Caddy (web server)
“Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
THE ULTIMATE SERVER
Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
Caddy is licensed with the Apache 2.0 open source license.
Fewer moving parts
Caddy simplifies your infrastructure. It takes care of TLS certificate renewals, OCSP stapling, static file serving, reverse proxying, Kubernetes ingress, and more.
Its modular architecture means you can do more with a single, static binary that compiles for any platform.
Caddy runs great in containers because it has no dependencies—not even libc. Run Caddy practically anywhere.
Documentation
Caddy does the work of your WAF, web server, ingress, reverse proxy, TLS terminator, logging, caching, and TLS certificate management.
Best-in-class security Caddy is the only web server to use HTTPS automatically and by default.
Caddy obtains and renews TLS certificates for your sites automatically. It even staples OCSP responses. Its novel certificate management features are the most mature and reliable in its class.
Written in Go, Caddy offers greater memory safety than servers written in C. A hardened TLS stack powered by the Go standard library serves a significant portion of all Internet traffic.
Download
Caddy is the only server to use HTTPS automatically and by default Backed by Ardan Ardan Labs is the trusted partner of the Caddy Web Server open source project, providing enterprise-grade support to our clients.
Together, we consult and train, as well as develop, install, and maintain Caddy and its plugins to ensure your infrastructure runs smoothly and efficiently. Contact us to get started!
Let's talk
Ardan Labs File server and proxy Caddy is both a flexible, efficient static file server and a powerful, scalable reverse proxy.
Use it to serve your static site with compression, template evaluation, Markdown rendering, and more.
Or use it as a dynamic reverse proxy to any number of backends, complete with active and passive health checks, load balancing, circuit breaking, caching, and more.
Download
Caddy is the only server to use HTTPS automatically and by default 1-LINERS These commands are production-ready. When given a domain name, Caddy will use HTTPS by default, which provisions and renews certificates for you.*
- Requires domain's public A/AAAA DNS records pointed at your machine.
Quick, local file server $ caddy file-server Public file server over HTTPS $ caddy file-server –domain example.com HTTPS reverse proxy $ caddy reverse-proxy –from example.com –to localhost:9000 Run server with Caddyfile in working directory (if present) $ caddy run DOWNLOAD CLI DOCS THE CADDYFILE A config file that's human-readable and easy to write by hand. Perfect for most common and manual configurations. Local file server with template evaluation localhost
templates file_server HTTPS reverse proxy with custom load balancing and active health checks example.com # Your site's domain name
- Load balance between three backends with custom health checks
reverse_proxy 10.0.0.1:9000 10.0.0.2:9000 10.0.0.3:9000 {
lb_policy random_choose 2 health_path /ok health_interval 10s
} HTTPS site with clean URLs, reverse proxying, compression, and templates example.com
- Templates give static sites some dynamic features
templates
- Compress responses according to Accept-Encoding headers
encode gzip zstd
- Make HTML file extension optional
try_files {path}.html {path}
- Send API requests to backend
reverse_proxy /api/* localhost:9005
- Serve everything else from the file system
file_server DOWNLOAD CADDYFILE DOCS CONFIG API Caddy is dynamically configurable with a RESTful JSON API. Config updates are graceful, even on Windows.
Using JSON gives you absolute control over the edge of your compute platform, and is perfect for dynamic and automated deployments. Set a new configuration POST /config/
{
"apps": { "http": { "servers": { "example": { "listen": ["127.0.0.1:2080"], "routes": [{ "@id": "demo", "handle": [{ "handler": "file_server", "browse": {} }] }] } } } }} Export current configuration GET /config/ Change only a specific part of the config PUT /id/demo/handle/0
{“handler”: “templates”} All changes made through the API are persisted to disk so they can continue to be used after restarts. DOWNLOAD API DOCS TUTORIAL
Secure by Default Caddy is the only web server that uses HTTPS by default. A hardened TLS stack with modern protocols preserves privacy and exposes MITM attacks.
Config API As its primary mode of configuration, Caddy's REST API makes it easy to automate and integrate with your apps.
No Dependencies Because Caddy is written in Go, its binaries are entirely self-contained and run on every platform, including containers without libc.
Modular Stack Take back control over your compute edge. Caddy can be extended with everything you need using plugins.
✔ Static sites ✔ Dynamic sites ✔ Reverse proxy ✔ Dynamic config ✔ Extensible core ✔ Automagic TLS Features General Caddy 2 was boldly engineered to simplify your infrastructure and give you control over the edge of your compute platform.
Architecture EXTENSIBLE Caddy can embed any Go application as a plugin, and has first-class support for plugins of plugins.
MINIMAL GLOBAL STATE Global state is common in servers, but tends to be error-prone and a bottleneck, so Caddy 2 uses a novel design that limits global state.
LIGHTWEIGHT For all its features, Caddy runs lightly and efficiently with relatively low memory footprint and high throughput.
MULTI-CORE When the going gets tough, Caddy gets going on more CPUs. Go's scheduler understands Go code, and goroutines are more lightweight than system threads.
STATIC BINARY Caddy is a single executable file with no dependencies, not even libc. Literally just needs some metal and a kernel. Put Caddy in your PATH and run it. Done.
CROSS-PLATFORM Caddy runs on Windows, macOS, Linux, BSD, Android, Solaris, 32-bit, amd64, ARM, aarch64, mips64… almost anything to which Go compiles.
Configuration JSON STRUCTURE Caddy's native config format is JSON, so it is familiar and highly interoperable with existing systems and tools.
REST API Caddy's configuration is received through a REST endpoint as a single JSON document, making it highly programmable.
CONFIG FILES OPTIONAL You can use config files with Caddy's CLI, which converts them to API requests for you under the hood.
CONFIG ADAPTERS Bring your own config! Config adapters translate various config formats (Caddyfile, TOML, NGINX, etc.) into Caddy's native JSON.
THE CADDYFILE An easy, intuitive way to configure your site. It's not scripting, and not hard to memorize. Rolls off the fingers. You'll really like it.
UNIFIED CONFIG All configuration is contained within a single JSON document so there are fewer hidden factors affecting your config.
PARTIAL UPDATES When you have just small changes to make, Caddy's API lets you update just the relevant parts of its config.
FINE-GRAINED CONTROL Caddy's native JSON exposes the actual fields allocated in memory by the running server to give you more control.
EXPORT You can export a live copy of Caddy's current configuration with a GET request to its API.
EFFICIENT RELOADS Config updates are finely tuned for efficiency so you can reload config dozens of times per second.
GRACEFUL RELOADS Config changes take effect without downtime or closing sockets—even on Windows.
CONFIG VALIDATION You can use Caddy's CLI to preview and validate configurations before applying them.
Basic Features THE CADDYFILE An easy, intuitive way to configure your site. It's not scripting, and not hard to memorize. Rolls off the fingers. You'll really like it.
STATIC FILES By default, Caddy will serve static files in the current working directory. It's so brilliantly simple and works fast.
DYNAMIC SITES Caddy can also be used to serve dynamic sites with templates, proxying, FastCGI, and by the use of plugins.
COMMAND LINE INTERFACE Customize how Caddy runs with its simple, cross-platform command line interface; especially great for quick, one-off server instances.
PLUGINS Caddy can be extended with plugins. All apps, Caddyfile directives, HTTP handlers, and other features are plugins! They're easy to write and get compiled in directly.
MULTI-CORE When the going gets tough, Caddy gets going on more CPUs. Go's scheduler understands Go code, and goroutines are more lightweight than system threads. So yeah, it's fast.
EMBEDDABLE Writing another program or web service that could use a powerful web server or reverse proxy? Caddy can be used like a library in your Go program.
CADDYFILE VALIDATION Caddy can parse and verify your Caddyfile without actually running it.
PROCESS LOG Caddy can write a log of all its significant events, especially errors. Log to a file, stdout/stderr, or a local or remote system log!
LOG ROLLING When log files get large, Caddy will automatically rotate them to conserve disk space.
Security and Privacy Caddy's flagship features are security and privacy. Caddy is the first and only web server to enable HTTPS automatically and by default.
TLS TLS 1.3 TLS 1.3 is the newest standard for transport security, which is faster and more secure than its predecessors.
MODERN CIPHER SUITES Caddy uses the best crypto technologies including AES-GCM, ChaCha, and ECC by default, balancing security and compatibility. You can customize which ciphers are allowed.
MEMORY SAFETY Caddy is the only web server in its class that is impervious to bugs like Heartbleed and buffer overflows because it is written in the memory-safe language of Go.
CLIENT AUTHENTICATION With TLS client auth, you can configure Caddy to allow only certain clients to connect to your service.
HARDENED STACK Caddy is proudly written in Go, and its TLS stack is powered by the robust crypto/tls package in the Go standard library, trusted by the world's largest content distributors.
PCI COMPLIANT Companies choose Caddy because its TLS configuration is PCI-compliant by default. It has even saved some companies hours before losing certification!
SCALABLE STORAGE TLS assets are stored on disk, but the storage mechanism can be swapped out for custom implementations so you can deploy and coordinate a fleet of Caddy instances.
KEY ROTATION Caddy is cited as the only web server to rotate TLS session ticket keys by default. This helps preserve forward secrecy, i.e. visitor privacy.
SERVER NAME INDICATION Caddy uses the TLS extension Server Name Indication (SNI) to be able to host multiple sites on a single interface. Like most features, this just works.
REDIRECT HTTP TO HTTPS Caddy's automatic HTTPS feature includes redirecting HTTP to HTTPS for you by default.
Certificates AUTO OBTAIN Caddy obtains certificates for you automatically using Let's Encrypt. Any ACME-compatible CA can be used. Caddy was the first web server to implement this technology.
AUTO RENEW Never deal with certificates again! Certificates are automatically renewed in the background before they get close to expiring.
DYNAMIC CERT LOADING Caddy is the only web server that can obtain certificates during a TLS handshake and use it right away.
BRING YOUR OWN If you still prefer to manage certificates yourself, you can give Caddy your certificate and key files (PEM format) like you're used to.
BULK CERT LOADING If you manage many certificates yourself, you can give Caddy an entire folder to load certificates from.
EASY SELF-SIGNED CERTS For easy local development and testing, Caddy can generate and manage self-signed certificates for you without any hassle.
SAN CERTIFICATES Caddy fully accepts SAN certificates for times when you may be managing your own SAN certificates and wish to use those instead.
CLUSTER SUPPORT Caddy can share managed certificates stored on disk with other instances and synchronize renewals in fleet deployments.
SCALABLE Caddy's certificate management scales well up to tens of thousands of sites and tens of thousands of certificates per instance.
WILDCARDS When needed, Caddy can obtain and renew wildcard certificates for you when you have many related subdomains to serve.
OCSP STAPLING Caddy staples OCSP responses to every qualifying certificate by default. Caddy's OCSP stapling is more robust against network failure than other web servers.
CACHING Every OCSP response is cached on disk to preserve integrity through restarts, in case the responder goes down or the network link is being attacked.
MUST-STAPLE Caddy can be configured to obtain Must-Staple certificates, which requires that certificate to always have the OCSP response stapled.
BACKGROUND UPDATES Unlike other web servers, Caddy updates OCSP responses in the background, asynchronously of any requests, well before their expiration.
PRE-VALIDATED An OCSP response will not be stapled unless it checks out for validity first, to make sure it's something clients will accept.
REVOCATION HANDLING If a managed certificate is discovered by OCSP to be revoked, Caddy will automatically try to replace the certificate.
ACME Protocol HTTP CHALLENGE Caddy can solve the HTTP challenge to obtain certificates. You can also configure Caddy to proxy these challenges to other processes.
TLS-ALPN CHALLENGE Caddy solves the TLS-ALPN challenge which happens on port 443 and does not require opening port 80 at all.
FLEET COORDINATION Caddy coordinates the obtaining and renewing of certificates in cluster configurations for both HTTP and TLS-ALPN challenges!
DNS CHALLENGE Caddy solves the DNS challenge which does not involve opening any ports on the machine. There are integrations for all major DNS providers!
REVOCATION If one of your private keys becomes compromised, you can use Caddy to easily revoke the affected certificates.
CUSTOMIZABLE CA Caddy is designed to be used with any ACME-compatible certificate authority, which you can customize with a single command line flag.
ROBUST TO FAILURES Caddy is the only web server and only major ACME client that was not disrupted by CA changes and outages, or OCSP responder hiccups.
HTTP Server Caddy's HTTP server has a wide array of modern features, high performance, and is easy to deploy.
Site Features DIRECTORY BROWSING List files and folders with Caddy's attractive, practical design or according to your own custom template.
VIRTUAL HOSTS Serve multiple sites from the same IP address with the Caddyfile.
CONFIGURABLE BINDING You can select which network interfaces to which you bind the listener, giving you more access control over your site.
MARKDOWN Let Caddy render your Markdown files as HTML on-the-fly. You can embed your Markdown in a template and parse out front matter.
TEMPLATES A powerful and improved alternative to Server-Side Includes, templates allow you to make semi-dynamic sites quickly and easily.
CUSTOM ERROR PAGES Show user-friendly error pages when things go wrong, or write the error details to the browser for dev environments.
LOGGING Caddy takes copious notes according to your favorite log format. Log errors and requests to a file, stdout/stderr, or a local or remote system log.
REQUEST SIZE LIMITS You can limit the size of request bodies that go through Caddy to prevent abuse of your network bandwidth.
TIMEOUTS Enabling timeouts can be a good idea when your server may be prone to slowloris attacks or you want to free up resources from slow networks.
Web Protocols HTTP/1.1 Still commonly used in plaintext, development, and debug environments, Caddy has solid support for HTTP/1.1.
HTTP/2 It's time for a faster web. Caddy uses HTTP/2 right out of the box. No thought required. HTTP/1.1 is still used when clients don't support HTTP/2.
HTTP/3 With the IETF-standard-draft version of QUIC, sites load faster and connections aren't dropped when switching networks.
WEBSOCKETS Caddy supports making WebSocket connections directly to local programs' stdin/stdout streams that work a little bit like CGI.
IPV6 Caddy supports both IPv4 and IPv6. In fact, Caddy runs full well in an IPv6 environment without extra configuration.
FASTCGI Serve your PHP site behind Caddy securely with just one simple line of configuration. You can even specify multiple backends.
HTTP Spec BASIC AUTHENTICATION Protect areas of your site with HTTP basic auth. It's simple to use and secure over HTTPS for most purposes.
REDIRECTS Caddy can issue HTTP redirects with any 3xx status code, including redirects using <meta> tags if you prefer.
HEADERS Customize the response headers so that some headers are removed or others are added.
Reverse Proxy BASIC PROXYING Caddy can act as a reverse proxy for HTTP requests. You can also proxy transparently (preserve the original Host header) with one line of config.
LOAD BALANCING Proxy to multiple backends using a load balancing policy of your choice: random, least connections, round robin, IP hash, or header.
SSL TERMINATION Caddy is frequently used as a TLS terminator because of its powerful TLS features.
WEBSOCKET PROXY Caddy's proxy middleware is capable of proxying websocket connections to backends as well.
HEALTH CHECKS Caddy marks backends in trouble as unhealthy, and you can configure health check paths, intervals, and timeouts for optimal performance.
RETRIES When a request to a backend fails to connect, Caddy will try the request with other backends until one that is online accepts the connection.
HEADER CONTROLS By default, most headers will be carried through, but you can control which headers flow upstream and downstream.
DYNAMIC BACKENDS Proxy to arbitrary backends based on request parameters such as parts of the domain name or header values.
Amenities CLEAN URIS Elegantly serve files without needing the extension present in the URL. These look nicer to visitors and are easy to configure.
REWRITES Caddy has powerful request URI rewriting capabilities that support regular expressions, conditionals, and dynamic values.
RESPONSE STATUS CODES Send a certain status code for certain requests.
COMPRESSION Compress content on-the-fly using gzip, Zstandard, or brotli.
CaddyAn open source Go community project
- Snippet from Wikipedia: Caddy (web server)
Caddy is an extensible, cross-platform, open-source web server written in Go.
The name "Caddy" refers both to a helper for tedious tasks, and a way to organize multiple parts into a simplified system. At its core, Caddy is an extensible platform for deploying long-running services ("apps") using a single, unified configuration that can be updated on-line with a REST API. Official Caddy distributions ship with a set of standard modules which include HTTP server, TLS automation, and PKI apps. It is best known for its automatic HTTPS features.