
+
+		be, err := proxy.NewBackend(cfg)
 		if err != nil {
 			if !panicInstead {
 				tui.Error("unable to create proxy backend handler", err)
@ -124,21 +142,99 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 			panic(err)
 		}

+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running http proxy backend: %v", err)
+			}
+		}()
+
 	case "web":
-		cfg := &proxy.WebBackendConfig{
+		cfg := &proxy.CaddyWebBackendConfig{
 			IdentityPath: zif,
 			WebRoot:      target,
 			ShrToken:     shrToken,
-			RequestsChan: requestsChan,
+			Requests:     requestsChan,
 		}
-		_, err := cmd.webBackendMode(cfg)
+
+		be, err := proxy.NewCaddyWebBackend(cfg)
 		if err != nil {
 			if !panicInstead {
-				tui.Error("unable to create web backend handler", err)
+				tui.Error("error creating web backend", err)
 			}
 			panic(err)
 		}

+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running http web backend: %v", err)
+			}
+		}()
+
+	case "tcpTunnel":
+		cfg := &tcpTunnel.BackendConfig{
+			IdentityPath:    zif,
+			EndpointAddress: target,
+			ShrToken:        shrToken,
+			RequestsChan:    requestsChan,
+		}
+
+		be, err := tcpTunnel.NewBackend(cfg)
+		if err != nil {
+			if !panicInstead {
+				tui.Error("error creating tcpTunnel backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running tcpTunnel backend: %v", err)
+			}
+		}()
+
+	case "udpTunnel":
+		cfg := &udpTunnel.BackendConfig{
+			IdentityPath:    zif,
+			EndpointAddress: target,
+			ShrToken:        shrToken,
+			RequestsChan:    requestsChan,
+		}
+
+		be, err := udpTunnel.NewBackend(cfg)
+		if err != nil {
+			if !panicInstead {
+				tui.Error("error creating udpTunnel backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running udpTunnel backend: %v", err)
+			}
+		}()
+
+	case "caddy":
+		cfg := &proxy.CaddyfileBackendConfig{
+			CaddyfilePath: target,
+			Shr:           &sdk.Share{Token: shrToken, FrontendEndpoints: []string{resp.Payload.FrontendEndpoint}},
+			Requests:      requestsChan,
+		}
+
+		be, err := proxy.NewCaddyfileBackend(cfg)
+		if err != nil {
+			if !panicInstead {
+				tui.Error("error creating caddy backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running caddy backend: %v", err)
+			}
+		}()
+
 	default:
 		tui.Error("invalid backend mode", nil)
 	}
@ -158,15 +254,6 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 			}
 		}
 	} else {
-		var shareDescription string
-		switch resp.Payload.ShareMode {
-		case string(sdk.PublicShareMode):
-			shareDescription = resp.Payload.FrontendEndpoint
-		case string(sdk.PrivateShareMode):
-			shareDescription = fmt.Sprintf("access your share with: %v", tui.Code.Render(fmt.Sprintf("zrok access private %v", shrToken)))
-		}
-
-		mdl := newShareModel(shrToken, []string{shareDescription}, sdk.ShareMode(resp.Payload.ShareMode), sdk.BackendMode(resp.Payload.BackendMode))
 		logrus.SetOutput(mdl)
 		prg := tea.NewProgram(mdl, tea.WithAltScreen())
 		mdl.prg = prg
@ -187,33 +274,3 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 		close(requestsChan)
 	}
 }
-
-func (cmd *shareReservedCommand) proxyBackendMode(cfg *proxy.BackendConfig) (endpoints.RequestHandler, error) {
-	be, err := proxy.NewBackend(cfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating http proxy backend")
-	}
-
-	go func() {
-		if err := be.Run(); err != nil {
-			logrus.Errorf("error running http proxy backend: %v", err)
-		}
-	}()
-
-	return be, nil
-}
-
-func (cmd *shareReservedCommand) webBackendMode(cfg *proxy.WebBackendConfig) (endpoints.RequestHandler, error) {
-	be, err := proxy.NewWebBackend(cfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating http web backend")
-	}
-
-	go func() {
-		if err := be.Run(); err != nil {
-			logrus.Errorf("error running http web backend: %v", err)
-		}
-	}()
-
-	return be, nil
-}
--- a/cmd/zrok/shareTui.go
+++ b/cmd/zrok/shareTui.go
@ -218,6 +218,10 @@ func (m *shareModel) Write(p []byte) (n int, err error) {
 	return len(p), nil
 }

+func (shareModel) Close() error {
+	return nil
+}
+
 func wrap(lines []string, width int) []string {
 	ret := make([]string, 0)
 	for _, line := range lines {
--- a/controller/store/sql/postgresql/013_v0_4_6_backend_mode_caddy.sql
+++ b/controller/store/sql/postgresql/013_v0_4_6_backend_mode_caddy.sql
@ -0,0 +1,3 @@
+-- +migrate Up
+
+alter type backend_mode add value 'caddy';
--- a/controller/store/sql/sqlite3/013_v0_4_6_backend_mode_caddy.sql
+++ b/controller/store/sql/sqlite3/013_v0_4_6_backend_mode_caddy.sql
@ -0,0 +1,54 @@
+-- +migrate Up
+
+alter table shares rename to shares_old;
+create table shares (
+    id                        integer             primary key,
+    environment_id            integer             constraint fk_environments_shares references environments on delete cascade,
+    z_id                      string              not null unique,
+    token                     string              not null unique,
+    share_mode                string              not null,
+    backend_mode              string              not null,
+    frontend_selection        string,
+    frontend_endpoint         string,
+    backend_proxy_endpoint    string,
+    reserved                  boolean             not null default(false),
+    created_at                datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at                datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')), deleted boolean not null default(false),
+
+    constraint chk_z_id check (z_id <> ''),
+    constraint chk_token check (token <> ''),
+    constraint chk_share_mode check (share_mode == 'public' or share_mode == 'private'),
+    constraint chk_backend_mode check (backend_mode == 'proxy' or backend_mode == 'web' or backend_mode == 'tcpTunnel' or backend_mode == 'udpTunnel' or backend_mode == 'caddy')
+);
+insert into shares select * from shares_old;
+drop table shares_old;
+
+alter table frontends rename to frontends_old;
+create table frontends (
+   id                    integer             primary key,
+   environment_id        integer             references environments(id),
+   token                 varchar(32)         not null unique,
+   z_id                  varchar(32)         not null,
+   public_name           varchar(64)         unique,
+   url_template          varchar(1024),
+   reserved              boolean             not null default(false),
+   created_at            datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+   updated_at            datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+   deleted               boolean             not null default(false),
+   private_share_id      integer             references shares(id)
+);
+insert into frontends select * from frontends_old;
+drop table frontends_old;
+
+alter table share_limit_journal rename to share_limit_journal_old;
+create table share_limit_journal (
+    id                  integer                 primary key,
+    share_id            integer                 references shares(id),
+    rx_bytes            bigint                  not null,
+    tx_bytes            bigint                  not null,
+    action              limit_action_type       not null,
+    created_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now'))
+);
+insert into share_limit_journal select * from share_limit_journal_old;
+drop table share_limit_journal_old;
--- a/endpoints/caddyListener.go
+++ b/endpoints/caddyListener.go
@ -0,0 +1,80 @@
+package endpoints
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/caddyserver/caddy/v2"
+	_ "github.com/caddyserver/caddy/v2/modules/standard"
+	"github.com/openziti/sdk-golang/ziti"
+	"github.com/openziti/sdk-golang/ziti/edge"
+	"github.com/openziti/zrok/environment"
+	"net"
+	"strings"
+)
+
+func init() {
+	caddy.RegisterNetwork("zrok", NewZrokListener)
+}
+
+type ZrokListener struct {
+	zctx  ziti.Context
+	share string
+	l     edge.Listener
+}
+
+func (l *ZrokListener) String() string {
+	return fmt.Sprintf("zrok/%s", l.share)
+}
+
+func (l *ZrokListener) Network() string {
+	return "zrok"
+}
+
+func (l *ZrokListener) Accept() (net.Conn, error) {
+	return l.l.Accept()
+}
+
+func (l *ZrokListener) Close() error {
+	_ = l.l.Close()
+	l.zctx.Close()
+	return nil
+}
+
+func (l *ZrokListener) Addr() net.Addr {
+	return l
+}
+
+func NewZrokListener(_ context.Context, _ string, addr string, _ net.ListenConfig) (any, error) {
+	shrToken := strings.Split(addr, ":")[0]
+	env, err := environment.LoadRoot()
+	if err != nil {
+		return nil, err
+	}
+	if !env.IsEnabled() {
+		return nil, errors.New("environment not enabled")
+	}
+	zif, err := env.ZitiIdentityNamed(env.EnvironmentIdentityName())
+	if err != nil {
+		return nil, err
+	}
+	zctx, err := ziti.NewContextFromFile(zif)
+	if err != nil {
+		return nil, err
+	}
+	conn, err := zctx.Listen(shrToken)
+	if err != nil {
+		return nil, err
+	}
+	l := &ZrokListener{
+		zctx:  zctx,
+		share: shrToken,
+		l:     conn,
+	}
+	return l, nil
+}
+
+var (
+	_ net.Addr     = (*ZrokListener)(nil)
+	_ net.Listener = (*ZrokListener)(nil)
+)
--- a/endpoints/proxy/backend.go
+++ b/endpoints/proxy/backend.go
@ -20,7 +20,7 @@ type BackendConfig struct {
 	EndpointAddress string
 	ShrToken        string
 	Insecure        bool
-	RequestsChan    chan *endpoints.Request
+	Requests        chan *endpoints.Request
 }

 type Backend struct {
@ -88,8 +88,8 @@ func newReverseProxy(cfg *BackendConfig) (*httputil.ReverseProxy, error) {
 	proxy.Transport = tpt
 	director := proxy.Director
 	proxy.Director = func(req *http.Request) {
-		if cfg.RequestsChan != nil {
-			cfg.RequestsChan <- &endpoints.Request{
+		if cfg.Requests != nil {
+			cfg.Requests <- &endpoints.Request{
 				Stamp:      time.Now(),
 				RemoteAddr: fmt.Sprintf("%v", req.Header["X-Real-Ip"]),
 				Method:     req.Method,
--- a/endpoints/proxy/browse.html
+++ b/endpoints/proxy/browse.html
--- a/endpoints/proxy/caddyLogger.go
+++ b/endpoints/proxy/caddyLogger.go
@ -0,0 +1,52 @@
+package proxy
+
+import (
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"io"
+)
+
+func init() {
+	caddy.RegisterModule(CaddyLogWriter{})
+}
+
+func SetCaddyLoggingWriter(w io.WriteCloser) {
+	loggingRequests = w
+}
+
+var loggingRequests io.WriteCloser
+
+type CaddyLogWriter struct{}
+
+func (CaddyLogWriter) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID:  "caddy.logging.writers.zrok_tui",
+		New: func() caddy.Module { return new(CaddyLogWriter) },
+	}
+}
+
+func (w *CaddyLogWriter) Provision(_ caddy.Context) error {
+	return nil
+}
+
+func (CaddyLogWriter) String() string {
+	return ""
+}
+
+func (CaddyLogWriter) WriterKey() string {
+	return "zrok_tui"
+}
+
+func (CaddyLogWriter) OpenWriter() (io.WriteCloser, error) {
+	return loggingRequests, nil
+}
+
+func (*CaddyLogWriter) UnmarshalCaddyfile(_ *caddyfile.Dispenser) error {
+	return nil
+}
+
+var (
+	_ caddy.Provisioner     = (*CaddyLogWriter)(nil)
+	_ caddy.WriterOpener    = (*CaddyLogWriter)(nil)
+	_ caddyfile.Unmarshaler = (*CaddyLogWriter)(nil)
+)
--- a/endpoints/proxy/caddyRequestsMiddleware.go
+++ b/endpoints/proxy/caddyRequestsMiddleware.go
@ -0,0 +1,73 @@
+package proxy
+
+import (
+	"fmt"
+	"github.com/openziti/zrok/endpoints"
+	"net/http"
+	"time"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
+)
+
+var middlewareRequests chan *endpoints.Request
+
+func init() {
+	caddy.RegisterModule(ZrokRequestsMiddleware{})
+	httpcaddyfile.RegisterHandlerDirective("zrok_requests", parseCaddyfile)
+}
+
+type ZrokRequestsMiddleware struct{}
+
+// CaddyModule returns the Caddy module information.
+func (ZrokRequestsMiddleware) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID:  "http.handlers.zrok_requests",
+		New: func() caddy.Module { return new(ZrokRequestsMiddleware) },
+	}
+}
+
+// Provision implements caddy.Provisioner.
+func (m *ZrokRequestsMiddleware) Provision(ctx caddy.Context) error {
+	return nil
+}
+
+// Validate implements caddy.Validator.
+func (m ZrokRequestsMiddleware) Validate() error {
+	return nil
+}
+
+// ServeHTTP implements caddyhttp.MiddlewareHandler.
+func (m ZrokRequestsMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
+	if middlewareRequests != nil {
+		middlewareRequests <- &endpoints.Request{
+			Stamp:      time.Now(),
+			RemoteAddr: fmt.Sprintf("%v", r.Header["X-Real-Ip"]),
+			Method:     r.Method,
+			Path:       r.URL.String(),
+		}
+	}
+	return next.ServeHTTP(w, r)
+}
+
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
+func (m *ZrokRequestsMiddleware) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	return nil
+}
+
+// parseCaddyfile unmarshals tokens from h into a new ZrokRequestsMiddleware.
+func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error) {
+	var m ZrokRequestsMiddleware
+	err := m.UnmarshalCaddyfile(h.Dispenser)
+	return m, err
+}
+
+// Interface guards
+var (
+	_ caddy.Provisioner           = (*ZrokRequestsMiddleware)(nil)
+	_ caddy.Validator             = (*ZrokRequestsMiddleware)(nil)
+	_ caddyhttp.MiddlewareHandler = (*ZrokRequestsMiddleware)(nil)
+	_ caddyfile.Unmarshaler       = (*ZrokRequestsMiddleware)(nil)
+)
--- a/endpoints/proxy/caddyWebBackend.go
+++ b/endpoints/proxy/caddyWebBackend.go
@ -0,0 +1,86 @@
+package proxy
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver"
+	"github.com/openziti/zrok/endpoints"
+	"go.uber.org/zap"
+	"time"
+)
+
+type CaddyWebBackendConfig struct {
+	IdentityPath string
+	WebRoot      string
+	ShrToken     string
+	Requests     chan *endpoints.Request
+}
+
+type CaddyWebBackend struct {
+	cfg      *CaddyWebBackendConfig
+	caddyCfg *caddy.Config
+}
+
+func NewCaddyWebBackend(cfg *CaddyWebBackendConfig) (*CaddyWebBackend, error) {
+	handler := fileserver.FileServer{Root: cfg.WebRoot}
+	handler.Browse = new(fileserver.Browse)
+
+	var handlers []json.RawMessage
+	middlewareRequests = cfg.Requests
+	handlers = append(handlers, caddyconfig.JSONModuleObject(&ZrokRequestsMiddleware{}, "handler", "zrok_requests", nil))
+	handlers = append(handlers, caddyconfig.JSONModuleObject(handler, "handler", "file_server", nil))
+
+	route := caddyhttp.Route{HandlersRaw: handlers}
+
+	server := &caddyhttp.Server{
+		ReadHeaderTimeout: caddy.Duration(10 * time.Second),
+		IdleTimeout:       caddy.Duration(30 * time.Second),
+		MaxHeaderBytes:    1024 * 10,
+		Routes:            caddyhttp.RouteList{route},
+	}
+	server.Listen = []string{fmt.Sprintf("zrok/%s", cfg.ShrToken)}
+
+	httpApp := caddyhttp.App{
+		Servers: map[string]*caddyhttp.Server{"static": server},
+	}
+
+	var false bool
+	caddyCfg := &caddy.Config{
+		Admin: &caddy.AdminConfig{
+			Disabled: true,
+			Config: &caddy.ConfigSettings{
+				Persist: &false,
+			},
+		},
+		AppsRaw: caddy.ModuleMap{
+			"http": caddyconfig.JSON(httpApp, nil),
+		},
+		Logging: &caddy.Logging{
+			Logs: map[string]*caddy.CustomLog{
+				"default": {
+					BaseLog: caddy.BaseLog{
+						Level: zap.ErrorLevel.CapitalString(),
+					},
+				},
+			},
+		},
+	}
+	if loggingRequests != nil {
+		caddyLog := caddyCfg.Logging.Logs["default"]
+		caddyLog.WriterRaw = caddyconfig.JSONModuleObject(&CaddyLogWriter{}, "output", "zrok_tui", nil)
+		caddyCfg.Logging.Logs["default"] = caddyLog
+	}
+
+	return &CaddyWebBackend{cfg: cfg, caddyCfg: caddyCfg}, nil
+}
+
+func (c *CaddyWebBackend) Run() error {
+	return caddy.Run(c.caddyCfg)
+}
+
+func (c *CaddyWebBackend) Requests() func() int32 {
+	return func() int32 { return 0 }
+}
--- a/endpoints/proxy/caddyfileBackend.go
+++ b/endpoints/proxy/caddyfileBackend.go
@ -0,0 +1,81 @@
+package proxy
+
+import (
+	_ "embed"
+	"fmt"
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver"
+	"github.com/openziti/zrok/endpoints"
+	"github.com/openziti/zrok/sdk"
+	"github.com/sirupsen/logrus"
+	"os"
+	"strings"
+	"text/template"
+)
+
+//go:embed browse.html
+var browseHtml string
+
+func init() {
+	fileserver.BrowseTemplate = browseHtml
+}
+
+type CaddyfileBackendConfig struct {
+	CaddyfilePath string
+	Shr           *sdk.Share
+	Requests      chan *endpoints.Request
+}
+
+type CaddyfileBackend struct {
+	cfg []byte
+}
+
+func NewCaddyfileBackend(cfg *CaddyfileBackendConfig) (*CaddyfileBackend, error) {
+	cdyf, err := preprocessCaddyfile(cfg.CaddyfilePath, cfg.Shr)
+	if err != nil {
+		return nil, err
+	}
+	var adapter caddyfile.Adapter
+	adapter.ServerType = httpcaddyfile.ServerType{}
+	caddyCfg, warnings, err := adapter.Adapt([]byte(cdyf), map[string]interface{}{"filename": cfg.CaddyfilePath})
+	if err != nil {
+		return nil, err
+	}
+	for _, warning := range warnings {
+		logrus.Warnf("%v [%d] (%v): %v", cfg.CaddyfilePath, warning.Line, warning.Directive, warning.Message)
+	}
+	return &CaddyfileBackend{cfg: caddyCfg}, nil
+}
+
+func (b *CaddyfileBackend) Run() error {
+	if err := caddy.Load(b.cfg, true); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (b *CaddyfileBackend) Requests() func() int32 {
+	return nil
+}
+
+func preprocessCaddyfile(inF string, shr *sdk.Share) (string, error) {
+	input, err := os.ReadFile(inF)
+	if err != nil {
+		return "", err
+	}
+	tmpl, err := template.New(inF).Parse(string(input))
+	if err != nil {
+		return "", err
+	}
+	output := new(strings.Builder)
+	if err := tmpl.Execute(output, &caddyfileData{ZrokBindAddress: fmt.Sprintf("zrok/%s", shr.Token)}); err != nil {
+		return "", err
+	}
+	return output.String(), nil
+}
+
+type caddyfileData struct {
+	ZrokBindAddress string
+}
--- a/endpoints/proxy/webBackend.go
+++ b/endpoints/proxy/webBackend.go
@ -1,82 +0,0 @@
-package proxy
-
-import (
-	"fmt"
-	"github.com/openziti/sdk-golang/ziti"
-	"github.com/openziti/sdk-golang/ziti/edge"
-	"github.com/openziti/zrok/endpoints"
-	"github.com/pkg/errors"
-	"net/http"
-	"time"
-)
-
-type WebBackendConfig struct {
-	IdentityPath string
-	WebRoot      string
-	ShrToken     string
-	RequestsChan chan *endpoints.Request
-}
-
-type WebBackend struct {
-	cfg      *WebBackendConfig
-	listener edge.Listener
-	handler  http.Handler
-}
-
-func NewWebBackend(cfg *WebBackendConfig) (*WebBackend, error) {
-	options := ziti.ListenOptions{
-		ConnectTimeout: 5 * time.Minute,
-		MaxConnections: 64,
-	}
-	zcfg, err := ziti.NewConfigFromFile(cfg.IdentityPath)
-	if err != nil {
-		return nil, errors.Wrap(err, "error loading config")
-	}
-	zctx, err := ziti.NewContext(zcfg)
-	if err != nil {
-		return nil, errors.Wrap(err, "error loading ziti context")
-	}
-	listener, err := zctx.ListenWithOptions(cfg.ShrToken, &options)
-	if err != nil {
-		return nil, errors.Wrap(err, "error listening")
-	}
-
-	be := &WebBackend{
-		cfg:      cfg,
-		listener: listener,
-	}
-	if cfg.RequestsChan != nil {
-		be.handler = &requestGrabber{requests: cfg.RequestsChan, handler: http.FileServer(http.Dir(cfg.WebRoot))}
-	} else {
-		be.handler = http.FileServer(http.Dir(cfg.WebRoot))
-	}
-	return be, nil
-}
-
-func (self *WebBackend) Run() error {
-	if err := http.Serve(self.listener, self.handler); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (self *WebBackend) Requests() func() int32 {
-	return func() int32 { return 0 }
-}
-
-type requestGrabber struct {
-	requests chan *endpoints.Request
-	handler  http.Handler
-}
-
-func (rl *requestGrabber) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
-	if rl.requests != nil {
-		rl.requests <- &endpoints.Request{
-			Stamp:      time.Now(),
-			RemoteAddr: fmt.Sprintf("%v", req.Header["X-Real-Ip"]),
-			Method:     req.Method,
-			Path:       req.URL.String(),
-		}
-	}
-	rl.handler.ServeHTTP(resp, req)
-}
--- a/etc/caddy/multiple_upstream.Caddyfile
+++ b/etc/caddy/multiple_upstream.Caddyfile
@ -0,0 +1,7 @@
+http:// {
+	bind {{ .ZrokBindAddress }}
+	reverse_proxy /zrok/* https://zrok.io
+	reverse_proxy /* 127.0.0.1:3000 {
+		header_up Host localhost:3000
+	}
+}
--- a/etc/caddy/simple_reverse_proxy.Caddyfile
+++ b/etc/caddy/simple_reverse_proxy.Caddyfile
@ -0,0 +1,4 @@
+http:// {
+	bind {{ .ZrokBindAddress }}
+	reverse_proxy 127.0.0.1:3000
+}
--- a/go.mod
+++ b/go.mod
@ -3,6 +3,7 @@ module github.com/openziti/zrok
 go 1.20

 require (
+	github.com/caddyserver/caddy/v2 v2.7.5-0.20230829153420-ed8bb13c5df7
 	github.com/charmbracelet/bubbles v0.14.0
 	github.com/charmbracelet/bubbletea v0.23.1
 	github.com/charmbracelet/lipgloss v0.6.0
@ -20,8 +21,8 @@ require (
 	github.com/jedib0t/go-pretty/v6 v6.4.3
 	github.com/jessevdk/go-flags v1.5.0
 	github.com/jmoiron/sqlx v1.3.5
-	github.com/lib/pq v1.10.0
-	github.com/mattn/go-sqlite3 v1.14.14
+	github.com/lib/pq v1.10.2
+	github.com/mattn/go-sqlite3 v1.14.15
 	github.com/michaelquigley/cf v0.0.13
 	github.com/michaelquigley/pfxlog v0.6.10
 	github.com/muesli/reflow v0.3.0
@ -40,6 +41,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
 	github.com/wneessen/go-mail v0.2.7
+	go.uber.org/zap v1.25.0
 	golang.org/x/crypto v0.12.0
 	golang.org/x/net v0.14.0
 	golang.org/x/time v0.3.0
@ -47,52 +49,109 @@ require (
 )

 require (
+	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/Jeffail/gabs v1.4.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/alecthomas/chroma/v2 v2.7.0 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20211106181442-e4c1a74c66bd // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
+	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52 v1.0.3 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/biogo/store v0.0.0-20200525035639-8c94ae1e7c9c // indirect
+	github.com/caddyserver/certmagic v0.19.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cespare/xxhash v1.1.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/containerd/console v1.0.3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/deepmap/oapi-codegen v1.8.2 // indirect
+	github.com/dgraph-io/badger v1.6.2 // indirect
+	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
+	github.com/dgraph-io/ristretto v0.1.0 // indirect
+	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
+	github.com/dlclark/regexp2 v1.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
+	github.com/go-kit/kit v0.10.0 // indirect
+	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/go-sql-driver/mysql v1.7.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+	github.com/golang/glog v1.1.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/cel-go v0.15.1 // indirect
+	github.com/google/certificate-transparency-go v1.1.4 // indirect
+	github.com/google/go-tpm v0.3.3 // indirect
+	github.com/google/go-tspi v0.3.0 // indirect
+	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
+	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
+	github.com/jackc/pgconn v1.14.0 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.2 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgtype v1.14.0 // indirect
+	github.com/jackc/pgx/v4 v4.18.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kataras/go-events v0.0.3 // indirect
-	github.com/klauspost/compress v1.13.6 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20230326075908-cb1d2100619a // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/manifoldco/promptui v0.9.0 // indirect
+	github.com/mastercactapus/proxyprotocol v0.0.4 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.18 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mholt/acmez v1.2.0 // indirect
+	github.com/micromdm/scep/v2 v2.1.0 // indirect
+	github.com/miekg/dns v1.1.55 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.13.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/openziti/foundation/v2 v2.0.29 // indirect
 	github.com/openziti/metrics v1.2.31 // indirect
@ -102,26 +161,75 @@ require (
 	github.com/parallaxsecond/parsec-client-go v0.0.0-20221025095442-f0a77d263cf9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect
+	github.com/prometheus/client_golang v1.14.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.2 // indirect
+	github.com/quic-go/quic-go v0.38.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rs/xid v1.5.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/slackhq/nebula v1.6.1 // indirect
+	github.com/smallstep/certificates v0.24.3-rc.5 // indirect
+	github.com/smallstep/go-attestation v0.4.4-0.20230509120429-e17291421738 // indirect
+	github.com/smallstep/nosql v0.6.0 // indirect
+	github.com/smallstep/truststore v0.12.1 // indirect
 	github.com/speps/go-hashids v2.0.0+incompatible // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
+	github.com/tailscale/tscert v0.0.0-20230509043813-4e9cb4f2b4ad // indirect
 	github.com/tklauser/go-sysconf v0.3.11 // indirect
 	github.com/tklauser/numcpus v0.6.0 // indirect
+	github.com/urfave/cli v1.22.14 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/yuin/goldmark v1.5.5 // indirect
+	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.mongodb.org/mongo-driver v1.12.1 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 // indirect
+	go.opentelemetry.io/contrib/propagators/autoprop v0.42.0 // indirect
+	go.opentelemetry.io/contrib/propagators/aws v1.17.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.17.0 // indirect
+	go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 // indirect
+	go.opentelemetry.io/contrib/propagators/ot v1.17.0 // indirect
 	go.opentelemetry.io/otel v1.16.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 // indirect
 	go.opentelemetry.io/otel/metric v1.16.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.16.0 // indirect
 	go.opentelemetry.io/otel/trace v1.16.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
+	go.step.sm/cli-utils v0.8.0 // indirect
+	go.step.sm/crypto v0.33.0 // indirect
+	go.step.sm/linkedca v0.20.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/term v0.11.0 // indirect
 	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/tools v0.10.0 // indirect
+	google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/grpc v1.56.2 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	howett.net/plist v1.0.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/rest_model_zrok/share_request.go
+++ b/rest_model_zrok/share_request.go
@ -28,7 +28,7 @@ type ShareRequest struct {
 	AuthUsers []*AuthUser `json:"authUsers"`

 	// backend mode
-	// Enum: [proxy web tcpTunnel udpTunnel]
+	// Enum: [proxy web tcpTunnel udpTunnel caddy]
 	BackendMode string `json:"backendMode,omitempty"`

 	// backend proxy endpoint
@ -100,7 +100,7 @@ var shareRequestTypeBackendModePropEnum []interface{}

 func init() {
 	var res []string
-	if err := json.Unmarshal([]byte(`["proxy","web","tcpTunnel","udpTunnel"]`), &res); err != nil {
+	if err := json.Unmarshal([]byte(`["proxy","web","tcpTunnel","udpTunnel","caddy"]`), &res); err != nil {
 		panic(err)
 	}
 	for _, v := range res {
@ -121,6 +121,9 @@ const (

 	// ShareRequestBackendModeUDPTunnel captures enum value "udpTunnel"
 	ShareRequestBackendModeUDPTunnel string = "udpTunnel"
+
+	// ShareRequestBackendModeCaddy captures enum value "caddy"
+	ShareRequestBackendModeCaddy string = "caddy"
 )

 // prop value enum
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@ -1468,7 +1468,8 @@ func init() {
            "proxy",
            "web",
            "tcpTunnel",
-            "udpTunnel"
+            "udpTunnel",
+            "caddy"
          ]
        },
        "backendProxyEndpoint": {
@ -3064,7 +3065,8 @@ func init() {
            "proxy",
            "web",
            "tcpTunnel",
-            "udpTunnel"
+            "udpTunnel",
+            "caddy"
          ]
        },
        "backendProxyEndpoint": {
--- a/sdk/model.go
+++ b/sdk/model.go
@ -7,6 +7,7 @@ const (
 	WebBackendMode       BackendMode = "web"
 	TcpTunnelBackendMode BackendMode = "tcpTunnel"
 	UdpTunnelBackendMode BackendMode = "udpTunnel"
+	CaddyBackendMode     BackendMode = "caddy"
 )

 type ShareMode string
@ -26,6 +27,7 @@ type ShareRequest struct {

 type Share struct {
 	Token             string
+	FrontendEndpoints []string
 }

 type AccessRequest struct {
--- a/sdk/share.go
+++ b/sdk/share.go
@ -49,7 +49,10 @@ func CreateShare(root env_core.Root, request *ShareRequest) (*Share, error) {
 		return nil, errors.Wrap(err, "unable to create share")
 	}

-	return &Share{Token: in.Payload.ShrToken}, nil
+	return &Share{
+		Token:             in.Payload.ShrToken,
+		FrontendEndpoints: in.Payload.FrontendProxyEndpoints,
+	}, nil
 }

 func newPrivateShare(root env_core.Root, request *ShareRequest) *share.ShareParams {
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@ -969,7 +969,7 @@ definitions:
          type: string
      backendMode:
        type: string
-        enum: ["proxy", "web", "tcpTunnel", "udpTunnel"]
+        enum: ["proxy", "web", "tcpTunnel", "udpTunnel", "caddy"]
      backendProxyEndpoint:
        type: string
      authScheme: