```bash
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
```

```bash
dnf install 'dnf-command(copr)'
dnf copr enable @caddy/caddy
dnf install caddy
```
Chocolatey:

```powershell
choco install caddy
```

Scoop:

```powershell
scoop install caddy
```
- Package name: [`caddy`](https://search.nixos.org/packages?channel=unstable&show=caddy&query=caddy)
- NixOS module: [`services.caddy`](https://search.nixos.org/options?channel=unstable&show=services.caddy.enable&query=services.caddy)
In Termux:

```bash
pkg install caddy
```
Webi

Linux and macOS:

```bash
curl -sS https://webi.sh/caddy | sh
```

Windows:

```powershell
curl.exe https://webi.ms/caddy | powershell
```
Ansible

```bash
ansible-galaxy install nvjacobo.caddy
```
Make sure to have `git` and the latest version of [Go](https://go.dev) installed.
```bash
git clone "https://github.com/caddyserver/caddy.git"
cd caddy/cmd/caddy/
go build
```
[`xcaddy`](https://github.com/caddyserver/xcaddy) is a command line tool that helps you build Caddy with plugins. A basic build looks like:
```bash
xcaddy build
```
To build with plugins, use `--with`:
```bash
xcaddy build \
    --with github.com/caddyserver/nginx-adapter \
    --with github.com/caddyserver/ntlm-transport@v0.1.1
```
1. Obtain a Caddy binary:
   - [from releases on GitHub](https://github.com/caddyserver/caddy/releases) (expand "Assets")
     - Refer to [Verifying Asset Signatures](/docs/signature-verification) for how to verify the asset signature
   - [from our download page](/download)
   - [by building from source](/docs/build) (either with `go` or `xcaddy`)
2. [Install Caddy as a system service.](/docs/running#manual-installation) This is strongly recommended, especially for production servers.
Place the binary in one of your `$PATH` (or `%PATH%` on Windows) directories so you can run `caddy` without typing the full path of the executable file. (Run `echo $PATH` to see the list of directories that qualify.)
You can upgrade static binaries by replacing them with newer versions and restarting Caddy. The [`caddy upgrade` command](/docs/command-line#caddy-upgrade) can make this easy.
On-demand TLS is designed for situations when you either don't control the domain names, or you have too many certificates to load all at once when the server starts. For every other use case, standard TLS automation is likely better suited.
In order to prevent abuse, you must first configure an `ask` endpoint so Caddy can check whether it should get a certificate. Add this to your global options at the top:
```caddy
{
	on_demand_tls {
		ask http://localhost:5555/check
	}
}
```
Change that endpoint to be something you've set up that will respond with HTTP 200 if the domain given in the `domain=` query parameter is allowed to have a certificate.
Then create a site block that serves all sites/hosts on the TLS port:
```caddy
https:// {
	tls {
		on_demand
	}
}
```
This is the minimum config to enable Caddy to accept and service TLS connections for arbitrary hosts. This config doesn't invoke any handlers. Usually you'll also [`reverse_proxy`](/docs/caddyfile/directives/reverse_proxy) to your backend application.
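
A minimal `ask` endpoint matching the `http://localhost:5555/check` setting above, as an added example rather than code from the Caddy project: it returns HTTP 200 only when the `domain=` value is an exact match on an allowlist. The allowlist contents and the names `allowedDomains`, `normalize`, `askStatus` and `checkHandler` are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Constructed allowlist for illustration; a real deployment would look the
// name up in whatever store records which customer domains are provisioned.
var allowedDomains = map[string]bool{
	"customer1.example.com": true,
	"shop.example.net":      true,
}

// normalize lowercases the name and strips surrounding space and a trailing
// dot, so "Shop.Example.NET." and "shop.example.net" compare equal.
func normalize(domain string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(domain)), ".")
}

// askStatus maps a domain= value to the status code the endpoint returns.
// Only an exact allowlist match yields 200; suffix or substring matches do not.
func askStatus(domain string) int {
	d := normalize(domain)
	if d == "" {
		return http.StatusBadRequest
	}
	if allowedDomains[d] {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// checkHandler serves /check?domain=<name> and logs every decision, which
// gives a record of names that were refused a certificate.
func checkHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status := askStatus(domain)
	log.Printf("ask domain=%q status=%d", domain, status) // %q escapes control characters
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/check", checkHandler)
	// Listen on loopback only so the endpoint is reachable just from the local Caddy.
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil))
}
```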