To your lager point, I think paying for software is and has been the norm in many places. So nothing new.
"If your company uses official Caddy binaries internally, in production, or distributes Caddy, a commercial license is required."
"If I build Caddy from source, which license applies?"
"The source code is Apache 2.0 licensed."
I.e. you get a byte-identical binary file if you build it yourself, but you don't have to pay the $25/mo. Even though you end up at exactly the same place.
Something like http://ansuz.sooke.bc.ca/entry/23 "What colour are your bits?" I suppose.
The point was that it was easy to install and get it running. Your point defeats the purpose of Caddy in the first place.
It would be much easier to:
1. `sudo apt-get install nginx-extras python-certbot-nginx`
2. Add simple config with 80 port of your website/reverse proxy.
3. `sudo certbot --nginx`
4. Do not worry that you will be sued by nginx for using it for commercial purposes.
Init scripts are included as well, both for FreeBSD, macOS and for a several different init systems used by various Linux distros. https://github.com/mholt/caddy/tree/master/dist/init
FreeBSD even has it in the ports collection, so you can install it using the package manager that is included with FreeBSD
doas pkg install caddy
doas sysrc caddy_cert_email="email@example.com"
doas sysrc caddy_enable="YES"
doas service caddy start
The source code of Caddy is distributed under the terms of the Apache 2.0 license.
Wait I have to manually install Caddy and then fight with systemd to make it start at boot? What is this? The 90?
Since they don't have have a standard package repo, you will also always be behind. You will have to keep track of their releases manually to make sure you are not missing an important update.
It is unclear why these folks have are resisting standard packages. Is that incompatible with their business model?
It made me move away from Caddy and instead go with Nginx and Certbot. Which is simpler and less maintenance work in the long run.
Depends on how tied you are to Linux, but yes it might be worth it. I for one enjoy FreeBSD a lot. I run it on my servers and on one of my laptops. My desktop runs Linux.
If you have the time and motivation I’d say give FreeBSD a shot. Rent a VPS from Vultr for example or install it in a VM on your computer. Play around with it and see how you like it.
As for packaging of Caddy on Linux there seems to be a few issues if you look at the following thread: https://caddy.community/t/packaging-caddy/61
- The developers dislike packaging because it makes “plugins” unavailable. Personally I think they are concerned about this for no reason. There ought to be a version of Caddy in the package repos without additional “plugins” that covers the 99% use-case which is to serve static files from a directory with automatic Let’s Encrypt certificate retrieval. Just like how the package on FreeBSD does. Those wanting customization can build from source; that is very reasonable and in line with the expectations one should have to an OS-provided package manager IMO.
- They don’t want to deal with packaging until they hit v1.0.
- They are talking about wanting to package an auto-updater. This is absolutely the wrong approach IMO, but it relates back to their differing in opinion about the role of their “plugins” in relation to the packages that would be provided. I think Debian for example have the same view as me on this issue, and I think other distros do as well probably. Packages provided by the OS-provided package manager should never rely on needing to retrieve additional files not included in the package, except via dependency on other packages, or where they are forced to do so for licensing reasons.
- Speaking of Debian, they mentioned that packaging software written in Go can be problematic/difficult in relation to the Debian packaging guidelines because it seems that to follow those guidelines strictly, each dependency must be packaged separately rather than being vendored. Whether this is correct or not I don’t know.
- Like I said further up ITT, the source is covered by Apache 2.0 and they also confirm in that thread that compiling binaries and distributing binaries you’ve compiled from source is allowed in accordance with those terms. That’s really no surprise — if that was not allowed then they couldn’t have said that the source was covered by Apache 2.0 — but it’s reassuring to see that they intentionally want to allow redistribution of binaries built from source.
It seems to me that if packages for Linux are going to become available any time soon, someone needs to step up and take care of it. For example by providing a PPA for Ubuntu users. There was one PPA mentioned in the thread but I didn’t look into whether it is still maintained or not since I do not have any current plans of running Caddy on Ubuntu myself.
Maybe the plugin support should be fixed then.
From a comment in the thread:
> Go is currently really bad at “runtime” plugins. There are only three strategies I know of that may work:
> 1. Launch separate processes for each plugin and use ipc to communicate. Potentially slow, and a lot could go wrong.
> 2. Some kind of cgo based plugin system that runs dynamicly linked go libs and uses a cgo shim on both sides for compatibility. Introduces build complexity and makes cross-compiling harder.
> Until the go authors implement better support for runtime plugins, I think we are stuck with built-time.
> arguably much better
That's very arguable because Caddy is great at what it does. I think you should try it out before assuming it can't come close to nginx. Also older software also tends to be stuck with legacy cruft so project age isn't such a simple signal.
I also had this issue whenever I did migrations between different web applications that used different URL structures. To preserve my sanity, I now do the redirects in the application level.
I predict nginx will get a lot of competition from servers and applications written in Rust. Until then, it's viable as a reverse proxy and serves static files really great.
I'm open to competition in the field, I'm not sure the competition will emerge as fast as people think (just like competition for other well-established software bricks in general).
On the Windows side of the world, I've found IIS to be decently user friendly to set up and administer.
Caddy looks promising and simpler. Might have to take a look this weekend.
Even if you do manage to screw up the config, just do 'nginx -s reload' - this verifies the syntax of the config and then attempts to apply it. If it is successfully applied, (e.g. dns is resolvable for listed upstreams, etc etc etc) then launches new worker processes, and then messages old worker processes running the old config to not accept any new requests (so all go to the new workers) and to shut down after finishing handling any existing requests. If it fails to apply, old workers stay up and keep running with the old config.
Specifically, the DNS RFCs define that, given no search domain, a relative hostname (e.g. google.com) is equivalent to its absolute hostname form (e.g. google.com.).
This is used in SSL validation as well, a certificate valid for one is valid for the other, and in reverse.
Every webserver SHOULD respond to both names identically, or redirect from one to the other.
Let's try that. https://news.ycombinator.com./ yup, works. https://www.nginx.com./ as well. In fact, nginx, Apache2, IIS, the Google Cloud load balancers, AWS's load balancers, every major site supports this.
The only http servers breaking the RFC for absolutely no reason are Caddy and Traefik.
And the issue has been closed as WONTFIX months ago.
Do you really want to use an http server that doesn't even consider following the RFCs? And pay for that?
Link to the issue for other users who, like me, were concerned by your post:
According to the author, the issue is that (a) there are two RFCs that contradict each other on this distinction, and (b) most browsers do not treat them as such for the purpose of their same-origin policies. So he thinks it's best not to enable this alternate URL by default since it's trivial to add it as another route if you want.
I don't know if he's right or wrong, nevertheless, this clearly isn't a dude that doesn't give a shit.
Also, the concerns over security the caddy developer make aren't clarified and probably don't exist.
No dot has 2 possible meanins and with dot has one _to the resolving application_. To the server resolving a virtual host there is only one for both.
The quote is:
"RFC 1034 says the two domains are the same, but RFC 3986 says they are not. I can't tell from the http spec whether the two Host values are equivalent or not."
> The rightmost domain label of a fully qualified domain name in DNS may be followed by a single "." and should be if it is necessary to distinguish between the complete domain name and some local domain.
When there is no ambiguity then they mean the same thing.
Anyway, as a sibling comment said, it's not a good rfc to use for this purpose.
Besides, it was deprecated by the WHATWG URL spec anyway, which does use the same equality rules as RFC 1034 (after normalization)
I use the abiosoft Docker image and that has simplified it again.
The restrictive personal license applies to the official binaries.
> Caddy obtains certificates for you automatically using Let's Encrypt.
Not sure why that is not stated front and centre. It's a good idea.
It might not mention the implementation details but the concept is what matters.
Just looks like it's capable of doing that which doesn't take much attention.
It doesn't matter where the backend points and you can use it to serve a docker container if you want, but that's different from the the host/frontend address you use.
1. Add a public A record (or host file) local.mydomain.tld to 127.0.0.1.
2. Host my dns with cloudflare (other providers have plugins too), and install the caddy plugin to do the dns challenge for certs.
3. Caddy can then get certs for local.mydomain.tld and serve them locally.
But seriously, how do you know what their site is? Perhaps they're serving a lot of static content out of memory and a fat pipe, in which case the web server would in fact be a bottleneck.
Also completely unfond of the license. "Caddy is amazing because it has 3 line config files!" So what? That's only appealing to people who are afraid of editing config files. Here's a harsh reality for the developers (who probably won't see this, ah well), but "config files" are not worth $25/mo or whatever the full scale commercial costs of this are. Do the developers think that their target audience are incapable of configuring traditional webservers?
Just because you pour your blood sweat and tears into a thing doesn't mean that thing is worth any money.