Caddy is the only web server that uses HTTPS by default. A hardened TLS stack with modern protocols preserves privacy and exposes MITM attacks.
Caddy simplifies your infrastructure. It takes care of TLS certificate renewals, OCSP stapling, static file serving, reverse proxying, Kubernetes ingress, and more.
Its modular architecture means you can do more with a single, static binary that compiles for any platform.
Caddy runs great in containers because it has no dependencies—not even libc. Run Caddy practically anywhere.
Caddy is the only web server to use HTTPS automatically and by default.
Caddy obtains and renews TLS certificates for your sites automatically. It even staples OCSP responses. Its novel certificate management features are the most mature and reliable in its class.
Written in Go, Caddy offers greater memory safety than servers written in C. A hardened TLS stack powered by the Go standard library serves a significant portion of all Internet traffic.
Ardan Labs is the trusted partner of the Caddy Web Server open source project, providing enterprise-grade support to our clients.
Together, we consult and train, as well as develop, install, and maintain Caddy and its plugins to ensure your infrastructure runs smoothly and efficiently. Contact us to get started!
Caddy is both a flexible, efficient static file server and a powerful, scalable reverse proxy.
Use it to serve your static site with compression, template evaluation, Markdown rendering, and more.
Or use it as a dynamic reverse proxy to any number of backends, complete with active and passive health checks, load balancing, circuit breaking, caching, and more.
$ caddy file-server
$ caddy file-server --domain example.com
$ caddy reverse-proxy --from example.com --to localhost:9000
$ caddy run

localhost
templates
file_server

example.com   # Your site's domain name
# Load balance between three backends with custom health checks
reverse_proxy 10.0.0.1:9000 10.0.0.2:9000 10.0.0.3:9000 {
    lb_policy       random_choose 2
    health_path     /ok
    health_interval 10s
}

example.com
# Templates give static sites some dynamic features
templates
# Compress responses according to Accept-Encoding headers
encode gzip zstd
# Make HTML file extension optional
try_files {path}.html {path}
# Send API requests to backend
reverse_proxy /api/* localhost:9005
# Serve everything else from the file system
file_server

POST /config/
{
  "apps": {
    "http": {
      "servers": {
        "example": {
          "listen": ["127.0.0.1:2080"],
          "routes": [{
            "@id": "demo",
            "handle": [{
              "handler": "file_server",
              "browse": {}
            }]
          }]
        }
      }
    }
  }
}

GET /config/

PUT /id/demo/handle/0
{"handler": "templates"}
As its primary mode of configuration, Caddy's REST API makes it easy to automate and integrate with your apps.
Because Caddy is written in Go, its binaries are entirely self-contained and run on every platform, including containers without libc.
Take back control over your compute edge. Caddy can be extended with everything you need using plugins.
Caddy 2 was boldly engineered to simplify your infrastructure and give you control over the edge of your compute platform.
Caddy can embed any Go application as a plugin, and has first-class support for plugins of plugins.
Global state is common in servers, but tends to be error-prone and a bottleneck, so Caddy 2 uses a novel design that limits global state.
For all its features, Caddy runs lightly and efficiently with a relatively low memory footprint and high throughput.
When the going gets tough, Caddy gets going on more CPUs. Go's scheduler understands Go code, and goroutines are more lightweight than system threads.
Caddy is a single executable file with no dependencies, not even libc. Literally just needs some metal and a kernel. Put Caddy in your PATH and run it. Done.
Caddy runs on Windows, macOS, Linux, BSD, Android, Solaris, 32-bit, amd64, ARM, aarch64, mips64... almost anything to which Go compiles.
Caddy's native config format is JSON, so it is familiar and highly interoperable with existing systems and tools.
Caddy's configuration is received through a REST endpoint as a single JSON document, making it highly programmable.
You can use config files with Caddy's CLI, which converts them to API requests for you under the hood.
Bring your own config! Config adapters translate various config formats (Caddyfile, TOML, NGINX, etc.) into Caddy's native JSON.
An easy, intuitive way to configure your site. It's not scripting, and not hard to memorize. Rolls off the fingers. You'll really like it.
All configuration is contained within a single JSON document so there are fewer hidden factors affecting your config.
When you have just small changes to make, Caddy's API lets you update just the relevant parts of its config.
Caddy's native JSON exposes the actual fields allocated in memory by the running server to give you more control.
You can export a live copy of Caddy's current configuration with a GET request to its API.
Config updates are finely tuned for efficiency so you can reload config dozens of times per second.
Config changes take effect without downtime or closing sockets—even on Windows.
You can use Caddy's CLI to preview and validate configurations before applying them.
By default, Caddy will serve static files in the current working directory. It's so brilliantly simple and works fast.
Caddy can also be used to serve dynamic sites with templates, proxying, FastCGI, and by the use of plugins.
Customize how Caddy runs with its simple, cross-platform command line interface; especially great for quick, one-off server instances.
Caddy can be extended with plugins. All apps, Caddyfile directives, HTTP handlers, and other features are plugins! They're easy to write and get compiled in directly.
When the going gets tough, Caddy gets going on more CPUs. Go's scheduler understands Go code, and goroutines are more lightweight than system threads. So yeah, it's fast.
Writing another program or web service that could use a powerful web server or reverse proxy? Caddy can be used like a library in your Go program.
Caddy can parse and verify your Caddyfile without actually running it.
Caddy can write a log of all its significant events, especially errors. Log to a file, stdout/stderr, or a local or remote system log!
When log files get large, Caddy will automatically rotate them to conserve disk space.
Caddy's flagship features are security and privacy. Caddy is the first and only web server to enable HTTPS automatically and by default.
TLS 1.3 is the newest standard for transport security, which is faster and more secure than its predecessors.
Caddy uses the best crypto technologies including AES-GCM, ChaCha, and ECC by default, balancing security and compatibility. You can customize which ciphers are allowed.
Caddy is the only web server in its class that is impervious to bugs like Heartbleed and buffer overflows because it is written in the memory-safe language of Go.
With TLS client auth, you can configure Caddy to allow only certain clients to connect to your service.
Caddy is proudly written in Go, and its TLS stack is powered by the robust crypto/tls package in the Go standard library, trusted by the world's largest content distributors.
Companies choose Caddy because its TLS configuration is PCI-compliant by default. It has even saved some companies hours before losing certification!
TLS assets are stored on disk, but the storage mechanism can be swapped out for custom implementations so you can deploy and coordinate a fleet of Caddy instances.
Caddy is cited as the only web server to rotate TLS session ticket keys by default. This helps preserve forward secrecy, i.e. visitor privacy.
Caddy uses the TLS extension Server Name Indication (SNI) to be able to host multiple sites on a single interface. Like most features, this just works.
Caddy's automatic HTTPS feature includes redirecting HTTP to HTTPS for you by default.
Caddy obtains certificates for you automatically using Let's Encrypt. Any ACME-compatible CA can be used. Caddy was the first web server to implement this technology.
Never deal with certificates again! Certificates are automatically renewed in the background before they get close to expiring.
Caddy is the only web server that can obtain certificates during a TLS handshake and use them right away.
If you still prefer to manage certificates yourself, you can give Caddy your certificate and key files (PEM format) like you're used to.
If you manage many certificates yourself, you can give Caddy an entire folder to load certificates from.
For easy local development and testing, Caddy can generate and manage self-signed certificates for you without any hassle.
Caddy fully accepts SAN certificates for times when you may be managing your own SAN certificates and wish to use those instead.
Caddy can share managed certificates stored on disk with other instances and synchronize renewals in fleet deployments.
Caddy's certificate management scales well up to tens of thousands of sites and tens of thousands of certificates per instance.
When needed, Caddy can obtain and renew wildcard certificates for you when you have many related subdomains to serve.
Caddy staples OCSP responses to every qualifying certificate by default. Caddy's OCSP stapling is more robust against network failure than other web servers.
Every OCSP response is cached on disk to preserve integrity through restarts, in case the responder goes down or the network link is being attacked.
Caddy can be configured to obtain Must-Staple certificates, which requires that certificate to always have the OCSP response stapled.
Unlike other web servers, Caddy updates OCSP responses in the background, asynchronously of any requests, well before their expiration.
An OCSP response will not be stapled unless it checks out for validity first, to make sure it's something clients will accept.
If a managed certificate is discovered by OCSP to be revoked, Caddy will automatically try to replace the certificate.
Caddy can solve the HTTP challenge to obtain certificates. You can also configure Caddy to proxy these challenges to other processes.
Caddy solves the TLS-ALPN challenge which happens on port 443 and does not require opening port 80 at all.
Caddy coordinates the obtaining and renewing of certificates in cluster configurations for both HTTP and TLS-ALPN challenges!
Caddy solves the DNS challenge which does not involve opening any ports on the machine. There are integrations for all major DNS providers!
If one of your private keys becomes compromised, you can use Caddy to easily revoke the affected certificates.
Caddy is designed to be used with any ACME-compatible certificate authority, which you can customize with a single command line flag.
Caddy is the only web server and only major ACME client that was not disrupted by CA changes and outages, or OCSP responder hiccups.
Caddy's HTTP server has a wide array of modern features, delivers high performance, and is easy to deploy.
List files and folders with Caddy's attractive, practical design or according to your own custom template.
Serve multiple sites from the same IP address with the Caddyfile.
You can select which network interfaces the listener binds to, giving you more access control over your site.
Let Caddy render your Markdown files as HTML on-the-fly. You can embed your Markdown in a template and parse out front matter.
A powerful and improved alternative to Server-Side Includes, templates allow you to make semi-dynamic sites quickly and easily.
Show user-friendly error pages when things go wrong, or write the error details to the browser for dev environments.
Caddy takes copious notes according to your favorite log format. Log errors and requests to a file, stdout/stderr, or a local or remote system log.
You can limit the size of request bodies that go through Caddy to prevent abuse of your network bandwidth.
Enabling timeouts can be a good idea when your server may be prone to slowloris attacks or you want to free up resources from slow networks.
Still commonly used in plaintext, development, and debug environments, Caddy has solid support for HTTP/1.1.
It's time for a faster web. Caddy uses HTTP/2 right out of the box. No thought required. HTTP/1.1 is still used when clients don't support HTTP/2.
With the IETF-standard-draft version of QUIC, sites load faster and connections aren't dropped when switching networks.
Caddy supports making WebSocket connections directly to local programs' stdin/stdout streams that work a little bit like CGI.
Caddy supports both IPv4 and IPv6. In fact, Caddy runs well in an IPv6 environment without extra configuration.
Serve your PHP site behind Caddy securely with just one simple line of configuration. You can even specify multiple backends.
Protect areas of your site with HTTP basic auth. It's simple to use and secure over HTTPS for most purposes.
Caddy can issue HTTP redirects with any 3xx status code, including redirects using <meta> tags if you prefer.
Customize the response headers so that some headers are removed or others are added.
Caddy can act as a reverse proxy for HTTP requests. You can also proxy transparently (preserve the original Host header) with one line of config.
Proxy to multiple backends using a load balancing policy of your choice: random, least connections, round robin, IP hash, or header.
Caddy is frequently used as a TLS terminator because of its powerful TLS features.
Caddy's proxy middleware is capable of proxying websocket connections to backends as well.
Caddy marks backends in trouble as unhealthy, and you can configure health check paths, intervals, and timeouts for optimal performance.
When a request to a backend fails to connect, Caddy will try the request with other backends until one that is online accepts the connection.
By default, most headers will be carried through, but you can control which headers flow upstream and downstream.
Proxy to arbitrary backends based on request parameters such as parts of the domain name or header values.
Elegantly serve files without needing the extension present in the URL. These look nicer to visitors and are easy to configure.
Caddy has powerful request URI rewriting capabilities that support regular expressions, conditionals, and dynamic values.
Send a certain status code for certain requests.
Compress content on-the-fly using gzip, Zstandard, or brotli.