Sign in Subscribe
By Sahil Kapoor -

Caddy

A modern web server and reverse proxy written in Go that provisions and renews TLS certificates automatically — the simplest path to HTTPS for self-hosted services.

Caddy is an open-source web server built with a single design priority: automatic HTTPS. By default, Caddy obtains TLS certificates from Let's Encrypt (or ZeroSSL), renews them automatically, and serves your content over HTTPS without any manual certificate management. Its configuration language (Caddyfile) is designed to be human-readable.

Caddyfile Syntax

example.com {
    reverse_proxy localhost:3000
}

api.example.com {
    reverse_proxy localhost:8080
    rate_limit {
        zone dynamic {
            key {remote_host}
            events 100
            window 1m
        }
    }
}

This config: serves two hostnames, proxies to local services, enforces rate limiting, and handles TLS automatically. Caddy starts with this config and immediately requests certificates if they don't exist.

Key Features

  • Automatic HTTPS — default for all sites with a public domain; handles ACME challenges, renewal, OCSP stapling
  • HTTP/2 and HTTP/3 — enabled by default
  • Caddyfile and JSON API — simple declarative config or dynamic JSON API for programmatic control
  • Module system — extend with plugins (DNS providers, middleware, auth)
  • Zero-downtime reloadscaddy reload applies config changes without dropping connections

Caddy vs Nginx

  • TLS management — Caddy automates it; Nginx requires certbot + cron
  • Config simplicity — Caddyfile is concise; nginx.conf is verbose
  • Performance — Nginx has higher raw throughput for static files at scale; Caddy is fast enough for most workloads
  • Ecosystem — Nginx has decades of modules and guides; Caddy is newer but growing fast

Caddy vs Traefik

Traefik is optimized for dynamic environments (Kubernetes, Docker Swarm) where services start and stop frequently. Caddy is optimized for static or semi-static deployments where you define services upfront. Caddy has a simpler mental model; Traefik has richer auto-discovery.

Docker Setup

version: "3.9"
services:
  caddy:
    image: caddy:latest
    ports: ["80:80", "443:443"]
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
  • Traefik — alternative with better Kubernetes/Docker dynamic discovery
  • Cloudflare Tunnel — pair with Caddy for HTTPS without open ports
  • Docker — standard deployment environment for Caddy
  • Tailscale — Caddy serves the internal network that Tailscale creates

Subscribe to Sahil's Playbook

Clear thinking on product, engineering, and building at scale. No noise. One email when there's something worth sharing.
[email protected]
Subscribe
Mastodon