Kevin Froman's blog

Blog on security, programming, & other musings

Using Caddy To Create a Secure Socket Server



Telnet wasn't all bad. Simple socket servers are handy for debugging or remote access purposes, but sadly telnet is insecure, having no encryption. SSH is a viable alternative, but it is a little bloated and is different on various platforms.

So what to do?

Use Caddy!

Caddy is a small but powerful server written in Go. It works by chaining 'middlewares' (plugins). It is mainly a web server, but it can also serve basic TCP using the 'net' plugin.

In this short guide, I will explain how to setup a basic secure socket server using Caddy. The server works on Linux but any OS with openssl can connect.

Setup the server


For the server you will need:


The 'caddyfile' just has these 4 lines:

proxy :1337 :1338 {

'tls' can also be 'tls self_signed' for testing purposes or to not rely on a certificate authority (even SSH does not rely on a CA by default)

Start Caddy by doing $ ./caddy -conf='caddyfile' -type='net'

Python Script

Our Python server script will require 0 net code. Simple I/O example:

print('Hello World!')
print('Enter your name:')
user = input(">")
print("Nice to meet you \"" + user + "\"")


Caddy will be a tls proxy to our simple tcpserver (part of ucspi-tcp) which will serve our Python script.

Run tcpserver by doing $ tcpserver 1338 ./

Connect to the server

Any client with openssl (or similar) can connect. For openssl, do $ openssl s_client -connect

-quiet can be specified to reduce openssl information output.


Caddy + tcpserver is a good telnet replacement for when one just wants to provide a standard i/o program over a secure network connection without ssh.

Netcat can be used instead of tcpserver, but netcat only supports 1 connection at a time.

This setup is more secure than telnet, but there is likely to be some issues such as in openssl, Caddy, or tcpserver. Security sensitive scripts should be secured with some type of authentication.

Written by anonymous