diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 28c0478..a915884 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -2,10 +2,6 @@ name: CI
 on: [push, pull_request]
-env:
- DEBOOTSTRAP_SUITE: buster
- DEBOOTSTRAP_DATE: 2020-08-01
-
 jobs:
 test:
 # The type of runner that the job will run on
@@ -15,6 +11,8 @@ jobs:
 steps:
 - name: Checks-out repository
 uses: actions/checkout@v2
+ with:
+ submodules: true
 - name: Enable cache
 uses: actions/cache@v2.1.1
@@ -31,7 +29,7 @@ jobs:
 run: |
 mkdir -p "$GITHUB_WORKSPACE/cache/apt"
 chmod a+rwx "$GITHUB_WORKSPACE/cache/apt"
- docker run -d --name aptcache --read-only --cap-drop=ALL --volume $GITHUB_WORKSPACE/cache/apt:/data --expose 3142 dubodubonduponey/aptutil
+ docker run -d --name aptcache --read-only --cap-drop=ALL --volume $GITHUB_WORKSPACE/cache/apt:/data --expose 3142 dubodubonduponey/aptutil:buster-2020-08-01
 - name: Install multi-arch buildx environment
 run: |
diff --git a/.travis.yml b/.travis.yml
index c557d14..316a748 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -27,7 +27,7 @@ before_install:
 - docker run --rm --privileged docker/binfmt:a7996909642ee92942dcd6cff44b9b95f08dad64
 install:
- - curl -sL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v1.16.0/hadolint-$(uname -s)-$(uname -m)"
+ - curl -sL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v1.18.0/hadolint-$(uname -s)-$(uname -m)"
 && chmod 700 ./hadolint
 script:
@@ -36,8 +36,4 @@ script:
 matrix:
 include:
 - os: linux
- dist: bionic
- env:
- - DEBOOTSTRAP_SUITE=buster
- - DEBOOTSTRAP_DATE=2020-08-01
- - TEST_DOES_NOT_BUILD=
+ dist: focal
diff --git a/Dockerfile b/Dockerfile
index 0278d08..bb1e083 100644
--- a/Dockerfile
+++ b/Dockerfile
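Review bot: The aptcache image on the new `docker run` line is pinned to the mutable tag `dubodubonduponey/aptutil:buster-2020-08-01`, so a re-push of that tag silently changes what CI executes with a host volume mounted. Pin by content as well, `dubodubonduponey/aptutil:buster-2020-08-01@sha256:<digest-placeholder>`, keeping the tag for readability. The unquoted `$GITHUB_WORKSPACE` in `--volume` predates this change but is worth quoting in the same pass, since a workspace path with spaces would split the argument; the rest of the step is outside the hunk.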
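Review bot: The hadolint download on the `+` line of the `.travis.yml` hunk still installs whatever `curl` returns, with no integrity check and without `-f`, so an HTTP error body would be saved as the binary and only fail later when it is executed. Use `curl -fsSL -o hadolint "..."` and verify the file against a checksum recorded in this repository before the `chmod`, e.g. `echo "<sha256-placeholder>  hadolint" | sha256sum -c -`; fetching the checksum from the same URL at build time would only check transport, not provenance. The `&& chmod 700 ./hadolint` continuation is a context line and stays as is.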
@@ -56,6 +56,23 @@ RUN env GOOS=linux GOARCH="$(printf "%s" "$TARGETPLATFORM" | sed -E 's
 COPY --from=builder-healthcheck /dist/boot/bin /dist/boot/bin
 RUN chmod 555 /dist/boot/bin/*
+#######################
+# Caddy
+#######################
+# hadolint ignore=DL3006
+FROM --platform=$BUILDPLATFORM $BUILDER_BASE AS builder-caddy
+
+# This is 2.1.1+ with golang 1.15 support (08/21/2020)
+ARG GIT_REPO=github.com/caddyserver/caddy
+ARG GIT_VERSION=0279a57ac465b2920abf71d86203d9feac2015b5
+
+WORKDIR $GOPATH/src/$GIT_REPO
+RUN git clone https://$GIT_REPO .
+RUN git checkout $GIT_VERSION
+
+# hadolint ignore=DL4006
+RUN env GOOS=linux GOARCH="$(printf "%s" "$TARGETPLATFORM" | sed -E 's/^[^/]+\/([^/]+).*/\1/')" go build -v -ldflags "-s -w" \
+ -o /dist/boot/bin/caddy ./cmd/caddy
 #######################
 # Builder assembly
@@ -65,6 +82,7 @@ FROM $BUILDER_BASE
 COPY --from=builder-healthcheck /dist/boot/bin /dist/boot/bin
 COPY --from=builder-cacher /dist/boot/bin /dist/boot/bin
+COPY --from=builder-caddy /dist/boot/bin /dist/boot/bin
 RUN chmod 555 /dist/boot/bin/*; \
 epoch="$(date --date "$BUILD_CREATED" +%s)"; \
@@ -78,12 +96,17 @@ FROM $RUNTIME_BASE
 COPY --from=builder --chown=$BUILD_UID:root /dist .
-EXPOSE 3142/tcp
+EXPOSE 8080/tcp
 VOLUME /data
+ENV USERNAME=dubo-dubon-duponey
+ENV PASSWORD=base64_bcrypt_encoded_use_caddy_hash_password_to_generate
+ENV REALM="My precious"
+ENV LOG_LEVEL=info
+ENV PORT=8080
+
 # System constants, unlikely to ever require modifications in normal use
 ENV HEALTHCHECK_URL="http://127.0.0.1:3142/archive?healthcheck=internal"
-ENV PORT=3142
 HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=1 CMD http-health || exit 1
diff --git a/build.sh b/build.sh
index 003c72d..257ad5f 100755
--- a/build.sh
+++ b/build.sh
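Review bot: The `go build` on the last `+` line of the builder-caddy stage resolves Caddy's module graph at image-build time, and whether those downloads are checked against `go.sum` depends on `GOFLAGS`/`GONOSUMDB`/`GOPROXY` in `$BUILDER_BASE`, which is outside this hunk; adding `-mod=readonly` to that line makes a `go.sum` mismatch fail the build rather than being rewritten on a Go 1.15 toolchain. `-trimpath` on the same line drops builder paths from the binary and helps reproducible builds. The `# This is 2.1.1+ with golang 1.15 support (08/21/2020)` comment will drift from `GIT_VERSION`; prefer `# Caddy commit pinned by GIT_VERSION below; update the date here when bumping it`.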
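Review bot: `ENV PASSWORD=base64_bcrypt_encoded_use_caddy_hash_password_to_generate` bakes a placeholder credential into the image next to a fixed `USERNAME`, and since `sites.d/aptutil.conf` passes both straight into `basicauth`, a container started without overriding them either fails to provision or runs with a well-known account, depending on how this Caddy build treats a value that is not valid base64 — confirm which and say so in the README. Image `ENV` values are also readable through `docker inspect` and by every process in the container, so a comment on that line, `# Placeholder only: generate a hash with 'hash-password' and override at runtime`, plus a check in `entrypoint.sh` that refuses to start while `PASSWORD` still equals the placeholder, would make the failure mode explicit instead of implicit. `HEALTHCHECK_URL` still points at 127.0.0.1:3142, which matches the new apt-cacher `listen_address`, but that port is no longer exposed, so the "System constants" comment should state that the health check bypasses Caddy and probes the backend directly.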
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
-export DEBOOTSTRAP_DATE="${DEBOOTSTRAP_DATE:-2020-08-01}"
+export DEBOOTSTRAP_DATE="${DEBOOTSTRAP_DATE:-2020-08-15}"
 # For good info on qemu / multi-arch and buildx:
 # https://medium.com/@artur.klauser/building-multi-architecture-docker-images-with-buildx-27d80f7e2408
diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh
index 177bfcb..155a33e 100644
--- a/context/runtime/boot/entrypoint.sh
+++ b/context/runtime/boot/entrypoint.sh
@@ -7,11 +7,13 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 exit 1
 }
-LOG_LEVEL="${LOG_LEVEL:-info}"
-LOG_FORMAT="${LOG_FORMAT:-plain}"
+apt-cacher -f /config/apt-cacher.toml -logfile /dev/stdout -logformat "${APT_LOG_FORMAT:-plain}" -loglevel "${APT_LOG_LEVEL:-error}" &
-# Run once configured
-#args=(apt-mirror -f /config/apt-mirror.toml -logfile /dev/stdout -logformat "$LOG_FORMAT" -loglevel "$LOG_LEVEL")
-args=(apt-cacher -f /config/apt-cacher.toml -logfile /dev/stdout -logformat "$LOG_FORMAT" -loglevel "$LOG_LEVEL")
-
-exec "${args[@]}" "$@"
+case "${1:-}" in
+ "hash-password")
+ exec caddy "$@"
+ ;;
+ *)
+ exec caddy run -config /config/caddy/main.conf --adapter caddyfile
+ ;;
+esac
diff --git a/context/runtime/config/apt-cacher.toml b/context/runtime/config/apt-cacher.toml
index 39ba8a9..1e5bacf 100644
--- a/context/runtime/config/apt-cacher.toml
+++ b/context/runtime/config/apt-cacher.toml
@@ -1,6 +1,6 @@
 # listen_address is the listening address of go-apt-cacher.
 # Default is ":3142".
-listen_address = ":3142"
+listen_address = "127.0.0.1:3142"
 # Interval to check updates for Release/InRelease files.
 # Default: 600 seconds
@@ -32,7 +32,7 @@ max_conns = 10
 # Details at https://godoc.org/github.com/cybozu-go/well#LogConfig
 [log]
 #filename = "/var/log/go-apt-cacher.log"
-level = "info"
+level = "error"
 format = "plain"
 # mapping declares which prefix maps to a Debian repository URL.
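Review bot: The `+apt-cacher ... &` line in the entrypoint hunk starts the backend unsupervised: once the shell has `exec`'d into caddy, an apt-cacher crash leaves the container running with a dead upstream, noticed only through the Caddy health check and the container `HEALTHCHECK`. Either say so in a comment, `# backend is not supervised; a crash surfaces only via health checks`, or fail fast before the `exec` with `kill -0 "$!" || { echo "apt-cacher failed to start" >&2; exit 1; }`. The hunk also silently renames the apt-cacher knobs from `LOG_LEVEL`/`LOG_FORMAT` to `APT_LOG_LEVEL`/`APT_LOG_FORMAT` (the old name now drives Caddy via the Dockerfile `ENV`) and lowers the default from `info` to `error`, which is a breaking change for existing deployments and belongs in the README/changelog. The `*)` branch starts the proxy for any unrecognised first argument, so a typo in a subcommand is swallowed; an explicit `"")` case with an error for everything else would catch that. The `usage` helper that `exit 1` belongs to starts outside the hunk.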
diff --git a/context/runtime/config/caddy/main.conf b/context/runtime/config/caddy/main.conf
new file mode 100644
index 0000000..0bfdc74
--- /dev/null
+++ b/context/runtime/config/caddy/main.conf
@@ -0,0 +1,10 @@
+{
+# {$debug}
+# default_sni {$SNI}
+ admin off
+# local_certs
+ auto_https off
+}
+
+# Import all sites config
+import sites.d/*.conf
diff --git a/context/runtime/config/caddy/sites.d/aptutil.conf b/context/runtime/config/caddy/sites.d/aptutil.conf
new file mode 100644
index 0000000..363f610
--- /dev/null
+++ b/context/runtime/config/caddy/sites.d/aptutil.conf
@@ -0,0 +1,44 @@
+http://:{$PORT} {
+ @proxy {
+ header Proxy-Authorization Basic*
+ }
+
+ @noproxy {
+ not {
+ header Proxy-Authorization Basic*
+ }
+ }
+
+ request_header @proxy Authorization {http.request.header.Proxy-Authorization}
+ request_header @proxy -Proxy-Authorization
+
+ log {
+ output stdout
+ format json
+ level {$LOG_LEVEL}
+ }
+
+ header {
+ X-Xss-Protection "1; mode=block"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ }
+
+ reverse_proxy @proxy http://127.0.0.1:{$PORT}
+
+ basicauth @noproxy bcrypt "{$REALM}" {
+ {$USERNAME} {$PASSWORD}
+ }
+
+ reverse_proxy @noproxy http://127.0.0.1:3142 {
+ # active health checking
+ # XXX health does not seem to work /archive?healthcheck=internal
+ health_path /
+ health_port 3142
+ health_interval 60s
+ health_timeout 5s
+ health_status 200
+ health_status 404
+ }
+}
diff --git a/docker-bake.override.hcl b/docker-bake.override.hcl
index 9dca202..e4dc2af 100644
--- a/docker-bake.override.hcl
+++ b/docker-bake.override.hcl
@@ -7,4 +7,13 @@ target "default" {
 tags = [
 "dubodubonduponey/aptutil",
 ]
+/* platforms = [
+ "linux/amd64",
+ "linux/arm64",
+ "linux/arm/v7",
+ "linux/arm/v6",
+ "linux/386",
+ "linux/s390x",
+ "linux/ppc64el",
+ ]*/
 }
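Review bot: The site in `sites.d/aptutil.conf` listens on `http://:{$PORT}` with `auto_https off` in `main.conf`, so the `basicauth` credentials and any `Proxy-Authorization` a client sends cross the network in clear text; that is a reasonable trade-off for a LAN apt cache, but it should be stated in the README together with the advice to terminate TLS in front when the cache is reachable beyond a trusted segment. The `log` block writes JSON access logs at `level {$LOG_LEVEL}` to stdout, and I have not verified whether the pinned Caddy commit redacts `Authorization`/`Proxy-Authorization` header values in those logs — confirm it before shipping, otherwise the password the bcrypt hash protects is recoverable from container logs. `reverse_proxy @proxy http://127.0.0.1:{$PORT}` deliberately re-enters this same listener so the rewritten `Authorization` header is checked by `basicauth` on the second pass; a comment above it, `# loop back through ourselves: Proxy-Authorization was moved to Authorization above, so basicauth validates it on the next pass`, would stop the next reader from treating it as a misconfiguration, and it is worth noting that the second pass sees 127.0.0.1 as the client, so any future IP-based matcher must look at X-Forwarded-For instead. `health_status 404` marks the backend healthy on a 404 for `/`, which the XXX comment already says is a workaround; either document why 404 is acceptable or remove the line once the real endpoint works.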