What Caddy Does
- Automatic HTTPS: Obtains, renews, and manages TLS certificates automatically — zero config
- Reverse Proxy: Forward requests to backend services with load balancing and health checks
- File Server: Serve static files with directory listing, compression, and caching
- HTTP/3: Native QUIC/HTTP/3 support for faster connections
- Virtual Hosts: Host multiple sites on one server with per-site configuration
- API Configuration: RESTful API for dynamic config changes without restart
- Extensible: Plugin system for custom modules (auth, caching, WAF, etc.)
Caddyfile Examples
Simple Static Site
yourdomain.com {
    root * /var/www/html
    file_server
}

That's it. Caddy automatically:
- Gets a TLS certificate from Let's Encrypt
- Redirects HTTP to HTTPS
- Serves files from /var/www/html
- Handles certificate renewal
Reverse Proxy
app.yourdomain.com {
    reverse_proxy localhost:3000
}

api.yourdomain.com {
    reverse_proxy localhost:8080
}

grafana.yourdomain.com {
    reverse_proxy localhost:3001
}

With Middleware
yourdomain.com {
    # Compression
    encode gzip zstd

    # Security headers
    header {
        X-Frame-Options DENY
        X-Content-Type-Options nosniff
        Referrer-Policy strict-origin-when-cross-origin
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }

    # Basic auth for /admin
    basicauth /admin/* {
        admin $2a$14$...hashed-password...
    }

    # Reverse proxy with load balancing
    reverse_proxy /api/* {
        to localhost:8001
        to localhost:8002
        to localhost:8003
        lb_policy round_robin
        health_uri /health
        health_interval 10s
    }

    # Static files
    root * /var/www/html
    file_server
}

Self-Hosting
Docker Compose
services:
  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp" # HTTP/3
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    restart: unless-stopped
volumes:
  caddy-data:
  caddy-config:

Single Binary
# Download
curl -sS https://getcaddy.com | bash
# Run in the foreground with a Caddyfile
caddy run --config /etc/caddy/Caddyfile
# Or start it in the background (under systemd, use a unit that runs `caddy run`)
sudo caddy start --config /etc/caddy/Caddyfile

Key Features
Automatic Certificate Management
Caddy handles the entire TLS lifecycle:
1. You specify a domain name in Caddyfile
2. Caddy checks if it has a valid certificate
3. If not, it contacts Let's Encrypt (ACME protocol)
4. Obtains certificate via HTTP-01 or TLS-ALPN-01 challenge
5. Installs certificate and starts serving HTTPS
6. Renews certificate before expiration (every ~60 days)
7. Zero downtime during renewal

Also supports:
- ZeroSSL (alternative to Let's Encrypt)
- Custom CA certificates
- Self-signed certificates for development
- Wildcard certificates via DNS challenge
JSON API
Caddy can be configured entirely via REST API:
# Get current config
curl localhost:2019/config/
# Add a new site
curl -X POST localhost:2019/config/apps/http/servers/myserver \
  -H "Content-Type: application/json" \
  -d '{"listen": [":443"], "routes": [{"handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:3000"}]}]}]}'

On-Demand TLS
Automatically get certificates for any domain that connects:
{
    on_demand_tls {
        ask http://localhost:5555/check # Verify domain is allowed
    }
}

https:// {
    tls {
        on_demand
    }
    reverse_proxy localhost:8080
}

Caddy vs Alternatives
| Feature | Caddy | Nginx | Traefik | Apache |
|---|---|---|---|---|
| Auto HTTPS | Default | Certbot | Let's Encrypt | Certbot |
| Config | Caddyfile | nginx.conf | Labels/YAML | .htaccess |
| HTTP/3 | Yes | Experimental | Yes | No |
| Hot reload | Yes | Signal | Yes | Graceful |
| Single binary | Yes | Package | Yes | Package |
| Memory | ~20MB | ~5MB | ~50MB | ~30MB |
| Plugins | Go modules | C modules | Go plugins | C modules |
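
The `ask` URL in the On-Demand TLS configuration above is what stops Caddy from requesting a certificate for every hostname pointed at the server: Caddy sends a GET to that URL with `?domain=<name>` appended and issues only if the reply is 200. A minimal allowlist endpoint for `http://localhost:5555/check`, as an added example (not from the original page or the Caddy project); the allowlist entries and function names are assumptions:

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowed is a constructed allowlist (assumption); a real deployment would
// look the name up in its own tenant or customer records.
var allowed = map[string]bool{
	"app.yourdomain.com":   true,
	"customer.example.net": true,
}

// normalize lower-cases the name and drops a trailing dot so that
// "App.YourDomain.com." and "app.yourdomain.com" compare equal.
func normalize(domain string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(domain)), ".")
}

// decide returns 200 only for an exact allowlist match. Subdomains of an
// allowed name are not implied, and an empty name is refused.
func decide(domain string) int {
	if d := normalize(domain); d != "" && allowed[d] {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// askHandler (hypothetical name) answers Caddy's GET /check?domain=<name>.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status := decide(domain)
	if status != http.StatusOK {
		// %q escapes control characters in the requested name before logging.
		log.Printf("on-demand TLS refused for %q", domain)
	}
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/check", askHandler)
	// Loopback only: this endpoint is for Caddy, not for outside clients.
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil))
}
```

Refusals are logged so that a burst of unknown hostnames shows up in monitoring before it turns into ACME rate-limit exhaustion.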
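FAQ
Q: Is there a big performance gap between Caddy and Nginx? A: For most use cases the gap is negligible. Nginx has a slight edge under very high concurrency (100,000+ connections). Caddy's Go implementation performs well under moderate load, and the operational efficiency gained from automatic HTTPS and simple configuration far outweighs the performance difference.
Q: Can it be used in production? A: Absolutely. Caddy is used in production by many companies and projects. Its secure defaults (HTTPS, security headers, modern TLS) make a production deployment more secure than a manually configured Nginx + Certbot setup.
Q: How do I handle HTTPS for multiple domains? A: Just list each domain in the Caddyfile; Caddy automatically obtains a separate certificate for each. Wildcard certificates are also supported (DNS challenge required).
Sources and Credits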
- GitHub: caddyserver/caddy — 71.4K+ ⭐ | Apache-2.0
- Website: caddyserver.com