
Caddy – The HTTP/2 Web Server with Automatic HTTPS - tambourine_man
https://caddyserver.com/
======
shubhamjain
Has there been a shift in the recent times regarding developer teams paying
for software? Yes, ease-of-use is great benefit. It takes a while to become
accustomed to nginx configuration. But, $25/instance/month for a web server
when nginx can do almost everything (and arguably much better than a server
that was only launched two years ago)? It doesn't sit with me well.

~~~
gizzlon
It's open source, right? Just compile it yourself?

To your larger point, I think paying for software is and has been the norm in
many places. So nothing new.

~~~
shubhamjain
I didn't notice that you can compile the source code yourself to avoid paying
for the license. That seems to be a nice alternative.

~~~
mfontani
Only if you're not using it for commercial stuff. If you're using it for
commercial stuff you have to pay the $25/month

~~~
wccrawford
My understanding of their license page is different.

"If your company uses official Caddy binaries internally, in production, or
distributes Caddy, a commercial license is required."

"If I build Caddy from source, which license applies?" "The source code is
Apache 2.0 licensed."

[https://caddyserver.com/products/licenses](https://caddyserver.com/products/licenses)

~~~
jstanley
Would be interested to see how reproducible builds would interact in such a
situation.

I.e. you get a byte-identical binary file if you build it yourself, but you
don't have to pay the $25/mo. Even though you end up at exactly the same
place.

Something like
[http://ansuz.sooke.bc.ca/entry/23](http://ansuz.sooke.bc.ca/entry/23) "What
colour are your bits?" I suppose.

------
kuschku
And it still doesn't obey the DNS specs.

Specifically, the DNS RFCs define that, given no search domain, a relative
hostname (e.g. google.com) is equivalent to its absolute hostname form (e.g.
google.com.).

This is used in SSL validation as well, a certificate valid for one is valid
for the other, and in reverse.

Every webserver SHOULD respond to both names identically, or redirect from one
to the other.

Let's try that.
[https://news.ycombinator.com./](https://news.ycombinator.com./) yup, works.
[https://www.nginx.com./](https://www.nginx.com./) as well. In fact, nginx,
Apache2, IIS, the Google Cloud load balancers, AWS's load balancers, every
major site supports this.

The only http servers breaking the RFC for absolutely no reason are Caddy and
Traefik.

And the issue has been closed as WONTFIX months ago.

Do you really want to use an http server that doesn't even consider following
the RFCs? And pay for that?
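What "respond to both names identically, or redirect from one to the other" looks like inside a server, as an added example in Go that is not code from the thread or from Caddy itself: the virtual-host key is derived from the Host header with the port dropped and one trailing dot removed, and an optional mode answers the dotted form with a 301 to the undotted origin instead (the same-origin concern raised later in the thread is the reason you might prefer the redirect: a browser keeps separate cookies and storage for `example.com` and `example.com.`). The site `example.com`, the port 8443 and the 421 response for unknown names are my choices for the demo, not anything the thread prescribes.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// canonicalHost reduces a raw Host header to the key used for virtual-host
// lookup: the port is dropped, the name is lower-cased and one trailing dot
// is removed, so "Example.COM.:8443", "example.com:8443" and "example.com."
// all select the same site. A certificate for example.com also validates
// example.com., so nothing in the TLS layer needs to change for this.
func canonicalHost(hostHeader string) string {
	h := hostHeader
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.TrimSuffix(strings.ToLower(h), ".")
}

// hostWithoutDot removes a trailing dot from the name part of a Host header
// but keeps any port, so a redirect built from it stays on the same listener.
func hostWithoutDot(hostHeader string) string {
	host, port, err := net.SplitHostPort(hostHeader)
	if err != nil {
		return strings.TrimSuffix(hostHeader, ".")
	}
	return net.JoinHostPort(strings.TrimSuffix(host, "."), port)
}

// vhostMux dispatches requests to sites by canonical host name.
type vhostMux struct {
	sites map[string]http.Handler
	// redirectFQDN selects the "redirect from one to the other" behaviour:
	// a request arriving with a trailing dot is answered with 301 to the
	// undotted name instead of being served in place. Browsers treat
	// example.com and example.com. as distinct origins (separate cookie jars
	// and storage), so the redirect keeps the application on one origin.
	redirectFQDN bool
}

func (m *vhostMux) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	site, ok := m.sites[canonicalHost(r.Host)]
	if !ok {
		// 421 Misdirected Request: no site is configured for this name.
		http.Error(w, "unknown host", http.StatusMisdirectedRequest)
		return
	}
	if undotted := hostWithoutDot(r.Host); m.redirectFQDN && undotted != r.Host {
		scheme := "http"
		if r.TLS != nil {
			scheme = "https"
		}
		http.Redirect(w, r, scheme+"://"+undotted+r.URL.RequestURI(), http.StatusMovedPermanently)
		return
	}
	site.ServeHTTP(w, r)
}

// newDemoMux builds a mux with a single constructed site, example.com.
func newDemoMux(redirectFQDN bool) *vhostMux {
	site := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "site")
	})
	return &vhostMux{
		sites:        map[string]http.Handler{"example.com": site},
		redirectFQDN: redirectFQDN,
	}
}

// probe sends an in-memory request with the given Host header and path and
// returns the status code, the Location header and the response body.
func probe(m *vhostMux, host, path string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+path, nil)
	rec := httptest.NewRecorder()
	m.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	for _, host := range []string{"example.com", "example.com.", "EXAMPLE.COM.:8443", "other.example"} {
		code, _, body := probe(newDemoMux(false), host, "/")
		fmt.Printf("serve-both  %-18s -> %d %q\n", host, code, strings.TrimSpace(body))
		code, loc, _ := probe(newDemoMux(true), host, "/x?q=1")
		fmt.Printf("redirect    %-18s -> %d %s\n", host, code, loc)
	}
}
```

The check you would run against a live server is the one kuschku does by hand: request the dotted name with the same TLS settings and confirm you get either the same page or a redirect to the undotted one, never a certificate error or a 4xx. Note that the redirect mode deliberately preserves the port and the request URI, so a query string is not lost in the hop.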

~~~
piaste
You make it sound like the Caddy folks completely ignored the issue without
providing a reason ("absolutely no reason", "doesn't even consider"). After
looking into it, I find your post misleading and unfair, to say the _least_.

Link to the issue for other users who, like me, were concerned by your post:

[https://github.com/mholt/caddy/issues/1632](https://github.com/mholt/caddy/issues/1632)

According to the author, the issue is that (a) there are two RFCs that
contradict each other on this distinction, and (b) most browsers do not treat
them as such for the purpose of their same-origin policies. So he thinks it's
best not to enable this alternate URL by default since it's trivial to add it
as another route if you want.

I don't know if he's right or wrong, nevertheless, this clearly isn't a dude
that doesn't give a shit.

~~~
jimktrains2
I don't see two conflicting rfcs. Can you point them out? I saw a link to a
Mozilla thread discussing how they should do normalization, but nothing about
not supporting the fully qualified format. Cross origin rules don't apply for
looking up a virtual host.

Also, the concerns over security the caddy developer make aren't clarified and
probably don't exist.

No dot has 2 possible meanings and with dot has one _to the resolving
application_. To the server resolving a virtual host there is only one for
both.

~~~
piaste
> I don't see two conflicting rfcs. Can you point them out?

The quote is:

"RFC 1034 says the two domains are the same, but RFC 3986 says they are not. I
can't tell from the http spec whether the two Host values are equivalent or
not."

~~~
jimktrains2
From rfc 3986:

> The rightmost domain label of a fully qualified domain name in DNS may be
> followed by a single "." and should be if it is necessary to distinguish
> between the complete domain name and some local domain.

When there is no ambiguity then they mean the same thing.

Anyway, as a sibling comment said, it's not a good rfc to use for this
purpose.

------
julienmarie
What's interesting is that it's the first web server not focused on speed or
performance but on the user experience. I love nginx, but I had huge headaches
configuring it when migrating php apps with huge htaccess rules to nginx. The
terms of the license do not seem super clear though.

~~~
car_invasion
> I had huge headaches configuring it when migrating php apps with huge
> htaccess rules to nginx

I also had this issue whenever I did migrations between different web
applications that used different URL structures. To preserve my sanity, I now
do the redirects in the application level.

I predict nginx will get a lot of competition from servers and applications
written in Rust. Until then, it's viable as a reverse proxy and serves static
files really great.

~~~
VeejayRampay
nginx has a huge headstart though, it's stable, it's fast, has lots of
modules, etc.

I'm open to competition in the field, I'm not sure the competition will emerge
as fast as people think (just like competition for other well-established
software bricks in general).

~~~
originalsimba
and already supports HTTP/2 and HTTPS.

------
emit_time
As someone who is very very new to hosting their own services, this was an
absolute piece of cake to set up. My first time dealing with reverse proxies
and it took less than an hour to get going.

~~~
movedx
Good to know! As someone who's been called a senior SRE (I hate titles) and
has been building platforms for years, it's great to see high quality software
enabling newcomers like yourself to the field. Welcome! :-)

~~~
staticfish
For someone that hates titles, you both managed to call yourself an 'SRE', and
drop the fact that you've been 'building platforms for years'.

Just sayin'.

~~~
ben_jones
I think it's always valid to point out in threads like this that everyone on
the internet appears to be a domain expert. Everyone is also an entrepreneur,
and anyone who is unemployed is still a consultant. It can make it more
difficult to evaluate the merits of a piece of software like Caddy because you
have to wade through all the "this is awesome!"s which are somehow considered
valid contributions to discussion.

------
bryanrasmussen
$25 a month is quite pricey for the edge case of someone starting up sites
that will be commercial but unsure as to profitability yet. I guess I will
build and donate $25 for the year. Probably building is the smart thing to do
anyway for a server you're getting for its security capabilities.

~~~
ume
Agree. The $25/month stops me using it for side projects that generate small
but non-zero revenue. Love the concept but not sure when I'll get to play time
on something genuinely personal.

~~~
bschwindHN
Can't you build it from source?

~~~
mfontani
I'm sure he can build it from source, but the "personal" license forbids using
it for commercial purposes, so the point is moot.

~~~
captncraig
Those licences are only for the binaries. The source is Apache licenced and
can be used for commercial purposes for free.

------
jstanley
They make it quite hard to find out, but here it is:

> Caddy obtains certificates for you automatically using Let's Encrypt.

Not sure why that is not stated front and centre. It's a good idea.

~~~
bfred_it
That’s literally the first selling point in 128px font. [1]

It might not mention the implementation details but the concept is what
matters.

[1] [https://i.imgur.com/hdEaKpG.jpg](https://i.imgur.com/hdEaKpG.jpg)

~~~
jstanley
No, it's not. It doesn't explain how it works, which makes it come across as
an empty marketing promise.

------
brianlund
A great alternative that we use in production for thousands of domains is
[https://github.com/GUI/lua-resty-auto-ssl](https://github.com/GUI/lua-resty-auto-ssl)

~~~
mholt
Caddy can handle tens of thousands of domains. I know a couple of instances
which do.

------
petecooper
Previously (not comprehensive):

[https://news.ycombinator.com/item?id=12719563](https://news.ycombinator.com/item?id=12719563)

[https://news.ycombinator.com/item?id=9452606](https://news.ycombinator.com/item?id=9452606)

[https://news.ycombinator.com/item?id=11152761](https://news.ycombinator.com/item?id=11152761)

Related:
[https://caddyserver.com/blog/caddy-0_11-telemetry.html](https://caddyserver.com/blog/caddy-0_11-telemetry.html)

------
onion2k
When Caddy was first released I tried, and failed, to get Caddy to serve an
https site _locally_. Is that possible now? The docs[1] hint that it could be
if I add an entry to my hosts file pointing an IP address of, say, a Docker
container, as that wouldn't technically be localhost or an IP address. It
doesn't explicitly say it's possible though. Adding something to the tutorials
would be immensely helpful if it does work.

[1] [https://caddyserver.com/docs/automatic-https](https://caddyserver.com/docs/automatic-https)

~~~
manigandham
What do you mean by locally? If you want HTTPS automatically then the site
must be publicly available so that LetsEncrypt can verify the domain and
grant the certificate. If that's not possible then you'll have to use the DNS
challenge and set up a provider plugin.

It doesn't matter where the backend points and you can use it to serve a
docker container if you want, but that's different from the host/frontend
address you use.

~~~
onion2k
Locally in the sense of a local development server. The issue is that there
wouldn't be a real DNS record pointing at the machine (well, unless you added
one to point at your external IP address, but that's a pain for teams). I
guess if Let's Encrypt needs to verify the domain it won't be possible...

~~~
captncraig
Let's encrypt can issue certs without needing a public route to your machine
if you use the dns challenge. Here's what I do:

1. Add a public A record (or host file) local.mydomain.tld to 127.0.0.1.

2. Host my dns with cloudflare (other providers have plugins too), and
install the caddy plugin to do the dns challenge for certs.

3. Caddy can then get certs for local.mydomain.tld and serve them locally.
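The setup captncraig describes, with the challenge choice manigandham explains two posts up, written out as a Caddyfile. This is an added example, not configuration from the thread or from the Caddy project; it assumes the Caddy 0.x Caddyfile syntax in which the DNS challenge is enabled with `tls { dns <provider> }` and the Cloudflare plugin reads its credentials from the CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY environment variables, and `local.mydomain.tld`, the proxied port 3000 and the e-mail address are placeholders.

```caddyfile
# Assumed Caddy 0.x syntax; hostname, port and address are placeholders.
# local.mydomain.tld resolves to 127.0.0.1 (public A record or hosts file),
# so nothing outside this machine can ever reach the site. The DNS-01
# challenge only needs Let's Encrypt to see a TXT record under
# _acme-challenge.local.mydomain.tld, which the plugin creates and removes
# through the Cloudflare API; no inbound connection is required.
local.mydomain.tld {
    tls you@mydomain.tld {
        dns cloudflare
    }

    # Hand the dev app running on this box the TLS-terminated traffic.
    proxy / localhost:3000 {
        transparent
    }
}
```

Run it with the credentials in the environment, for example `CLOUDFLARE_EMAIL=... CLOUDFLARE_API_KEY=... caddy -agree`, and never commit them: the credential that can write the `_acme-challenge` record can write every other record in the zone, so scope it as tightly as the provider allows and treat it as a production secret even though the site is "local". Two further consequences worth knowing before you do this: every certificate Let's Encrypt issues is published to Certificate Transparency logs, so `local.mydomain.tld` becomes a publicly listed name the moment the first cert is issued; and the A record pointing at 127.0.0.1 is harmless in itself but does tell anyone who looks that the name is a developer endpoint.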

------
pronoiac
That's interesting! I wonder how it scales relative to, say, nginx.

~~~
kondro
It scales fine… if you don’t already know the answer to that question, none of
the web servers you choose are the bottle-neck to your site. ;-)

~~~
cthalupa
That's a bizarre statement. I could be incredibly familiar with nginx, apache,
varnish, etc., and have a website that scales to a huge amount of users and
still have no idea how well Caddy scales compared to nginx due to having no
prior knowledge of Caddy's performance. Indeed, questions about scaling and
performance are going to be some of the very first questions asked by anyone
running such a site - that's going to be one of the single most important
characteristics about it. (Hopefully after security....)

------
originalsimba
I am immediately suspicious of this because HTTP/2 only operates over HTTPS.
So for them to market this webserver as being special because it defaults to
HTTP/2 over HTTPS is the sort of thing a snake oil vendor would do.

Also completely unfond of the license. "Caddy is amazing because it has 3 line
config files!" So what? That's only appealing to people who are afraid of
editing config files. Here's a harsh reality for the developers (who probably
won't see this, ah well), but "config files" are not worth $25/mo or whatever
the full scale commercial costs of this are. Do the developers think that
their target audience are incapable of configuring traditional webservers?

Just because you pour your blood sweat and tears into a thing doesn't mean
that thing is worth any money.

~~~
ngngngng
The idea was brilliant before the web changed and made him a bit obsolete.

