<small>Caddy is licensed with the Apache 2.0 open source license.</small>
</div>
</div>
</div>
<section class="alternate">
<div class="wrapper">
<div class="side-by-side">
<div class="side-by-side-content">
<h3>Fewer moving parts</h3>
<p>
Caddy simplifies your infrastructure. It takes care of TLS certificate renewals, OCSP stapling, static file serving, reverse proxying, Kubernetes ingress, and more.
<img src="/resources/images/moving-parts.svg" alt="Caddy does the work of your WAF, web server, ingress, reverse proxy, TLS terminator, logging, caching, and TLS certificate management.">
</div>
</div>
</section>
<section class="alternate">
<div class="wrapper">
<div class="side-by-side">
<div class="side-by-side-content">
<h3>Best-in-class security</h3>
<p>
<b>Caddy is the only web server to use HTTPS automatically and by default.</b>
Caddy obtains and renews TLS certificates for your sites automatically. It even staples OCSP responses. Its novel certificate management features are the most mature and reliable in its class.
Written in Go, Caddy offers greater memory safety than servers written in C. A hardened TLS stack powered by the Go standard library serves a significant portion of all Internet traffic.
</p>
<img src="/resources/images/caddy-circle-lock.svg" alt="Caddy is the only server to use HTTPS automatically and by default">
</div>
</div>
</section>
<section class="alternate">
<div class="wrapper">
<div class="side-by-side">
<div class="side-by-side-content">
<h3>Backed by Ardan</h3>
<p>
<a href="https://www.ardanlabs.com">Ardan Labs</a> is the trusted partner of the Caddy Web Server open source project, providing enterprise-grade support to our clients.
</p>
<p>
Together, we consult and train, as well as develop, install, and maintain Caddy and its plugins to ensure your infrastructure runs smoothly and efficiently. Contact us to get started!
Caddy is both a flexible, efficient static file server and a powerful, scalable reverse proxy.
</p>
<p>
Use it to serve your static site with compression, template evaluation, Markdown rendering, and more.
</p>
<p>
Or use it as a dynamic reverse proxy to any number of backends, complete with active and passive health checks, load balancing, circuit breaking, caching, and more.
<img src="/resources/images/proxy-file-server.svg" alt="Caddy is the only server to use HTTPS automatically and by default">
</div>
</div>
</section>
<section class="alternate">
<div class="wrapper">
<h1 id="cli">1-Liners</h1>
<h2>
These commands are <b>production-ready</b>. When given a domain name, Caddy will use <b>HTTPS by default</b>, which provisions and renews certificates for you.*
</h2>
<div class="footnote">* Requires domain's public A/AAAA DNS records pointed at your machine.</div>
</div>
<div class="wrapper">
<div class="code-caption">Quick, local file server</div>
<h2>
Caddy is dynamically configurable with a <b>RESTful JSON API</b>. Config updates are <b>graceful</b>, even on Windows.
<br><br>
Using JSON gives you <b>absolute control</b> over the edge of your compute platform, and is perfect for <b>dynamic</b> and <b>automated</b> deployments.
</h2>
</div>
<div class="wrapper">
<div class="code-caption">Set a new configuration</div>
<p>
Caddy 2 was boldly engineered to simplify your infrastructure and give you control over the edge of your compute platform.
</p>
<h4>Architecture</h4>
<div class="features">
<div class="feature">
<h5>Extensible</h5>
<p>
Caddy can embed any Go application as a plugin, and has first-class support for plugins of plugins.
</p>
</div>
<div class="feature">
<h5>Minimal Global State</h5>
<p>
Global state is common in servers, but tends to be error-prone and a bottleneck, so Caddy 2 uses a novel design that limits global state.
</p>
</div>
<div class="feature">
<h5>Lightweight</h5>
<p>
For all its features, Caddy runs lightly and efficiently with relatively low memory footprint and high throughput.
</p>
</div>
<div class="feature">
<h5>Multi-core</h5>
<p>
When the going gets tough, Caddy gets going on more CPUs. Go's scheduler understands Go code, and goroutines are more lightweight than system threads.
</p>
</div>
<div class="feature">
<h5>Static Binary</h5>
<p>
Caddy is a single executable file with no dependencies, not even libc. Literally just needs some metal and a kernel. Put Caddy in your PATH and run it. Done.
</p>
</div>
<div class="feature">
<h5>Cross-Platform</h5>
<p>
Caddy runs on Windows, macOS, Linux, BSD, Android, Solaris, 32-bit, amd64, ARM, aarch64, mips64... almost anything to which Go compiles.
Caddy's configuration is received through a REST endpoint as a single JSON document, making it highly programmable.
</p>
</div>
<div class="feature">
<h5>Config Files Optional</h5>
<p>
You can use config files with Caddy's CLI, which converts them to API requests for you under the hood.
</p>
</div>
<div class="feature">
<h5>Config Adapters</h5>
<p>
Bring your own config! Config adapters translate various config formats (Caddyfile, TOML, NGINX, etc.) into Caddy's native JSON.
</p>
</div>
<div class="feature">
<h5>The Caddyfile</h5>
<p>
An easy, intuitive way to configure your site. It's not scripting, and not hard to memorize. Rolls off the fingers. You'll really like it.
</p>
</div>
<div class="feature">
<h5>Unified Config</h5>
<p>
All configuration is contained within a single JSON document so there are fewer hidden factors affecting your config.
</p>
</div>
<div class="feature">
<h5>Partial Updates</h5>
<p>
When you have just small changes to make, Caddy's API lets you update just the relevant parts of its config.
</p>
</div>
<div class="feature">
<h5>Fine-Grained Control</h5>
<p>
Caddy's native JSON exposes the actual fields allocated in memory by the running server to give you more control.
</p>
</div>
<div class="feature">
<h5>Export</h5>
<p>
You can export a live copy of Caddy's current configuration with a GET request to its API.
</p>
</div>
<div class="feature">
<h5>Efficient Reloads</h5>
<p>
Config updates are finely tuned for efficiency so you can reload config dozens of times per second.
</p>
</div>
<div class="feature">
<h5>Graceful Reloads</h5>
<p>
Config changes take effect without downtime or closing sockets—even on Windows.
</p>
</div>
<div class="feature">
<h5>Config Validation</h5>
<p>
You can use Caddy's CLI to preview and validate configurations before applying them.
</p>
</div>
</div>
<h4>Basic Features</h4>
<div class="features">
<div class="feature">
<h5>The Caddyfile</h5>
<p>
An easy, intuitive way to configure your site. It's not scripting, and not hard to memorize. Rolls off the fingers. You'll really like it.
</p>
</div>
<div class="feature">
<h5>Static Files</h5>
<p>
By default, Caddy will serve static files in the current working directory. It's so brilliantly simple and works fast.
</p>
</div>
<div class="feature">
<h5>Dynamic Sites</h5>
<p>
Caddy can also be used to serve dynamic sites with templates, proxying, FastCGI, and by the use of plugins.
</p>
</div>
<div class="feature">
<h5>Command Line Interface</h5>
<p>
Customize how Caddy runs with its simple, cross-platform command line interface; especially great for quick, one-off server instances.
</p>
</div>
<div class="feature">
<h5>Plugins</h5>
<p>
Caddy can be extended with plugins. All apps, Caddyfile directives, HTTP handlers, and other features are plugins! They're easy to write and get compiled in directly.
</p>
</div>
<div class="feature">
<h5>Multi-core</h5>
<p>
When the going gets tough, Caddy gets going on more CPUs. Go's scheduler understands Go code, and goroutines are more lightweight than system threads. So yeah, it's fast.
</p>
</div>
<div class="feature">
<h5>Embeddable</h5>
<p>
Writing another program or web service that could use a powerful web server or reverse proxy? Caddy can be used like a library in your Go program.
</p>
</div>
<div class="feature">
<h5>Caddyfile Validation</h5>
<p>
Caddy can parse and verify your Caddyfile without actually running it.
</p>
</div>
<div class="feature">
<h5>Process Log</h5>
<p>
Caddy can write a log of all its significant events, especially errors. Log to a file, stdout/stderr, or a local or remote system log!
</p>
</div>
<div class="feature">
<h5>Log Rolling</h5>
<p>
When log files get large, Caddy will automatically rotate them to conserve disk space.
</p>
</div>
</div>
</section>
<section class="wrapper">
<h3>Security and Privacy</h3>
<p class="section-heading">
Caddy's flagship features are security and privacy. Caddy is the first and only web server to enable HTTPS automatically and by default.
</p>
<h4>TLS</h4>
<div class="features">
<div class="feature">
<h5>TLS 1.3</h5>
<p>
TLS 1.3 is the newest standard for transport security, which is faster and more secure than its predecessors.
</p>
</div>
<div class="feature">
<h5>Modern Cipher Suites</h5>
<p>
Caddy uses the best crypto technologies including AES-GCM, ChaCha, and ECC by default, balancing security and compatibility. You can customize which ciphers are allowed.
</p>
</div>
<!-- <div class="feature">
<h5>Man-in-the-Middle Detection</h5>
<p>
For HTTPS requests, Caddy can detect when the client's TLS connection is likely being intercepted by a proxy, giving you the ability to act accordingly.
</p>
</div> -->
<div class="feature">
<h5>Memory Safety</h5>
<p>
Caddy is the only web server in its class that is impervious to bugs like Heartbleed and buffer overflows because it is written in the memory-safe language of Go.
</p>
</div>
<div class="feature">
<h5>Client Authentication</h5>
<p>
With TLS client auth, you can configure Caddy to allow only certain clients to connect to your service.
</p>
</div>
<div class="feature">
<h5>Hardened Stack</h5>
<p>
Caddy is proudly written in Go, and its TLS stack is powered by the robust crypto/tls package in the Go standard library, trusted by the world's largest content distributors.
</p>
</div>
<div class="feature">
<h5>PCI Compliant</h5>
<p>
Companies choose Caddy because its TLS configuration is PCI-compliant by default. It has even saved some companies hours before losing certification!
</p>
</div>
<div class="feature">
<h5>Scalable Storage</h5>
<p>
TLS assets are stored on disk, but the storage mechanism can be swapped out for custom implementations so you can deploy and coordinate a fleet of Caddy instances.
</p>
</div>
<div class="feature">
<h5>Key Rotation</h5>
<p>
Caddy is cited as the <a href="https://jhalderm.com/pub/papers/forward-secrecy-imc16.pdf">only web server</a> to rotate TLS session ticket keys by default. This helps preserve forward secrecy, i.e. visitor privacy.
</p>
</div>
<div class="feature">
<h5>Server Name Indication</h5>
<p>
Caddy uses the TLS extension Server Name Indication (SNI) to be able to host multiple sites on a single interface. Like most features, this just works.
Caddy obtains certificates for you automatically using Let's Encrypt. Any ACME-compatible CA can be used. Caddy was the first web server to implement this technology.
</p>
</div>
<div class="feature">
<h5>Auto Renew</h5>
<p>
Never deal with certificates again! Certificates are automatically renewed in the background before they get close to expiring.
</p>
</div>
<div class="feature">
<h5>Dynamic Cert Loading</h5>
<p>
Caddy is the only web server that can obtain a certificate during a TLS handshake and use it right away.
</p>
</div>
<div class="feature">
<h5>Bring Your Own</h5>
<p>
If you still prefer to manage certificates yourself, you can give Caddy your certificate and key files (PEM format) like you're used to.
</p>
</div>
<div class="feature">
<h5>Bulk Cert Loading</h5>
<p>
If you manage many certificates yourself, you can give Caddy an entire folder to load certificates from.
</p>
</div>
<div class="feature">
<h5>Easy Self-Signed Certs</h5>
<p>
For easy local development and testing, Caddy can generate and manage self-signed certificates for you without any hassle.
</p>
</div>
<div class="feature">
<h5>SAN Certificates</h5>
<p>
Caddy fully accepts SAN certificates for times when you may be managing your own SAN certificates and wish to use those instead.
</p>
</div>
<div class="feature">
<h5>Cluster Support</h5>
<p>
Caddy can share managed certificates stored on disk with other instances and synchronize renewals in fleet deployments.
</p>
</div>
<div class="feature">
<h5>Scalable</h5>
<p>
Caddy's certificate management scales well up to tens of thousands of sites and tens of thousands of certificates per instance.
</p>
</div>
<div class="feature">
<h5>Wildcards</h5>
<p>
When needed, Caddy can obtain and renew wildcard certificates for you when you have many related subdomains to serve.
</p>
</div>
</div>
<h4>OCSP</h4>
<div class="features">
<div class="feature">
<h5>Stapling</h5>
<p>
Caddy staples OCSP responses to every qualifying certificate by default. Caddy's OCSP stapling is more robust against network failure than other web servers.
</p>
</div>
<div class="feature">
<h5>Caching</h5>
<p>
Every OCSP response is cached on disk to preserve integrity through restarts, in case the responder goes down or the network link is being attacked.
</p>
</div>
<div class="feature">
<h5>Must-Staple</h5>
<p>
Caddy can be configured to obtain Must-Staple certificates, which require that the certificate always have the OCSP response stapled.
</p>
</div>
<div class="feature">
<h5>Background Updates</h5>
<p>
Unlike other web servers, Caddy updates OCSP responses in the background, asynchronously of any requests, well before their expiration.
</p>
</div>
<div class="feature">
<h5>Pre-Validated</h5>
<p>
An OCSP response will not be stapled unless it checks out for validity first, to make sure it's something clients will accept.
</p>
</div>
<div class="feature">
<h5>Revocation Handling</h5>
<p>
If a managed certificate is discovered by OCSP to be revoked, Caddy will automatically try to replace the certificate.
</p>
</div>
</div>
<h4>ACME Protocol</h4>
<div class="features">
<div class="feature">
<h5>HTTP Challenge</h5>
<p>
Caddy can solve the HTTP challenge to obtain certificates. You can also configure Caddy to proxy these challenges to other processes.
</p>
</div>
<div class="feature">
<h5>TLS-ALPN Challenge</h5>
<p>
Caddy solves the TLS-ALPN challenge which happens on port 443 and does not require opening port 80 at all.
</p>
</div>
<div class="feature">
<h5>Fleet Coordination</h5>
<p>
Caddy coordinates the obtaining and renewing of certificates in cluster configurations for both HTTP and TLS-ALPN challenges!
</p>
</div>
<div class="feature">
<h5>DNS Challenge</h5>
<p>
Caddy solves the DNS challenge which does not involve opening any ports on the machine. There are integrations for all major DNS providers!
</p>
</div>
<div class="feature">
<h5>Revocation</h5>
<p>
If one of your private keys becomes compromised, you can use Caddy to easily revoke the affected certificates.
</p>
</div>
<div class="feature">
<h5>Customizable CA</h5>
<p>
Caddy is designed to be used with any ACME-compatible certificate authority, which you can customize with a single command line flag.
</p>
</div>
<div class="feature">
<h5>Robust to Failures</h5>
<p>
Caddy is the only web server and only major ACME client that was not disrupted by CA changes and outages, or OCSP responder hiccups.
</p>
</div>
</div>
</section>
<section class="wrapper">
<h3>HTTP Server</h3>
<p class="section-heading">
Caddy's HTTP server has a wide array of modern features, high performance, and is easy to deploy.
</p>
<h4>Site Features</h4>
<div class="features">
<div class="feature">
<h5>Directory Browsing</h5>
<p>
List files and folders with Caddy's attractive, practical design or according to your own custom template.
</p>
</div>
<div class="feature">
<h5>Virtual Hosts</h5>
<p>
Serve multiple sites from the same IP address with the Caddyfile.
</p>
</div>
<div class="feature">
<h5>Configurable Binding</h5>
<p>
You can select the network interfaces to which you bind the listener, giving you more access control over your site.
</p>
</div>
<div class="feature">
<h5>Markdown</h5>
<p>
Let Caddy render your Markdown files as HTML on-the-fly. You can embed your Markdown in a template and parse out front matter.
</p>
</div>
<div class="feature">
<h5>Templates</h5>
<p>
A powerful and improved alternative to Server-Side Includes, templates allow you to make semi-dynamic sites quickly and easily.
</p>
</div>
<div class="feature">
<h5>Custom Error Pages</h5>
<p>
Show user-friendly error pages when things go wrong, or write the error details to the browser for dev environments.
</p>
</div>
<div class="feature">
<h5>Logging</h5>
<p>
Caddy takes copious notes according to your favorite log format. Log errors and requests to a file, stdout/stderr, or a local or remote system log.
</p>
</div>
<!-- <div class="feature">
<h5>Debugging</h5>
<p>
Peer inside Caddy with Go's pprof and expvar functions, which allow you to profile the process and see exported variables.
</p>
</div> -->
<!-- <div class="feature">
<h5>Static Compressed Assets</h5>
<p>
When serving static files to a client that supports compression, Caddy will prefer serving the compressed equivalent if it exists on disk.
</p>
</div> -->
<div class="feature">
<h5>Request Size Limits</h5>
<p>
You can limit the size of request bodies that go through Caddy to prevent abuse of your network bandwidth.
</p>
</div>
<div class="feature">
<h5>Timeouts</h5>
<p>
Enabling timeouts can be a good idea when your server may be prone to slowloris attacks or you want to free up resources from slow networks.
</p>
</div>
</div>
<h4>Web Protocols</h4>
<div class="features">
<div class="feature">
<h5>HTTP/1.1</h5>
<p>
Still commonly used in plaintext, development, and debug environments, Caddy has solid support for HTTP/1.1.
</p>
</div>
<div class="feature">
<h5>HTTP/2</h5>
<p>
It's time for a faster web. Caddy uses HTTP/2 right out of the box. No thought required. HTTP/1.1 is still used when clients don't support HTTP/2.
</p>
</div>
<div class="feature">
<h5>HTTP/3</h5>
<p>
With the IETF-standard-draft version of QUIC, sites load faster and connections aren't dropped when switching networks.
</p>
</div>
<div class="feature">
<h5>WebSockets</h5>
<p>
Caddy supports making WebSocket connections directly to local programs' stdin/stdout streams that work a little bit like CGI.
</p>
</div>
<div class="feature">
<h5>IPv6</h5>
<p>
Caddy supports both IPv4 and IPv6. In fact, Caddy runs full well in an IPv6 environment without extra configuration.
</p>
</div>
<div class="feature">
<h5>FastCGI</h5>
<p>
Serve your PHP site behind Caddy securely with just one simple line of configuration. You can even specify multiple backends.
</p>
</div>
</div>
<h4>HTTP Spec</h4>
<div class="features">
<!-- <div class="feature">
<h5>HTTP/2 Server Push</h5>
<p>
Server push is when the server sends resources to the client before being asked for it, and it speeds up page loading.
</p>
</div> -->
<div class="feature">
<h5>Basic Authentication</h5>
<p>
Protect areas of your site with HTTP basic auth. It's simple to use and secure over HTTPS for most purposes.
</p>
</div>
<div class="feature">
<h5>Redirects</h5>
<p>
Caddy can issue HTTP redirects with any 3xx status code, including redirects using <code>&lt;meta&gt;</code> tags if you prefer.
</p>
</div>
<div class="feature">
<h5>Headers</h5>
<p>
Customize the response headers so that some headers are removed or others are added.
</p>
</div>
</div>
<h4>Reverse Proxy</h4>
<div class="features">
<div class="feature">
<h5>Basic Proxying</h5>
<p>
Caddy can act as a reverse proxy for HTTP requests. You can also proxy transparently (preserve the original Host header) with one line of config.
</p>
</div>
<div class="feature">
<h5>Load Balancing</h5>
<p>
Proxy to multiple backends using a load balancing policy of your choice: random, least connections, round robin, IP hash, or header.
</p>
</div>
<div class="feature">
<h5>SSL Termination</h5>
<p>
Caddy is frequently used as a TLS terminator because of its powerful TLS features.
</p>
</div>
<div class="feature">
<h5>WebSocket Proxy</h5>
<p>
Caddy's proxy middleware is capable of proxying websocket connections to backends as well.
</p>
</div>
<div class="feature">
<h5>Health Checks</h5>
<p>
Caddy marks backends in trouble as unhealthy, and you can configure health check paths, intervals, and timeouts for optimal performance.
</p>
</div>
<div class="feature">
<h5>Retries</h5>
<p>
When a request to a backend fails to connect, Caddy will try the request with other backends until one that is online accepts the connection.
</p>
</div>
<div class="feature">
<h5>Header Controls</h5>
<p>
By default, most headers will be carried through, but you can control which headers flow upstream and downstream.
</p>
</div>
<!-- <div class="feature">
<h5>Internal Requests</h5>
<p>
Caddy supports the X-Accel-Redirect (or X-Sendfile) header so you can protect resources from "external" requests.
</p>
</div> -->
<div class="feature">
<h5>Dynamic Backends</h5>
<p>
Proxy to arbitrary backends based on request parameters such as parts of the domain name or header values.
</p>
</div>
</div>
<h4>Amenities</h4>
<div class="features">
<div class="feature">
<h5>Clean URIs</h5>
<p>
Elegantly serve files without needing the extension present in the URL. These look nicer to visitors and are easy to configure.
</p>
</div>
<div class="feature">
<h5>Rewrites</h5>
<p>
Caddy has powerful request URI rewriting capabilities that support regular expressions, conditionals, and dynamic values.
</p>
</div>
<div class="feature">
<h5>Response Status Codes</h5>
<p>
Send a certain status code for certain requests.
</p>
</div>
<div class="feature">
<h5>Compression</h5>
<p>
Compress content on-the-fly using gzip, Zstandard, or brotli.