📜 Post with us on Reddit
📝 Create a new article
🏭 Create a company page
🇬🇧 - in English
🇫🇷 - en Français (FR)
🇵🇹 - em Português (PT)
🇩🇪 - in Deutsch (DE)
🇯🇵 - 日本語で (JA)
Sponsored articles

You can edit almost every page by Creating an account. Otherwise, see the FAQ.

Caddy (web server)

From EverybodyWiki Bios & Wiki

Caddy
File:Caddy 2 lock icon and wordmark logo.svg
Original author(s)Matthew Holt
Initial release28 April 2015; 9 years ago (2015-04-28)
Stable release
2.6.4 / 14 February 2023; 22 months ago (2023-02-14)[1]
Repositorygithub.com/caddyserver/caddy
Written inGo[2]
Engine
    Operating systemBSD variants, Linux, Plan 9, macOS and Windows
    PlatformIA-32 (i386), x86-64, ARM, MIPS, S390X
    TypeWeb server, reverse proxy server
    LicenseApache 2
    Website{{URL|example.com|optional display text}}

    Search Caddy (web server) on Amazon.

    The Caddy web server is an extensible,[3] cross-platform,[4] open-source[5] web server written in Go.[6]

    The name "Caddy" refers both to a helper for tedious tasks, and a way to organize multiple parts into a simplified system.[7] At its core, Caddy is an extensible platform for deploying long-running services ("apps") using a single, unified configuration that can be updated on-line with a REST API.[8] Official Caddy distributions ship with a set of standard modules which include HTTP server, TLS automation, and PKI apps.[9] It is best known for its automatic HTTPS features.[10]

    Matthew Holt initially began solo development on Caddy in 2014,[7] followed by the first public release in 2015.[11][12] The software soon became a public collaboration with hundreds of contributors on GitHub.[13] To satisfy requirements from a growing community with a variety of use cases, eventually Caddy was completely rewritten from scratch, and a version 2.0 was released on May 4, 2020.[14]

    Caddy binaries are officially distributed for Linux, Windows, macOS, BSD, and other operating systems on a variety of architectures including x86-64, ARM, MIPS, S390X, and PPC64.[15] Official distributions of 32-bit binaries were discontinued, but Caddy can be compiled from source for IA-32 architectures.[16] Packages for Debian, CentOS, RedHat, and Arch Linux are also maintained,[17] as well as an official Docker image.[18]

    Architecture[edit]

    The architecture of Caddy is organized into three main components: a command, the core library, and configuration modules.[19] The command is the extensible interface by which the program is executed; it can also load configuration files, run common modes, manage installed plugins, and offer relevant utility functions. The core library has APIs for loading, unloading, and managing configuration; but it does nothing particularly useful on its own. Most of Caddy's functionality is provided by modules, which are plugins that extend Caddy's configuration structure; for example, the HTTP server is a module.[20] Caddy modules implement various long-running services, web standards, and other useful features.

    Caddy's input is a JSON configuration document[21] which is received through an open socket via a RESTful HTTP API.[22][10] In the absence of an HTTP client, Caddy's command line interface can be used to load configuration files.[23] Config adapters may be used to convert other configuration formats to JSON. Existing adapters include the Caddyfile, which has first-class support in the command line; and YAML, TOML, NGINX, and several other formats.[24][10]

    When a configuration is received through its administration socket, Caddy decodes the configuration for all the specified modules, and starts running all the app modules.[10] When the app modules are being provisioned, they themselves may load and provision modules that they use. For example, the HTTP server is an app module which uses HTTP handler modules to handle HTTP requests; these handlers might use yet other modules to implement their functionality, and so on.[25] All these modules are provisioned during the config load phase.[19]

    Plugins are installed by statically compiling them directly into the Caddy binary.[7][10] Without plugins, Caddy's native configuration structure only has some basic options for administration and logging.[21] All other functionality must be provided by app modules. Official Caddy distributions ship with dozens of standard modules;[9] others can be added from the project's website,[15] using the xcaddy command line tool, or by manually compiling a custom build.[4]

    HTTP server[edit]

    The HTTP server is an app module that comes standard with official Caddy distributions.[20] It is primarily used as a static file server[26] and load-balancing reverse proxy.[27] While the basis of Caddy's HTTP features use the implementation found in Go's standard library,[28] a variety enhancements and customizations are available as middleware and exposed through configuration parameters:[10]

    Caddy's HTTP server handles requests according to configured routes in a middleware pattern. Routes are defined in a list, and each route that matches the request is applied to the middleware chain in order. Requests can be matched from a variety of parameters including HTTP method, hostname, remote address, header fields, path, query string, protocol, variable values, file existence, CEL expressions, and others as given by plugins. Once matched, handler modules are invoked, which may include a file server, a rewrite middleware, the reverse proxy, rate limiting, header manipulation, and template rendering, among other functions. Additionally, routes can be defined to be mutually exclusive to other routes, or terminal which ends the handler chain.

    By default, TLS is used automatically if any routes have a non-empty host matcher.[29] These are assumed to be site names or IP addresses that Caddy is serving, so Caddy will automatically procure and renew certificates for the configured hostnames and IP addresses. When automatic HTTPS is activated in this manner, Caddy will also redirect HTTP requests to their equivalent HTTPS location.

    TLS automation[edit]

    The TLS app comes standard with official Caddy distributions. It acts as a TLS server and is designed for automation. Caddy's TLS defaults are considered safe and modern.[30] In terms of securing private keys, Caddy is not vulnerable to memory safety vulnerabilities such as Heartbleed because it is written in Go.[31] One of the primary purposes of this module is to load TLS certificates into memory so they can be served to complete TLS handshakes. Certificate and key files may be loaded manually into the server, but they are usually automated by specifying subject names.[32] If loaded manually, Caddy does not auto-renew them. If automated, this app will automatically obtain and renew a certificate for each subject name. A given certificate will be automated according to the first matching automation policy for its subject name (typically a domain name or IP address). An automation policy consists of issuers and various certificate and management options such as key type, where to store the certificate, whether to manage the certificate "on-demand", and OCSP options. These automation features work for server certificates as well as client certificates. Wildcard certificates are supported.

    An issuer is a source for a certificate, and is typically an ACME certificate authority. Caddy fully supports the ACME protocol including the HTTP, TLS-ALPN, and DNS challenges, External Account Binding (EAB), multiple certificate chains, and smart retry heuristics. Caddy can also be its own issuer with its embedded PKI facilities. Multiple issuers may be specified for redundancy; if one fails to offer a certificate, the next will be tried.

    TLS certificates can be stored in a configurable storage backend, which is by default the local file system. Plugins exist for other kinds of storage backends such as databases.[33] Caddy instances which are configured to use the same storage backend will automatically act as part of a cluster and share certificate and OCSP assets, including coordinating the obtaining and renewal of certificates.

    Typically, certificates are managed at startup when the config is loaded. However, Caddy supports a mode of automation called On-Demand TLS which defers certificate operations until the very moment the certificate is needed, during the TLS handshake. This is suitable for use cases where the site owner does not control the domain names served by the server.[34] In order to be safe from abuse on a public network, the site owner should configure an endpoint that Caddy will query to ask if a certificate may be obtained for the given Server Name Indication (SNI) in the handshake.

    Caddy implements OCSP stapling by default.[35] All loaded certificates which specify an OCSP responder in the Authority Information Access extension will have their OCSP response stapled, cached, and refreshed automatically as needed.[36] If an OCSP response indicates a status of Revoked for a managed certificate, Caddy will automatically attempt to replace the certificate with a new one.

    When serving TLS, Caddy will automatically rotate session ticket keys periodically to help preserve perfect forward secrecy.[37][38] These keys can also be stored in a configurable backend and used by a cluster of instances for improved performance in a distributed fashion.

    PKI facilities[edit]

    The PKI app comes standard with official Caddy distributions. Its primary purpose is to manage certificate authorities (CAs) that can sign certificates. Each CA consists of a root and intermediate key pair, which are persisted to storage. The CA identifier, common name, and key information can be customized in this module's configuration. This app is primarily used by other modules when self-signed certificates are needed.[39]

    Financial backing[edit]

    Until 2016, Caddy operated completely by volunteer effort without any financial support, simply accepting occasional donations from the website.[40] As the community grew and demands on development time and infrastructure increased, it was determined that the project needed to be funded.[41] Light Code Labs, LLC was formed to become the legal entity behind Caddy. With legal legitimacy, the first form of financial support came from a Mozilla Open Source Support (MOSS) program award in 2016.[42] This provided funding for 6 months of development work, and was crucial to Caddy's growth at that stage.[43]

    Seeking longer-term sustainability, Light Code Labs soon offered two optional products for businesses and professionals: the Engineering Package and Sponsorship, which granted access to developer resources and publicity for customers.[44] With only little success, it was decided that phasing out those products in favor of distributing official binaries intended for commercial use under a proprietary license could increase sustainability by requiring companies to pay for the right to use specially-offered, pre-compiled Caddy binaries that powered their business.[45] This would leave Caddy's source code under the Apache license for anyone to use freely, while still being able to gain some financial backing from able companies as customers.

    Although more sustainable, this approach was widely viewed with disdain, and was met with confusion and controversy over the next few years.[46][47][48][49][50] Product offerings were adjusted to clarify terms, gain the respect of the community, and better capture the commercial sector.[51] In 2019, Light Code Labs entered into a partnership with Ardan Studios to design and build an all-new version of Caddy which could be utilized more readily in enterprise environments: Caddy Enterprise.[52] However, on October 3, 2019, the two companies announced plans[53] to instead revert all plans for commercial licenses, which included:

    • reaffirming that Caddy will continue to be, and always has been, an Apache-licensed open source project,
    • dropping all proprietary licensing and removing the business use case restrictions from official binaries,
    • dropping plans for enterprise-only features,
    • rebranding the new version of Caddy simply as Caddy 2,
    • and eliminating all other existing business-only products, subscriptions, and services.

    Ardan Studios would proceed to offer professional training, Caddy development, and enterprise support to businesses, and provided funding for full-time open source development of the Caddy project for almost one year.[54] Shortly before the initial release of Caddy 2, an agreement was signed by Light Code Labs and Ardan Studios for the Caddy project (along with CertMagic, Caddy's core TLS automation library) to be acquired by API Layer, GmbH (later Stack Holdings, GmbH).[55] The transfer of ownership was announced later that year in September 2020, along with a two-year development contract.[56] This exchange did not alter the open source status or development cycle of the project.

    As of 2021, necessary financial support for the Caddy project continues by sponsorships through GitHub Sponsors, with ZeroSSL (a Stack Holdings company) being the primary, executive sponsor.[57]

    Influence[edit]

    Caddy has been used as the basis for other software projects and commercial services, and its reach extends into academic research and industry discussion.

    CoreDNS was created by Miek Gieben from a fork of Caddy v1 which was modified to serve DNS instead of HTTPS.[58] It leveraged Caddy's Caddyfile configuration format, plugin architecture, and use of the Go language.[59]

    Cloudflare implemented a machine-in-the-middle (MITM) detection service originally based on Caddy using its native MITM detection capabilities.[60][61] The same company also used Caddy to serve an experimental TLS 1.3 implementation while participating in the formation of the final TLS 1.3 specification.[62][63]

    Let's Encrypt considers Caddy's implementation of ACME to be the gold standard of ACME clients, and Caddy has become a model for similar software to follow.[64][30]

    Caddy has participated in a number of academic papers and enabled various Internet research. It has been referenced in relation to:

    • validating the feasibility of the ACME protocol in production servers,[30]
    • Internet-scale deployment of QUIC,[65]
    • a test framework for cloud failover mechanisms,[66]
    • measuring the security harm of TLS cryptography shortcuts,[67]
    • advocating the case for secure-by-default TLS,[68]
    • and improving the usability of deploying HTTPS.[35]

    References[edit]

    1. "Github Releases". Github Releases. Retrieved 2023-03-21.
    2. Gerrand, Andrew (17 February 2016). "Go 1.6 is released". golang.org. Retrieved 5 March 2016.
    3. "Extending Caddy - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-06. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    4. 4.0 4.1 "Build from source - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-29. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    5. LICENSE, caddyserver/caddy on GitHub, 2021-09-27, retrieved 2021-09-27
    6. "Go 1.6 is released - go.dev". go.dev. Retrieved 2021-09-27.
    7. 7.0 7.1 7.2 README.md, caddyserver/caddy on GitHub, 2021-09-27, retrieved 2021-09-27
    8. "Welcome - Caddy Documentation". caddyserver.com. Archived from the original on 2015-05-02. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    9. 9.0 9.1 imports.go, caddyserver/caddy on GitHub, 2021-09-27, retrieved 2021-09-27
    10. 10.0 10.1 10.2 10.3 10.4 10.5 Woodbeck, Adam (2021). Network programming with GO : code secure and reliable network services from Scratch. San Francisco, CA. pp. 217–239. ISBN 978-1-7185-0088-4. OCLC 1198449668. Search this book on
    11. "Release 0.5.0 · caddyserver/caddy". GitHub. Retrieved 2021-09-27.
    12. "Show HN: Caddy, a cross-platform HTTP/2 web server | Hacker News". news.ycombinator.com. Retrieved 2021-09-27.
    13. "Contributors to caddyserver/caddy". GitHub. Retrieved 2021-09-27.
    14. "Release v2.0.0 · caddyserver/caddy". GitHub. Retrieved 2021-09-27.
    15. 15.0 15.1 "Download Caddy". caddyserver.com. Archived from the original on 2015-05-02. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    16. "Build from source - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-29. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    17. "Install - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-06. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    18. "Caddy - Official Image". Docker Hub. Archived from the original on 2020-04-14. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    19. 19.0 19.1 "Architecture - Caddy Documentation". caddyserver.com. Archived from the original on 2020-04-14. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    20. 20.0 20.1 "Module http - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-06. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    21. 21.0 21.1 "JSON Config Structure - Caddy Documentation". caddyserver.com. Archived from the original on 2020-04-14. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    22. "API - Caddy Documentation". caddyserver.com. Archived from the original on 2020-03-02. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    23. "Command Line - Caddy Documentation". caddyserver.com. Archived from the original on 2020-03-02. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    24. "Config Adapters - Caddy Documentation". caddyserver.com. Archived from the original on 2020-04-14. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    25. Holt, Matthew (2019-12-04), The Engineering Challenges of long running go programs, Forge Utah, retrieved 2021-09-27
    26. "Static files quick-start - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-08. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    27. "Reverse proxy quick-start - Caddy Documentation". caddyserver.com. Archived from the original on 2020-05-08. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    28. Holt, Matthew (2015-05-27). "A Look Inside Caddy, a Web Server Written in Go". blog.gopheracademy.com. Archived from the original on 2015-05-30. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    29. "Automatic HTTPS - Caddy Documentation". caddyserver.com. Archived from the original on 2016-03-04. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    30. 30.0 30.1 30.2 Aas, Josh; Barnes, Richard; Case, Benton; Durumeric, Zakir; Eckersley, Peter; Flores-López, Alan; Halderman, J. Alex; Hoffman-Andrews, Jacob; Kasten, James; Rescorla, Eric; Schoen, Seth (2019-11-06). "Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. London United Kingdom: ACM: 2473–2487. doi:10.1145/3319535.3363192. ISBN 978-1-4503-6747-9.
    31. Internet Security Research Group. "What is memory safety and why does it matter?". Prossimo. Archived from the original on 2021-06-18. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    32. "Module tls.certificates.automate - Caddy Documentation". caddyserver.com. Archived from the original on 2021-09-27. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    33. "Storage Implementations · caddyserver/certmagic Wiki". GitHub. Retrieved 2021-09-27.
    34. Ellis, Jack (2020-06-10). "How to add unlimited custom domains to Laravel Vapor". Laravel News. Archived from the original on 2020-06-10. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    35. 35.0 35.1 Krombholz, Katharina; Mayer, Wilfried; Schmiedecker, Martin; Weippl, Edgar (2017). ""I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS". 26th USENIX Security Symposium USENIX Security 17: 1339–1356. ISBN 978-1-931971-40-9.
    36. Bock, Hanno (2020-09-16). "From what I know caddy also gets it right". Twitter. Archived from the original on 2020-09-16. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    37. Rutishauser, Dobin. "About TLS Perfect Forward Secrecy and Session Resumption – Compass Security Blog". Archived from the original on 2020-09-30. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    38. Taubert, Tim. "The future of session resumption - Forward secure PSK key agreement in TLS 1.3". timtaubert.de. Archived from the original on 2017-02-16. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    39. Malone, Mike (2019-09-17). "Run your own private CA & ACME server using step-ca". Smallstep. Archived from the original on 2019-09-17. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    40. "Download Caddy". 2016-03-10. Archived from the original on 2016-03-10. Retrieved 2021-09-27.
    41. "Is Caddy Free?". 2017-09-18. Archived from the original on 2017-09-18. Retrieved 2021-09-27.
    42. "Mozilla Awards $385,000 to Open Source Projects as part of MOSS "Mission Partners" Program | The Mozilla Blog". blog.mozilla.org. Retrieved 2021-09-27.
    43. "Caddy's MOSS Experience". 2018-11-23. Archived from the original on 2018-11-23. Retrieved 2021-09-27.
    44. "Introducing Options for Businesses". 2017-04-22. Archived from the original on 2017-04-22. Retrieved 2021-09-27.
    45. "Announcing Caddy Commercial Licenses". 2018-11-23. Archived from the original on 2018-11-23. Retrieved 2021-09-27.
    46. "Announcing Caddy Commercial Licenses | Hacker News". news.ycombinator.com. Retrieved 2021-09-27.
    47. Gangwere, Morgan (2019-04-30). "Let's Get Away From Slime Sourcing". HackerNoon.com. Retrieved 2021-09-27.
    48. "Caddy and the Importance of Licenses – Roberto Selbach". Retrieved 2021-09-27.
    49. "Caddy Proposal: Permanently change all proprietary licensing to open source | Hacker News". news.ycombinator.com. Retrieved 2021-09-27.
    50. "Sgt__Kabukiman on Twitter". Twitter. Archived from the original on 2021-09-27. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    51. "Caddy 0.10.10 Released Along With New Pricing Structure". 2017-10-09. Archived from the original on 2017-10-09. Retrieved 2021-09-27.
    52. "Announcing Caddy 1.0, Caddy 2, and Caddy Enterprise". 2019-04-25. Archived from the original on 2019-04-25. Retrieved 2021-09-27.
    53. "Proposal: Permanently change all proprietary licensing to open source · Issue #2786 · caddyserver/caddy". GitHub. Retrieved 2021-09-27.
    54. "Caddy Partnership With Light Code Labs". www.ardanlabs.com. Retrieved 2021-09-27.
    55. "Caddy and CertMagic have new ownership; no changes to licensing or development". Caddy Community. 2020-09-10. Retrieved 2021-09-27.
    56. "Caddy Server Acquired By Apilayer". www.ardanlabs.com. Retrieved 2021-09-27.
    57. "Sponsor @mholt on GitHub Sponsors". GitHub. Retrieved 2021-09-27.
    58. Understanding CoreDNS in Kubernetes - John Belamaric, Google & Cricket Liu, Francois Tur, Infoblox, retrieved 2021-09-27
    59. Belamaric, John (2019). Learning CoreDNS : configuring DNS for Cloud Native Environments. Cricket Liu (First ed.). Sebastopol, CA. ISBN 9781492047964. OCLC 1119557722. Search this book on
    60. TLS 1.3 in your web browser, Cloudflare, 2021-01-19, retrieved 2021-09-27
    61. "Monsters in the Middleboxes: Introducing Two New Tools for Detecting HTTPS Interception". The Cloudflare Blog. 2019-03-18. Retrieved 2021-09-27.
    62. Nick Sullivan [@grittygrease] (4 Mar 2016). "It's built in Go using custom versions @rlbarnes's Mint and @mholt6's Caddy" (Tweet) – via Twitter.
    63. Sullivan, Nick (2017-12-26). "Why TLS 1.3 isn't in browsers yet". The Cloudflare Blog. Archived from the original on 2017-12-26. Retrieved 2021-09-27. Unknown parameter |url-status= ignored (help)
    64. NYLUG Presents: Josh Aas - on - Let's Encrypt: A Free, Automated, and Open CA, retrieved 2021-09-27
    65. Rüth, Jan; Poese, Ingmar; Dietzel, Christoph; Hohlfeld, Oliver (2018), Beverly, Robert; Smaragdakis, Georgios; Feldmann, Anja, eds., "A First Look at QUIC in the Wild", Passive and Active Measurement, Cham: Springer International Publishing, 10771, pp. 255–268, arXiv:1801.05168, doi:10.1007/978-3-319-76481-8_19, ISBN 978-3-319-76480-1, retrieved 2021-09-27 Unknown parameter |s2cid= ignored (help)
    66. Vaněček, Štěpán (2016-03-02). "Test framework for cloud failover mechanisms" (PDF). Czech Technical University in Prague, Faculty of Information Technology Theses.
    67. Springall, Drew; Durumeric, Zakir; Halderman, J. Alex (2016-11-14). "Measuring the Security Harm of TLS Crypto Shortcuts". Proceedings of the 2016 Internet Measurement Conference. Santa Monica California USA: ACM: 33–47. doi:10.1145/2987443.2987480. ISBN 978-1-4503-4526-2.
    68. Stanek, Martin (2017-08-24). "Secure by default - the case of TLS". arXiv:1708.07569 [cs.CR].

    External links[edit]

    • Lua error in Module:Official_website at line 90: attempt to index field 'wikibase' (a nil value).
    • caddy on GitHub


    This article "Caddy (web server)" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Caddy (web server). Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.

    Page kept on Wikipedia This page exists already on Wikipedia.

    Retrieved from "https://en.everybodywiki.com/index.php?title=Caddy_(web_server)&oldid=4594712"
    License CC BY-SA 3.0
    Powered by MediaWiki
    Powered by Semantic MediaWiki