Caddy – The Ultimate Server with Automatic HTTPS

Positioning vs Other Servers

  • Seen largely as a standalone replacement for Nginx/Apache rather than a complement.
  • Many users migrated all Nginx hosts or homelab setups to Caddy, citing easier HTTPS and simpler configs.
  • Others stick with Nginx/Traefik, saying once cert automation is solved, benefits over Nginx shrink.
  • Traefik is often preferred in container-heavy / Kubernetes setups; Caddy preferred for simpler VPS/homelab deployments.

Automatic HTTPS & TLS / Local Development

  • Automatic certificate issuance/renewal is the headline feature; people report replacing years of Nginx+Certbot work in minutes.
  • Used heavily for:
    • Local HTTPS and HTTP/2 testing (e.g. fronting dev servers, Vite, long-polling APIs).
    • On-demand TLS for user subdomains and custom domains.
  • Debate over “game changer” status:
    • Objection: it needs publicly reachable ports 80/443, or a root CA installed on clients, for local-only use.
    • Counter: DNS-01 challenges, local DNS/hosts, wildcard certs, and tools like Localias or traefik.me mitigate this.
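
Both sides of the local-HTTPS debate above, as an added Caddyfile sketch (not from the discussion or from the Caddy project). The hostnames, the upstream port, Cloudflare as the DNS provider and the `CF_API_TOKEN` variable name are assumptions chosen for illustration.

```caddyfile
# Added example. Hostnames, upstream port, DNS provider and the env var
# name are assumptions, not taken from the discussion.

# Option 1: local-only site signed by Caddy's internal CA.
# No inbound 80/443 needed, but every client must trust Caddy's root
# certificate (`caddy trust` installs it on the local machine).
app.internal.example {
	tls internal
	reverse_proxy 127.0.0.1:5173
}

# Option 2: publicly trusted wildcard certificate via the ACME DNS-01
# challenge. Validation happens through a DNS TXT record, so the host
# needs no inbound 80/443; the names can resolve to private addresses
# through local DNS or a hosts file.
# Requires a Caddy binary built with a DNS provider module
# (here caddy-dns/cloudflare, chosen for illustration).
*.dev.example.com {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}

	@app host app.dev.example.com
	handle @app {
		reverse_proxy 127.0.0.1:5173
	}

	# Any other subdomain covered by the wildcard gets a 404 instead of
	# silently reaching a backend.
	handle {
		respond "not found" 404
	}
}
```

A DNS API token that can write TXT records can satisfy DNS-01 for any name in the zone, so scope it to DNS edits on that one zone and supply it through the environment rather than the Caddyfile.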

Configuration Experience

  • Strong praise for:
    • Minimal Caddyfile configs (“three lines for HTTPS site”).
    • Good defaults, easy reverse proxying, and quick setup.
  • Pain points:
    • JSON config is verbose and hard to reason about; mixing Caddyfile vs JSON vs REST API can confuse newcomers.
    • Docs sometimes assume plugins or systemd, leading to surprises on minimal systems or distro packages.
    • Some users gave up after struggling with path rewrites, logging, or reverse proxy edge cases.

Ecosystem & Features

  • Popular extensions and patterns:
    • FrankenPHP (Caddy+PHP), caddy-docker-proxy (Docker labels-based routing), L4 plugin (TCP proxying), CertMagic library.
    • Used behind Vaultwarden, Mattermost, AI model APIs, and multi-tenant “unlimited domains” platforms.
  • Admin API for dynamic, zero-downtime config changes is highlighted as a key differentiator.
  • Static, modular binary model is praised for deployment simplicity, but lack of dynamic modules means building custom binaries for extras (e.g. DNS providers, rate limiting).

Critiques, Trust, and Alternatives

  • Landing page and marketing tone turn some people off; they worry about over-claiming and under-documenting tradeoffs.
  • Others argue the page is in line with normal product marketing and the software is mature and widely trusted.
  • Missing or non-core features (built‑in OIDC, rate limiting, some logging behaviors) push some toward Nginx+oauth2‑proxy, Traefik, or alternatives like h2o or lighttpd.