diff --git a/roles/caddy_socket_proxy/defaults/main.yaml b/roles/caddy_socket_proxy/defaults/main.yaml
new file mode 100644
index 0000000..4371b5b
--- /dev/null
+++ b/roles/caddy_socket_proxy/defaults/main.yaml
@@ -0,0 +1,4 @@
+---
+caddy_socket_proxy_target_container: "{{ caddy_socket_proxy_service_name }}"
+caddy_socket_proxy_container_ip: ""
+caddy_socket_proxy_auto_update: true
diff --git a/roles/caddy_socket_proxy/meta/argument_specs.yaml b/roles/caddy_socket_proxy/meta/argument_specs.yaml
new file mode 100644
index 0000000..5e212b1
--- /dev/null
+++ b/roles/caddy_socket_proxy/meta/argument_specs.yaml
@@ -0,0 +1,30 @@
+---
+argument_specs:
+ main:
+ description: >-
+ Sets up a caddy container and a systemd socket unit, forwarding traffic from it to
+ target container
+ options:
+ caddy_socket_proxy_service_name:
+ description: Name of the caddy service, used for systemd unit and container naming
+ type: str
+ required: true
+ caddy_socket_proxy_target_container:
+ description: Name of the container to forward traffic to
+ type: str
+ required: false
+ default: "{{ caddy_socket_proxy_service_name }}"
+ caddy_socket_proxy_target_http_port:
+ description: Port on the target container to forward traffic to
+ type: int
+ required: true
+ caddy_socket_proxy_container_ip:
+ description: IP address to assign to the caddy container.
+ type: str
+ required: false
+ default: ""
+ caddy_socket_proxy_auto_update:
+ description: Whether to automatically update the caddy container
+ type: bool
+ required: false
+ default: true
diff --git a/roles/caddy_socket_proxy/tasks/main.yaml b/roles/caddy_socket_proxy/tasks/main.yaml
new file mode 100644
index 0000000..575c8c6
--- /dev/null
+++ b/roles/caddy_socket_proxy/tasks/main.yaml 
@@ -0,0 +1,45 @@
+---
+- name: Create caddy socket proxy mount directories for {{ caddy_socket_proxy_service_name }}
+ ansible.builtin.file:
+ path: "{{ item.key }}"
+ state: directory
+ mode: "{{ item.value }}"
+ with_dict:
+ "/srv/{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy/": "0755"
+ "/srv/{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy/mounts": "0700"
+ "/srv/{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy/mounts/caddy": "0755"
+
+- name: Configure caddy socket proxy for {{ caddy_socket_proxy_service_name }}
+ ansible.builtin.template:
+ src: Caddyfile.j2
+ dest: "/srv/{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy/mounts/caddy/Caddyfile"
+ mode: "0644"
+ notify: Restart container service {{ caddy_socket_proxy_service_name }}-caddy-socket-proxy
+
+- name: Caddy socket proxy socket for {{ caddy_socket_proxy_service_name }}
+ ansible.builtin.import_role:
+ name: uumas.general.systemd_socket
+ vars:
+ systemd_socket_name: "{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy"
+ systemd_socket_requires:
+ - "{{ caddy_socket_proxy_target_container }}.service"
+
+- name: Caddy container for {{ caddy_socket_proxy_service_name }}
+ ansible.builtin.import_role:
+ name: container
+ vars:
+ container_name: "{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy"
+ container_image: "docker.io/library/caddy:2-alpine"
+ container_mounts:
+ - type: bind
+ source: "/srv/{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy/mounts/caddy"
+ destination: /etc/caddy
+ readonly: true
+ container_networks:
+ - name: "{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy"
+ ip: "{{ caddy_socket_proxy_container_ip }}"
+ container_requires:
+ - "{{ caddy_socket_proxy_service_name }}-caddy-socket-proxy.socket"
+ - "{{ caddy_socket_proxy_target_container }}.service"
+ container_auto_start: false
+ container_auto_update: "{{ caddy_socket_proxy_auto_update }}"
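Review bot: `container_image: "docker.io/library/caddy:2-alpine"` is a floating major tag while `caddy_socket_proxy_auto_update` defaults to `true`, so the proxy sitting in front of every service moves to whatever 2.x image the registry serves next, with no pin to review and no record of which release the `trusted_proxies_unix` / `bind fd/3` Caddyfile was tested against. A minor-version tag or an image digest, plus a comment above the image line stating the minimum Caddy release the Caddyfile needs, would keep updates deliberate without taking the auto-update option away. The `notify: Restart container service …` handler is not defined in this diff; presumably the `container` role imported below provides it, which is worth confirming since a missing handler fails the play at runtime.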
diff --git a/roles/caddy_socket_proxy/templates/Caddyfile.j2 b/roles/caddy_socket_proxy/templates/Caddyfile.j2
new file mode 100644
index 0000000..7988167
--- /dev/null
+++ b/roles/caddy_socket_proxy/templates/Caddyfile.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+{
+ servers {
+ trusted_proxies_unix
+ }
+}
+
+http:// {
+ bind fd/3
+ reverse_proxy {{ caddy_socket_proxy_service_name }}:{{ service_container_http_port }}
+}
diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml
index 7d19cdb..23cd41e 100644
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -51,16 +51,16 @@ container_wants: "{{ _service_container_wants }}"
 container_auto_update: "{{ service_auto_update }}"
-- name: Socat for http of {{ service_name }}
+- name: Caddy socket proxy for http of {{ service_name }}
 ansible.builtin.include_role:
- name: socat
+ name: caddy_socket_proxy
 when: service_container_http_port > 0
 vars:
- socat_service_name: "{{ service_name }}"
- socat_target_http_port: "{{ service_container_http_port }}"
- socat_container_ip: >-
+ caddy_socket_proxy_service_name: "{{ service_name }}"
+ caddy_socket_proxy_target_http_port: "{{ service_container_http_port }}"
+ caddy_socket_proxy_container_ip: >-
 {{ service_container_ip | ansible.utils.ipmath(257) if _service_static_ip else '' }}
- socat_auto_update: "{{ service_auto_update }}"
+ caddy_socket_proxy_auto_update: "{{ service_auto_update }}"
 - name: Socat for socket published ports of {{ service_name }}
 ansible.builtin.include_role:
diff --git a/roles/service/vars/main/general.yaml b/roles/service/vars/main/general.yaml
index 56785e7..4843d38 100644
--- a/roles/service/vars/main/general.yaml
+++ b/roles/service/vars/main/general.yaml 
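Review bot: `reverse_proxy {{ caddy_socket_proxy_service_name }}:{{ service_container_http_port }}` bypasses the role's own interface: argument_specs declares `caddy_socket_proxy_target_container` and a required `caddy_socket_proxy_target_http_port` (the latter is not read by any file in this diff), yet the template reaches for the caller's `service_container_http_port`, so the role only renders when included from roles/service (the include in roles/service/tasks/main.yaml in this same diff) and an override of the target container never reaches Caddy. The line should read `reverse_proxy {{ caddy_socket_proxy_target_container }}:{{ caddy_socket_proxy_target_http_port }}`. `trusted_proxies_unix` also deserves a comment, because it makes Caddy treat every peer arriving over the unix socket as a trusted proxy and honour its forwarded headers, while who may connect to that socket is decided by the systemd_socket role outside this diff; something like `# every peer on the activated unix socket is a trusted proxy; socket permissions must restrict it to the host reverse proxy` above the `servers` block would record that dependency.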
@@ -7,7 +7,7 @@ _service_container_networks: >-
 }]
 + (
 [{
- 'name': service_name ~ '-socat',
+ 'name': service_name ~ '-caddy-socket-proxy',
 'ip': service_container_ip | ansible.utils.ipmath(256) if _service_static_ip else ''
 }] if service_container_http_port > 0 else []
 )
@@ -33,7 +33,7 @@ _service_container_requires: >-
 _service_container_wants: >-
 {{ service_wants
- + ([service_name + '-socat.socket'] if service_container_http_port > 0 else [])
+ + ([service_name + '-caddy-socket-proxy.socket'] if service_container_http_port > 0 else [])
 + ([service_name + '-oauth2-proxy.socket'] if _service_oauth2_proxy else [])
 + _service_container_publish_socket_ports | map(attribute='name')
diff --git a/roles/service/vars/main/proxy.yaml b/roles/service/vars/main/proxy.yaml
index 8b07946..bdf9c81 100644
--- a/roles/service/vars/main/proxy.yaml
+++ b/roles/service/vars/main/proxy.yaml
@@ -2,7 +2,7 @@ _service_native_socket: "{{ service_domains | length > 0 and service_container_http_port == 0 }}"
 _service_socket_path: >-
- /run/{{ service_name ~ ('-socat' if not _service_native_socket else '' ) }}.sock
+ /run/{{ service_name ~ ('-caddy-socket-proxy' if not _service_native_socket else '' ) }}.sock
 _service_replacement_host_header:
 Host: "{{ service_name }}:{{ service_container_http_port }}"
diff --git a/roles/synapse/tasks/main.yaml b/roles/synapse/tasks/main.yaml
index bdd5cff..4a5ba8b 100644
--- a/roles/synapse/tasks/main.yaml
+++ b/roles/synapse/tasks/main.yaml
@@ -82,7 +82,7 @@ vhost_domains:
 - "{{ synapse_external_domain }}:8448"
 vhost_proxy_target_netproto: unix
- vhost_proxy_target_socket: "/run/synapse-socat.sock"
+ vhost_proxy_target_socket: "/run/synapse-caddy-socket-proxy.sock"
 - name: Open port for synapse federation
 ansible.posix.firewalld: