
Caddy – HTTP/2 Web Server with Automatic HTTPS - amjd
https://caddyserver.com/
======
mholt
For a fun time, run it with the -quic flag and browse your site in Chrome.

Thanks to work by Lucas Clemente and Marten Seemann, Caddy ships with a
functional (but still experimental) QUIC server implementation[1] you can try
right now. Your site will load better over slow connections or while you
switch from WiFi to cellular, for instance.

There was a lightning talk by Lucas Clemente just last week at dotGo about
QUIC; looking forward to the video being posted!

[1]: [https://github.com/lucas-clemente/quic-go](https://github.com/lucas-clemente/quic-go)

~~~
anc84
Where does QUIC sit in between TCP and HTTP2?

~~~
pliu
QUIC is a UDP-based network protocol. It is an alternative to HTTP2 or HTTP,
which are TCP-based protocols. If you visit google.com with a recent version
of Chrome, you're using QUIC. Open chrome://net-internals/#quic in another tab
and click a connection UID to see the conversation.

~~~
niftich
This is mostly correct but not entirely.

HTTPS is layered such that it's HTTP > TLS > TCP.

QUIC replaces the 'TLS > TCP' portion with 'QUIC > UDP', which you can then
run HTTP or HTTP2 on top of.

QUIC is _not_ an alternative to HTTP2 (yet), although there's work underway to
(re-)define HTTP2 in terms of QUIC [1], thereby replacing the awkward
transport protocol aspects of HTTP2 with the very similar mechanisms provided
by QUIC.

[1] [https://tools.ietf.org/html/draft-shade-quic-http2-mapping-00](https://tools.ietf.org/html/draft-shade-quic-http2-mapping-00)

~~~
jimktrains2
Is QUIC specific to HTTP, or can it be used as a transport mechanism for
arbitrary protocols?

~~~
niftich
QUIC stands on its own; it just so happens that QUIC and SPDY (the predecessor
of HTTP/2) show some convergent evolution.

You could use QUIC to transport other L7 protocols, but tracking down generic-
enough implementations may be difficult, or at least was the case in the past
[1][2]. Maybe things are better now [3].

[1] [https://daniel.haxx.se/blog/2016/07/20/curl-wants-to-quic/](https://daniel.haxx.se/blog/2016/07/20/curl-wants-to-quic/)

[2] [http://stackoverflow.com/questions/17896432/](http://stackoverflow.com/questions/17896432/)

[3] [https://github.com/google/proto-quic](https://github.com/google/proto-quic)

------
andmarios
Automatic HTTPS may be the most recognized feature of Caddy, but there are more
that make it worth giving it a spin.

Configuration simplicity is important. For example, try to properly set up a
reverse proxy to Jenkins from nginx. Almost impossible unless you google and
find the specific nginx snippet in Jenkins' documentation. Deviate and you
will have Jenkins complaining about an improperly configured proxy. On Caddy the
same can be achieved in one line with just two words (and a slash).

The last feature I used for a project was Caddy's browse directive, which lets
you browse files in a directory (unless there is an index.html). Not only does it
have a great look from the start, not only can it be templated, but Caddy
will also be happy to serve you the contents of the directory as JSON. So now
not only humans but also software can browse your files easily.

Have a look at its modules to get some ideas:
[https://caddyserver.com/docs](https://caddyserver.com/docs)

Also, Go makes it easy to write a module of your own or alter one of the
existing ones to fit your needs.

------
giancarlostoro
So Caddy has been discussed a few times prior. My question is: who is using
this in production? (In other words, not for a personal or hobby site, but an
actual product.) Is anyone using it stand-alone (no nginx or apache involved;
CloudFlare is ok, edit: or similar)? Sorry if it was asked in a previous
discussion; I want to know if anything has changed since.

~~~
throwow34393
It's a patchwork of different Go libraries; Caddy doesn't implement anything
itself like Apache or Nginx would. It's useful but certainly not "proven" in a
production environment. Heck, you don't need Caddy if you are already using
Go to develop servers, just use the libraries it uses directly.

~~~
0xmohit
Do you really need a throwaway account to make a comment?

~~~
kbenson
I think there's a certain subset of people that like to read HN but not
submit/comment, either for reasons of anonymity or just because they don't
want to. They may be inclined to comment from time to time, and create a temp
account to do so, since HN does not allow anonymity. Also, it's possible they
_had_ an account that was banned/shadow banned, and refuse to make another
full account out of protest.

That is, this may not be someone using a throwaway account in lieu of their
real account, but because they don't have a real account to use.

------
IanCal
All of this does look lovely.

I guess a big question for me would be:

What are the downsides? When should I _not_ use this?

Also, is there something similar to the Baader-Meinhof phenomenon, but for
finding software that neatly solves a problem right after you've spent a while
doing it yourself?

------
AshleysBrain
HTTP/2 out of the box with a free download is a great reason to use it over
nginx. Are any performance comparisons available though? I suspect nginx's
maturity may make up some of the difference.

~~~
finnn
Does nginx not have HTTP/2 or a free download? I've got a couple of webservers
that, as best I can tell, are responding to HTTP/2 requests, running nginx (that
I didn't pay for).

~~~
jacques_chester
> _Does nginx not have HTTP /2 or a free download?_

It does, as a module, not as core code[0].

However:

> _The module is experimental, caveat emptor applies._

[0]
[https://nginx.org/en/docs/http/ngx_http_v2_module.html](https://nginx.org/en/docs/http/ngx_http_v2_module.html)

------
IshKebab
Also worth mentioning if you want automatic HTTPS is Russ Cox's implementation
that works with Go's built in HTTP server:

[https://github.com/rsc/letsencrypt](https://github.com/rsc/letsencrypt)

I've used it. It's incredibly easy. It seems he now recommends this more
official-looking package:

[https://godoc.org/golang.org/x/crypto/acme/autocert](https://godoc.org/golang.org/x/crypto/acme/autocert)

------
d3ckard
I cannot recommend it enough. In comparison to nginx, you can set up the
reverse proxy with a configuration many times shorter, and HTTPS without hassle.
Also, what it does is much more readable.

It is not without quirks and there is no installer in debian repo, but I
recommend giving it a try.

~~~
aargh_aargh
ITP (intent to package): [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810890](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810890)

------
shorsher
Matt Holt, the creator of Caddy, was recently a guest on the Go Time podcast
where he talks quite a bit about Caddy as well as TLS and ACME protocols[0]. I
really enjoyed this episode and recommend others check it out.

[0]: [https://changelog.com/gotime/14](https://changelog.com/gotime/14)

------
Retr0spectrum
I already have nginx set up to use HTTP/2. Would I get any benefits from
switching?

~~~
caleblloyd
Only if you wanted to use the automated Let's Encrypt certificate feature in
Caddy.

~~~
Retr0spectrum
That sounds like a very useful feature for new installations. However, I
already have automatic renewal set up with nginx.

------
bruno2223
For static files:

1. Mimefy plug: check

2. Gzip feature: check

3. HTTP/2 new protocol: check

4. Auto SSL: check

5. Cache static files in memory to avoid reading them from disk, then Mimefy,
then gzip on eveeeery request: MISSING <- this plug would be nice to have to
reduce disk I/O and CPU.
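
What the missing plugin would look like, as an added example (mine, not Caddy's code or any of the plugins linked in this thread): files are read once at startup, gzipped once, given a Content-Type and an ETag once, and then served straight from memory. The sample file and its contents are constructed for the example. Because the handler only looks requests up in a map of pre-loaded paths, nothing on the request path ever touches the filesystem, which also closes the door on `../` traversal.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// entry is one static file held in memory: the raw body, the gzip body
// compressed once at load time, and the headers derived once.
type entry struct {
	raw, gz     []byte
	contentType string
	etag        string
}

// staticCache serves only the files it was loaded with. Requests are looked
// up by exact cleaned path, so there is no disk I/O per request and no way
// for a traversal sequence to reach a file that was not loaded.
type staticCache struct{ files map[string]*entry }

func newStaticCache(files map[string][]byte) (*staticCache, error) {
	c := &staticCache{files: make(map[string]*entry, len(files))}
	for name, body := range files {
		var buf bytes.Buffer
		zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
		if err != nil {
			return nil, err
		}
		if _, err := zw.Write(body); err != nil {
			return nil, err
		}
		if err := zw.Close(); err != nil {
			return nil, err
		}
		ct := mime.TypeByExtension(path.Ext(name)) // the "Mimefy" step, done once
		if ct == "" {
			ct = http.DetectContentType(body)
		}
		sum := sha256.Sum256(body)
		c.files[path.Clean("/"+name)] = &entry{raw: body, gz: buf.Bytes(),
			contentType: ct, etag: `"` + hex.EncodeToString(sum[:8]) + `"`}
	}
	return c, nil
}

// ETag returns the validator for a loaded path, or "" if it is not loaded.
func (c *staticCache) ETag(p string) string {
	if e, ok := c.files[path.Clean(p)]; ok {
		return e.etag
	}
	return ""
}

func (c *staticCache) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	e, ok := c.files[path.Clean(r.URL.Path)]
	if !ok || (r.Method != http.MethodGet && r.Method != http.MethodHead) {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	h.Set("Content-Type", e.contentType)
	h.Set("ETag", e.etag)
	h.Set("Vary", "Accept-Encoding")
	h.Set("X-Content-Type-Options", "nosniff")
	if r.Header.Get("If-None-Match") == e.etag { // exact match only; no weak/list handling
		w.WriteHeader(http.StatusNotModified)
		return
	}
	body := e.raw
	if acceptsGzip(r) && len(e.gz) < len(e.raw) {
		h.Set("Content-Encoding", "gzip")
		body = e.gz
	}
	h.Set("Content-Length", fmt.Sprint(len(body)))
	w.WriteHeader(http.StatusOK)
	if r.Method == http.MethodGet {
		_, _ = w.Write(body)
	}
}

// acceptsGzip is a deliberately simple Accept-Encoding check (ignores q-values).
func acceptsGzip(r *http.Request) bool {
	for _, enc := range strings.Split(r.Header.Get("Accept-Encoding"), ",") {
		if strings.TrimSpace(enc) == "gzip" {
			return true
		}
	}
	return false
}

// fetch runs one request through the cache in memory and reports the status,
// the Content-Encoding chosen and the body length.
func fetch(c *staticCache, p, acceptEnc, ifNoneMatch string) (status int, enc string, n int) {
	r := httptest.NewRequest("GET", p, nil)
	if acceptEnc != "" {
		r.Header.Set("Accept-Encoding", acceptEnc)
	}
	if ifNoneMatch != "" {
		r.Header.Set("If-None-Match", ifNoneMatch)
	}
	rec := httptest.NewRecorder()
	c.ServeHTTP(rec, r)
	return rec.Code, rec.Header().Get("Content-Encoding"), rec.Body.Len()
}

func main() {
	// Constructed sample file; a real deployment would walk a directory once at startup.
	c, _ := newStaticCache(map[string][]byte{
		"app.css": []byte(strings.Repeat("body{margin:0}\n", 200)),
	})
	fmt.Println(fetch(c, "/app.css", "gzip, deflate", ""))
	fmt.Println(fetch(c, "/../etc/passwd", "", ""))
}
```

`Vary: Accept-Encoding` matters as soon as a shared cache sits in front: without it a cached gzip body can be handed to a client that never asked for it. Holding whole files in memory is a trade that only makes sense for a bounded, known set of assets; for the multi-gigabyte files mentioned elsewhere in this thread you want `http.ServeContent` and the kernel page cache, not this.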

~~~
nazrak
I am not a Caddy developer, but I noticed the same plugin was missing, so I started
my own: [https://github.com/nicolasazrak/caddy-cache](https://github.com/nicolasazrak/caddy-cache). It still needs a lot of work,
though.

~~~
mholt
Cool! Thanks for working on this. It may address one of the oldest issues:
[https://github.com/mholt/caddy/issues/10](https://github.com/mholt/caddy/issues/10)

------
jimktrains2
With HTTP2, you're no longer limited to a request-response model. What
interfaces do people use to expose this new paradigm to the application? (e.g.
application-based push).

~~~
niftich
They usually don't, because server push is a micro-optimization, proper use of
which requires a lot of effort from the server (and perhaps the client), as
evident from Google's research on the matter [1].

Google has coded their App Engine to read a 'push manifest' generated by a
tool they publish [2]. Akamai gives you a GUI [3]. Cloudflare wants you to
manually set headers [4] defined by the brand-new W3C draft 'preload' [5].
Last year, the Caddy devs blogged that HTTP/2 Push is essentially a big
exercise for the reader/implementer [6].

I'm currently unaware of any web application framework which exposes idiomatic
hooks to use HTTP/2 to push additional resources to the server. There are some
generic server push addons or plugins that use older techniques from the
websocket or pre-websocket days.

[1] [https://news.ycombinator.com/item?id=12224258](https://news.ycombinator.com/item?id=12224258)

[2] [https://github.com/GoogleChrome/http2-push-manifest](https://github.com/GoogleChrome/http2-push-manifest)

[3] [https://blogs.akamai.com/2016/04/are-you-ready-for-http2-server-push.html](https://blogs.akamai.com/2016/04/are-you-ready-for-http2-server-push.html)

[4] [https://blog.cloudflare.com/announcing-support-for-http-2-server-push-2/](https://blog.cloudflare.com/announcing-support-for-http-2-server-push-2/)

[5] [https://www.w3.org/TR/preload/#server-push-http-2](https://www.w3.org/TR/preload/#server-push-http-2)

[6] [https://caddyserver.com/blog/implementing-http2-isnt-trivial](https://caddyserver.com/blog/implementing-http2-isnt-trivial)
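
For the "what interface does the application get" question above, an added example (mine, not Caddy's code and not from any of the linked posts) of the two hooks that exist in Go: over HTTP/2, Go's `net/http` hands the handler an `http.Pusher` (added in Go 1.8, which postdates this thread) whose `Push` makes the server send the PUSH_PROMISE itself; on HTTP/1.1, or when the client has disabled push, the handler falls back to the `Link: rel=preload` header that the Cloudflare approach in [4] relies on and that browsers honour on their own. The asset paths and the HTML are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// assets lists the sub-resources the page at "/" depends on, with the "as"
// type the preload spec expects. Constructed for this example.
var assets = []struct{ path, as string }{
	{"/static/app.css", "style"},
	{"/static/app.js", "script"},
}

// pushOrPreload announces sub-resources as early as possible. Over HTTP/2 the
// ResponseWriter implements http.Pusher and the server can push; otherwise,
// or if Push fails (client sent SETTINGS_ENABLE_PUSH=0, limit reached), it
// emits a Link: rel=preload header instead. Returns how many were pushed.
// Only same-origin paths are listed: Push rejects absolute URLs to other
// origins, and preload hints for third parties are a privacy leak anyway.
func pushOrPreload(w http.ResponseWriter, r *http.Request) (pushed int) {
	for _, a := range assets {
		if p, ok := w.(http.Pusher); ok {
			if err := p.Push(a.path, nil); err == nil {
				pushed++
				continue
			}
		}
		w.Header().Add("Link", fmt.Sprintf("<%s>; rel=preload; as=%s", a.path, a.as))
	}
	return pushed
}

func indexHandler(w http.ResponseWriter, r *http.Request) {
	pushOrPreload(w, r) // must run before the first write: headers and PUSH_PROMISE go first
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, `<!doctype html><link rel=stylesheet href=/static/app.css><script src=/static/app.js></script>`)
}

// serveIndex runs indexHandler against an in-memory request and returns the
// Link headers it produced. httptest.ResponseRecorder is not an http.Pusher,
// so this exercises the HTTP/1.1 fallback path.
func serveIndex() []string {
	rec := httptest.NewRecorder()
	indexHandler(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Result().Header["Link"]
}

func main() {
	for _, l := range serveIndex() {
		fmt.Println("Link:", l)
	}
	// To serve with real push: http.ListenAndServeTLS(":443", cert, key, http.HandlerFunc(indexHandler))
	// (Go enables HTTP/2 automatically on TLS listeners.)
}
```

This is the whole API surface: a `Push(target, *PushOptions)` call per resource, and nothing about the request/response model changes for the application. Whether to call it at all is the hard part niftich describes; pushing on every navigation re-sends bytes a returning client already has cached, so real deployments gate it on a first-visit signal (a cookie, or the cache-digest ideas in the linked posts).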

~~~
jimktrains2
Push was just an example. HTTP2 is fundamentally different from HTTP; it's
more akin to TCP in L7. Can applications take advantage of this fundamental
paradigm shift? What about for non-browser clients (api clients)?

~~~
danudey
Nothing that HTTP/1.1 and websockets can't do, really.

~~~
jimktrains2
Sure, but then you have a websockets interface. Is there something similar for
HTTP2 that breaks the resource request / resource response model?

------
kennysmoothx
I run high-load nginx servers that typically serve static 1-2 GB files at
1 Gbit throughput.

Does anyone with experience of Caddy know how well it can be used to serve
large static files under heavy load, or is Caddy best used to serve smaller
files like a website?

Thanks!

~~~
mholt
Caddy should serve you well. I would be interested in knowing how it goes for
you if you try it! If it has problems, let's fix them.

------
dangrossman
It allows wildcard domains/subdomains with automatic certificates... how does
it know which certificate to serve without an IP-to-domain mapping? Is it
relying on SNI (i.e. no support for old devices)?

~~~
mholt
Yes, Caddy uses SNI. Although it can't get wildcard certificates from Let's
Encrypt, it can obtain certificates during the TLS handshake for a specific
server name.
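
To make the SNI answer concrete, an added example (mine, not Caddy's code) of the hook a Go TLS server uses for this: `tls.Config.GetCertificate` receives the ClientHello, reads the SNI name, returns the matching certificate from a cache, and for a name it has not seen yet mints one during the handshake. A self-signed certificate stands in for the ACME issuance Caddy performs, and the `*.example.test` allowlist is my assumption. This is the same hook that `golang.org/x/crypto/acme/autocert` (mentioned by IshKebab above) plugs into, with its `HostPolicy` playing the role of the allowlist here. The empty-SNI branch is the "old devices" case: with no server name there is nothing to select on, so the handshake fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// certStore picks a certificate by the SNI name in the ClientHello and mints
// one on first use for names the policy allows (stand-in for on-demand ACME).
type certStore struct {
	mu      sync.Mutex
	certs   map[string]*tls.Certificate
	allowed func(host string) bool // issuance policy; an unbounded one lets any DNS name pointed at you trigger issuance
}

func newCertStore(allowed func(string) bool) *certStore {
	return &certStore{certs: make(map[string]*tls.Certificate), allowed: allowed}
}

// GetCertificate has the signature tls.Config.GetCertificate expects.
func (s *certStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if name == "" {
		// Client sent no SNI (pre-SNI stacks): nothing to select on.
		return nil, errors.New("no SNI server name in ClientHello")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if c, ok := s.certs[name]; ok {
		return c, nil
	}
	if !s.allowed(name) {
		return nil, fmt.Errorf("on-demand issuance refused for %q", name)
	}
	c, err := selfSigned(name)
	if err != nil {
		return nil, err
	}
	s.certs[name] = c
	return c, nil
}

// selfSigned mints a short-lived certificate for exactly one DNS name.
// In a real deployment this is where the ACME client would run.
func selfSigned(name string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

func main() {
	store := newCertStore(func(h string) bool { return strings.HasSuffix(h, ".example.test") })
	cfg := &tls.Config{GetCertificate: store.GetCertificate, MinVersion: tls.VersionTLS12}
	_ = cfg // hand this to tls.Listen or http.Server.TLSConfig
	c, err := store.GetCertificate(&tls.ClientHelloInfo{ServerName: "app.example.test"})
	if err != nil {
		fmt.Println("handshake would fail:", err)
		return
	}
	fmt.Println("selected certificate for", c.Leaf.DNSNames)
}
```

The policy callback is the security-relevant part: with on-demand issuance and no allowlist, anyone who points a DNS record at your address can make your server perform an issuance for that name, which burns CA rate limits and handshake time on your side. Gate it on a list of names you actually own.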

------
reactor
Looks like HTTP/2 and Auto HTTPS servers written in Go are on the rise,
[https://armor.labstack.com/](https://armor.labstack.com/)

Good to have options!

------
coolsunglasses
Apache license for any wondering

------
j1vms
How battle-ready (that is, security-wise) is this beautiful piece of software?

~~~
mholt
In what regards? Caddy has never been vulnerable to a number of widespread
CVEs including Heartbleed, DROWN, POODLE, and BEAST. Caddy uses
TLS_FALLBACK_SCSV to prevent protocol downgrade attacks. Like any other web-
facing service, it's exposed to DDoS attacks. I've never heard of a machine
being compromised by exploiting Caddy...

If anyone has a vulnerability to report, please email me directly[1] (or if
it's not serious, a PR would be faster).

[1]: [https://github.com/mholt/caddy/blob/master/CONTRIBUTING.md#vulnerabilities](https://github.com/mholt/caddy/blob/master/CONTRIBUTING.md#vulnerabilities)

------
Toast_
Any benchmarks?

