For this guide, you will need [Caddy 2](https://caddyserver.com/), there are no other dependencies. Caddy manages Let's Encrypt certificates and their renewal.
Caddy is in the most popular package managers, or you can get a static binary. For all the latest installation guides, refer to [their manual](https://caddyserver.com/docs/install).
If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise, it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable.
We will configure Caddy 2 to use GoToSocial on our main domain example.org. Since Caddy takes care of obtaining the Let's Encrypt certificate, we only need to configure it properly once.
In most simple use cases Caddy defaults to a file called Caddyfile. It can reload on changes, or can be configured through an HTTP API for zero downtime, but this is out of our current scope.
```bash
sudo mkdir -p /etc/caddy
sudo vim /etc/caddy/Caddyfile
```
While editing the file above, you should replace 'example.org' with your domain. Your domain should occur twice in the current configuration. If you have chosen another port number for GoToSocial other than port 8080, change the port number on the reverse proxy line to match that.
The file you're about to create should look like this:
By default, caddy sets `X-Forwarded-For` in forwarded requests. To make this and rate-limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../../api/ratelimiting.md) and [general configuration](../../configuration/general.md) docs
For advanced configuration, check the [reverse_proxy directive](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) at the Caddy documentation.