{{include "/includes/head.html"}}
{{include "/includes/header.html" "dark-header"}}

All features
You might want to sit down for this.

Features in this color are provided by available plugins.

Overview

Caddy is essentially a configuration management system that can run various apps like an HTTP server, TLS certificate manager, PKI facilities, and more. It can be extended with plugins known as config modules.

Caddy sports a flexible and powerful HTTP reverse proxy, on-line configuration API, and a robust, production-ready static file server, and serves all sites over HTTPS by default with automagic TLS certificates.

Overall program technical specifications

Language

The language choice is crucial for a web server. Most servers (NGINX, Apache, HAProxy, etc.) and their dependencies are written in C, which leaves them vulnerable to catastrophic memory safety bugs like Heartbleed. Go programs like Caddy are impervious to a whole class of security vulnerabilities.
Go

Build artifacts

Caddy compiles directly to native CPU instructions. No interpreter is required, and many instructions are architecture-optimized.
Platform-native static binary

Runtime dependencies

Caddy is statically compiled. Dynamically-linked applications can easily break in production and may be less secure, as shared executable resources are loaded from various places around the system. Generally, Caddy binaries do not require external libraries, not even libc.
None

Compile time

On consumer hardware, standard Caddy builds compile in just a few seconds. This is crucial for rapid iteration, plugin development, and low-cost deployments.
5 seconds

Deployment environments

Caddy can go practically anywhere and be deployed in a variety of ways. In general, upgrading is as simple as replacing the binary.
  • Command line interface
  • System service
  • Containers
  • Kubernetes
  • Embedded

Supply chain and releases

Go modules verify the integrity of our dependencies and we cryptographically sign our release artifacts so you know what you can trust.
Cryptographically verified

Operating systems

Caddy runs on every major platform for which Go compiles.
  • Linux
  • Windows
  • macOS
  • FreeBSD
  • OpenBSD
  • NetBSD
  • Android

Microarchitectures

Run Caddy with native code on numerous CPU platforms.
  • x86 (i386, i686)
  • x86-64 (AMD64)
  • ARM
  • ARM 64 (AArch64)
  • MIPS
  • MIPS64[LE]
  • PPC64[LE]
  • RISCV64
  • S390X
  • Apple Silicon (Apple ARM; M1, M2, etc.)

Regular expression engine

Caddy's regular expression language is based on the Thompson NFA and has numerous performance improvements over PCRE used by other web servers. It guarantees the runtime cost increases linearly instead of exponentially. This is ideal when evaluating untrusted input.

RE2 Syntax

RE2
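
The linear-time guarantee described above, shown with Go's standard `regexp` package (the RE2-syntax engine in the Go standard library). This is an added example, not code from Caddy; the pattern and inputs are constructed for illustration. It times a nested-quantifier pattern against growing non-matching input and shows that constructs which require backtracking are rejected at compile time.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// nestedQuantifier is the textbook pattern that causes exponential
// backtracking in backtracking engines when the input almost matches.
var nestedQuantifier = regexp.MustCompile(`^(a+)+$`)

// hostileInput builds n 'a' characters followed by '!' so the match must fail
// only after the engine has considered the whole string (constructed input).
func hostileInput(n int) string { return strings.Repeat("a", n) + "!" }

// matchTimed reports whether input matches and how long the attempt took.
func matchTimed(re *regexp.Regexp, input string) (bool, time.Duration) {
	start := time.Now()
	ok := re.MatchString(input)
	return ok, time.Since(start)
}

// compiles reports whether the engine accepts the pattern at all.
func compiles(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

func main() {
	// Elapsed time should grow roughly in step with n, not explode.
	for _, n := range []int{1000, 10000, 100000} {
		ok, d := matchTimed(nestedQuantifier, hostileInput(n))
		fmt.Printf("n=%-7d matched=%v elapsed=%s\n", n, ok, d)
	}
	// Backreferences and lookahead cannot be matched in linear time,
	// so RE2 syntax refuses them instead of running them slowly.
	for _, p := range []string{`(\w+)\s+\1`, `foo(?=bar)`, `^(a+)+$`} {
		fmt.Printf("%-14q compiles=%v\n", p, compiles(p))
	}
}
```

Patterns ported from a PCRE-based server that rely on backreferences or lookaround fail to compile and need to be rewritten before use.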

Concurrency model

Go's runtime optimizes scheduled CPU time in smarter ways than the operating system can using lightweight user-space threads called goroutines. Caddy easily handles hundreds of thousands of requests per second.
Goroutines (epoll + kqueue)

Plugin model

Caddy can be extended by compile-time plugins, which compile as native code, in a way that cannot be broken during deployments or by system upgrades. With no IPC or RPC calls, Caddy extensions perform equally well with native code.
Compile-time static

High-level capabilities

Configuration changes

With zero-downtime graceful reloads, Caddy's configuration can be changed while it is running. It's programmable/scriptable for powerful automation.
  • RESTful HTTP API
  • Config files
  • Secure remote access

App modules

Top-level configuration structures are called app modules, or Caddy apps. They provide the bulk of Caddy's functionality. Anyone can write app modules, and Caddy comes with several standard apps built-in.
  • HTTP
  • TLS
  • PKI
  • Events
  • Raw TCP & UDP
  • SSH
  • PHP
  • Dynamic DNS
  • Security
  • Process supervision
  • Profiling

Logs

Caddy's logging can be configured as to format, verbosity, output, and more.
  • Leveled
  • Structured
  • High efficiency, zero-allocation

Storage

Assets and state, including certificates and OCSP staples, are stored in configurable storage backends. In fact, multiple instances of Caddy configured with the same storage are considered part of a cluster and can coordinate automatically.
  • File system
  • Embedded (in-memory)
  • Postgres
  • Redis
  • Vault
  • Consul

Command line interface

Caddy's CLI is not only useful—it's helpful. While most server CLIs merely run the process and reload config, Caddy's CLI goes the extra lightyear to help make administering your modern web server a breeze.

Plugins can register their own subcommands to extend Caddy's CLI.

Command help

If you misspell a command or flag, miss an argument, or don't know the subcommand, help text is automatically printed. You can also access overall command help or subcommand help with caddy help or -h.
Built-in, automatic (man pages can also be generated)

Admin API wrappers

Several subcommands wrap administration API endpoints so you can perform common tasks from the CLI, like loading config from files or stopping the server.
  • Adapt config to JSON
  • Start the server, optionally with config
  • Gracefully reload configuration
  • Stop the server

Binary utilities

Since custom builds of Caddy are so common, several commands exist to help you manage and get detailed information about your build.
  • Detailed build metadata
  • List installed config modules
  • List dependencies
  • Add and remove plugin packages
  • Print the version
  • Upgrade the Caddy binary

Configuration utilities

If you choose to use configuration files, Caddy's CLI helps you manage them.
  • Format Caddyfile
  • Validate configuration
  • List dependencies
  • Add and remove plugin packages
  • Print the version

Module utilities

Modules may register their own subcommands to provide common functionality that can be utilized without a config document.
  • Static file server
  • HTTP reverse proxy
  • Static HTTP responses (templateable)
  • Storage import/export (backup/restore)
  • Hash password for use with HTTP basic auth
  • Export file browse template

Integration utilities

Several subcommands can help you integrate Caddy into your shell environment.
  • Generate shell completion script
  • Print the environment
  • Generate man pages
  • Install Caddy-managed root CA into trust stores
  • Remove Caddy-managed root CA from trust stores

System signals

Caddy has support for common operating system signals/interrupts, with subtle differences in behavior for each one.

Signal documentation

  • INT (graceful stop)
  • QUIT
  • TERM

Exit codes

Whether Caddy exits successfully or with an error, the exit code can give a hint to your process supervisor or script how to handle that.

Configuration

We've designed Caddy so that its configuration not only provides access to features, but it IS a feature in and of itself.

No more quibbling over which config file format is the best: use whatever you want! Caddy's config adapters allow you to use whatever config format you prefer.

Native config format

Caddy's native configuration format is ubiquitous: it has tooling in nearly every operating system, platform, programming language, and API ecosystem. Almost all other formats can be translated down into JSON, which balances human readability and programmability. You'll find it a powerful ally of your web server.
JSON

Config adapters

You can always write your config in another format; with config adapters, Caddy will implicitly translate it into JSON for you, so you can work with what you like.
  • Caddyfile
  • JSON 5
  • JSON-C
  • NGINX Conf
  • YAML
  • CUE
  • TOML
  • HCL
  • Dhall
  • MySQL

Human-friendly config

The Caddyfile is most users' favorite way to write their web server config by hand because its syntax is forgiving while also being designed with a structure that makes it easy to read and write. It is translated to JSON automatically.
Caddyfile

Export

Caddy's administration API allows you to have runtime access to the current configuration in JSON format with a simple GET request.

Config API

Caddy receives its configuration through an API endpoint, which can accept JSON or any other format it has a config adapter for.

Config files

If you prefer normal commands to manage configuration, Caddy's CLI wraps the API endpoints for you.

HTTP server

Caddy's HTTP server is one-of-a-kind: powerful, extensible, efficient, and modern.

HTTP versions

Caddy's HTTP server supports all major versions of HTTP and enables them by default. You can customize exactly which versions you want to serve.
  • HTTP/1.1
  • HTTP/2
  • HTTP/2 over cleartext (H2C)
  • HTTP/3

Listen interfaces

Each HTTP server can listen on one or more sockets and network interfaces. For ports, you can specify a specific host interface, or all interfaces with just a port. All varieties of unix sockets are also supported.
  • TCP
  • UDP
  • Unix sockets

Listener wrappers

Listeners can be wrapped by modules that operate at the connection-accept level.
  • Redirect HTTP on HTTPS port
  • PROXY protocol
  • Tailscale

Timeouts

Setting timeouts is an important defensive measure for production environments, but must be tuned carefully to accommodate legitimate slow clients with large downloads or uploads.
  • Read timeout
  • Read HTTP header timeout
  • Write timeout
  • Idle timeout
  • TCP keepalive interval

Full duplex communication

Concurrent reading and writing of HTTP/1 is not supported by all clients, but can be enabled for certain clients and applications that require it.
  • Configurable for HTTP/1
  • Default for HTTP/2

Reverse proxy

Caddy has the most flexible general-purpose reverse proxy in the world, featuring advanced request and response handling, dynamic routing, health checking, load balancing, circuit breaking, and more.

What makes Caddy's proxy unique is its design. Only the client-facing side of the proxy needs to be HTTP; the transport underlying the roundtrip with the backend can be fulfilled with any protocol!

Moreover, our proxy can be programmed with highly dynamic upstreams. That is, the available upstreams can change during in-flight requests! If no backends are available, Caddy can hold onto the request until one is.

High-level proxy features

Transports

Transports are how Caddy gets the response from the backend. Caddy's proxy can be a front for protocols other than HTTP by using alternate transport modules. This allows Caddy to generate HTTP responses from backends that don't even speak HTTP!
  • HTTP
  • FastCGI
  • NTLM

Load balancing

Selecting upstreams is a crucial function of any modern reverse proxy. Caddy has a variety of built-in load balancing policies to choose from to suit any production services. Some policies are extremely fast and lightweight; others provide upstream affinity based on properties of the client or request; others strive for even distribution by counting connections or using randomness and weights.
  • Random
  • Random Choose-N
  • Least connections
  • Round robin
  • Weighted round robin
  • First available
  • Remote IP hash
  • Client IP hash
  • URI hash
  • Query hash
  • Header hash
  • Cookie hash

Circuit breaking

A circuit breaker module can temporarily mark a backend as down before it actually goes down, to keep it up.
Latency-based

Health checking

Health checks detect when upstreams are unavailable. Passive health checks infer status from actual requests. Active health checks work in the background, out-of-band of client requests.
  • Active
  • Passive

Observability

The admin API exposes an endpoint to retrieve the traffic count and health status of the proxy upstreams.

Upstream sources

Caddy can get the list of upstreams in various ways. The most common is to write them into the configuration (static). Other ways are dynamic, by which a list of upstreams is returned for each request (these utilize configurable caching to enhance performance).
  • Static
  • Dynamic: A records
  • Dynamic: SRV records
  • Dynamic: Multiple sources combined

Streaming

Responses can be streamed directly to the client, or for better wire performance, buffered slightly and flushed periodically.

Trusted proxies

In order to use proxy-related headers like X-Forwarded-For, you can specify a list of IP ranges of proxies you trust. By default Caddy doesn't trust the clients.
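
One way a trusted-proxy list can be applied when deciding which address to attribute a request to, as an added example (it is not Caddy's code, and the function names, addresses and header values are constructed for illustration). The header is ignored unless the direct peer is in a trusted range, and the chain is then walked from the right so entries a client prepended itself are never believed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// isTrusted reports whether a falls inside any trusted proxy range.
func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIP honours X-Forwarded-For only when the direct peer is trusted, then
// walks the chain right to left; the first hop that is not a trusted proxy wins.
func clientIP(remoteAddr string, h http.Header, trusted []netip.Prefix) netip.Addr {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return netip.Addr{} // zero value: caller treats the client as unknown
	}
	client := peer.Addr().Unmap()
	if !isTrusted(client, trusted) {
		return client // untrusted peer: whatever header it sent is ignored
	}
	hops := strings.Split(strings.Join(h.Values("X-Forwarded-For"), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed or empty entry: keep the last verified hop
		}
		client = hop.Unmap()
		if !isTrusted(client, trusted) {
			break
		}
	}
	return client
}

func main() {
	trusted := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}
	h := http.Header{"X-Forwarded-For": {"198.51.100.9, 192.0.2.44, 10.0.0.9"}}
	fmt.Println(clientIP("203.0.113.7:4431", h, trusted)) // direct, untrusted peer
	fmt.Println(clientIP("10.0.0.5:4431", h, trusted))    // arrived via trusted proxy
}
```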

Header manipulation

Headers can be modified in the request going up to the backend and the response coming back down from the backend.
  • Add
  • Set (overwrite)
  • Delete
  • Substring replace

Buffering

The proxy can read the entire body before flushing it. This uses more memory but can be required by some backend applications or clients in some cases.
  • Requests
  • Responses

Request rewriting

Rewriting is a different concern from proxying and is normally handled separately, but sometimes you need to rewrite requests using information from the proxy like the chosen upstream. Caddy's proxy lets you do this.

Response interception

By default, Caddy's proxy simply writes responses to the client. However, you can intercept the upstream's response and handle it in other ways. This includes matching only certain responses and invoking a custom handler chain you specify.

Active health checks

Active health checks assume a backend is down by default until that is confirmed otherwise by a health check.

HTTP request parameters

Active health checks are performed against an HTTP endpoint on the upstream. You can customize the parameters for these HTTP requests to work for you.
  • Path & query string
  • Port
  • Headers

Timing

You can customize the interval at which active health checks are performed.

Success criteria

Each active health check can be customized with a set of criteria to determine healthy or unhealthy status.
  • Response timeout
  • HTTP status code
  • Regular expression match on body

Failure safety

Backends that are experiencing bugs and difficulties may sometimes respond with unexpectedly large response bodies. Caddy lets you limit this to preserve proxy resources.
Limit response size

Passive health checks

Passive health checks assume a backend is up by default until failure criteria are met in the course of proxying requests.

Failure criteria

All passive health checks count connection failures. In addition, you can set more criteria needed to deem a backend as healthy during a request.
  • Concurrent request limit exceeded
  • HTTP Status
  • Latency

Failure memory

You can customize how long to remember failures and how many failures need to be in memory to consider a backend to be down.

HTTP transport

This is the default transport module. It crafts a proxied HTTP request to obtain an HTTP response from the backend.

DNS resolvers

The system resolvers are used by default, but you can specify custom DNS resolvers per proxy handler.

TLS

Caddy can be configured to support TLS (formerly known as SSL) to the upstream.
  • Custom root CA pool
  • Client authentication to backend
  • Custom handshake timeout
  • Server Name Indication (SNI)
  • Renegotiation level
  • Exempt certain ports from TLS

Connection pooling

Connections to backends are pooled for maximum efficiency and minimal latency.
  • HTTP Keep-Alive
  • Custom probe interval
  • Maximum idle connections (total and per-host)
  • Idle connection timeout

Compression

Caddy can compress requests for the roundtrip with the backend.
Gzip

Connection limit

You can limit the number of connections per host.

PROXY Protocol

The PROXY Protocol v1 and v2 are both supported when connecting to upstreams.

Timeouts

Various timeouts can be configured; some have sensible default values.
  • Connection (dial)
  • RFC 6555 fallback
  • Reading response headers
  • Expect continue
  • Read
  • Write

Custom buffer sizes

Tune the size of read/write buffers if you find that your application performs better with certain settings.
  • Read buffers
  • Write buffers

HTTP versions

Caddy's proxy supports multiple HTTP versions with the backend. By default, HTTP/1.1 and HTTP/2 are supported.
  • HTTP/1.1
  • HTTP/2
  • H2C (HTTP/2 over cleartext)

Static file server

Caddy's file server is the preferred way of serving static files for your website.

The way it works is simple: specify a root directory from which to serve the files, then request paths are automatically inferred as file paths relative to that root and the file is sent to the client.

TODO...

{{include "/includes/footer.html"}}