Configs · Apr 10, 2026 · 3 min read

Caddy — Fast Web Server with Automatic HTTPS

Caddy is a modern web server with automatic HTTPS by default. Zero-config TLS certificates, reverse proxy, file server, and load balancer — all in a single binary.

Introduction

Caddy is a powerful, extensible web server written in Go that features automatic HTTPS by default. Unlike traditional web servers that require manual certificate management, Caddy automatically obtains and renews TLS certificates from Let's Encrypt — making HTTPS deployment completely hands-free.

With 71.4K+ GitHub stars and an Apache-2.0 license, Caddy is the most popular modern web server, known for its simplicity, security-by-default philosophy, and the elegant Caddyfile configuration format.

What Caddy Does

  • Automatic HTTPS: Obtains, renews, and manages TLS certificates automatically — zero config
  • Reverse Proxy: Forward requests to backend services with load balancing and health checks
  • File Server: Serve static files with directory listing, compression, and caching
  • HTTP/3: Native QUIC/HTTP/3 support for faster connections
  • Virtual Hosts: Host multiple sites on one server with per-site configuration
  • API Configuration: RESTful API for dynamic config changes without restart
  • Extensible: Plugin system for custom modules (auth, caching, WAF, etc.)

Caddyfile Examples

Simple Static Site

yourdomain.com {
    root * /var/www/html
    file_server
}

That's it. Caddy automatically:

  • Gets a TLS certificate from Let's Encrypt
  • Redirects HTTP to HTTPS
  • Serves files from /var/www/html
  • Handles certificate renewal

Reverse Proxy

app.yourdomain.com {
    reverse_proxy localhost:3000
}

api.yourdomain.com {
    reverse_proxy localhost:8080
}

grafana.yourdomain.com {
    reverse_proxy localhost:3001
}

With Middleware

yourdomain.com {
    # Compression
    encode gzip zstd

    # Security headers
    header {
        X-Frame-Options DENY
        X-Content-Type-Options nosniff
        Referrer-Policy strict-origin-when-cross-origin
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }

    # Basic auth for /admin
    basicauth /admin/* {
        admin $2a$14$...hashed-password...
    }

    # Reverse proxy with load balancing
    reverse_proxy /api/* {
        to localhost:8001
        to localhost:8002
        to localhost:8003
        lb_policy round_robin
        health_uri /health
        health_interval 10s
    }

    # Static files
    root * /var/www/html
    file_server
}

Self-Hosting

Docker Compose

services:
  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"  # HTTP/3
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    restart: unless-stopped

volumes:
  caddy-data:
  caddy-config:

Single Binary

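# Download (this pipes a remote install script straight into bash;
# to review it first, save it to a file, read it, then run it)
curl -sS https://getcaddy.com | bash

# Run in the foreground with a Caddyfile
caddy run --config /etc/caddy/Caddyfile

# Or start in the background (caddy start detaches from the terminal;
# it does not install a systemd unit)
sudo caddy start --config /etc/caddy/Caddyfile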

Key Features

Automatic Certificate Management

Caddy handles the entire TLS lifecycle:

1. You specify a domain name in the Caddyfile
2. Caddy checks if it has a valid certificate
3. If not, it contacts Let's Encrypt (ACME protocol)
4. Obtains certificate via HTTP-01 or TLS-ALPN-01 challenge
5. Installs certificate and starts serving HTTPS
6. Renews certificate before expiration (every ~60 days)
7. Zero downtime during renewal

Also supports:

  • ZeroSSL (alternative to Let's Encrypt)
  • Custom CA certificates
  • Self-signed certificates for development
  • Wildcard certificates via DNS challenge

JSON API

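Caddy can be configured entirely via its REST admin API, which listens on localhost:2019 by default. The default endpoint requires no credentials, so keep it bound to loopback: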

# Get current config
curl localhost:2019/config/

# Add a new site (each continued line needs a trailing backslash)
curl -X POST localhost:2019/config/apps/http/servers/myserver \
  -H "Content-Type: application/json" \
  -d '{"listen": [":443"], "routes": [{"handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:3000"}]}]}]}'

On-Demand TLS

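Obtain certificates at handshake time for any domain that connects. The `ask` endpoint decides which domain names Caddy is allowed to request a certificate for: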

{
    on_demand_tls {
        ask http://localhost:5555/check  # Verify domain is allowed
    }
}

https:// {
    tls {
        on_demand
    }
    reverse_proxy localhost:8080
}
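
An added example (not code from the original page or the Caddy project): a minimal Go service for the `ask` URL in the configuration above. Caddy queries it with `?domain=<name>` and requests a certificate only on a 2xx reply; the allowlist entries and function names here are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// allowedDomains is a constructed allowlist; in practice load it from the
// store that records which customer domains you actually serve.
var allowedDomains = map[string]bool{
	"app.yourdomain.com":    true,
	"customer1.example.com": true,
}

// normalizeDomain lower-cases the name and strips surrounding space and a
// trailing dot, so "App.YourDomain.com." matches "app.yourdomain.com".
func normalizeDomain(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// domainAllowed is an exact-match lookup: no wildcard or suffix matching,
// so a subdomain of an allowed name is not itself allowed.
func domainAllowed(name string) bool {
	n := normalizeDomain(name)
	return n != "" && allowedDomains[n]
}

// askStatus returns the HTTP status for an ask request: 200 permits
// issuance, any non-2xx status makes Caddy refuse the handshake.
func askStatus(method, domain string) int {
	if method != http.MethodGet {
		return http.StatusMethodNotAllowed
	}
	if !domainAllowed(domain) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func askHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(askStatus(r.Method, r.URL.Query().Get("domain")))
}

func main() {
	http.HandleFunc("/check", askHandler)
	// Loopback only, matching ask http://localhost:5555/check above.
	fmt.Println(http.ListenAndServe("127.0.0.1:5555", nil))
}
```

Without a restrictive `ask` check, any hostname pointed at the server triggers a certificate request, which exhausts CA rate limits and fills certificate storage.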

Caddy vs Alternatives

| Feature | Caddy | Nginx | Traefik | Apache |
|---|---|---|---|---|
| Auto HTTPS | Default | Certbot | Let's Encrypt | Certbot |
| Config | Caddyfile | nginx.conf | Labels/YAML | .htaccess |
| HTTP/3 | Yes | Experimental | Yes | No |
| Hot reload | Yes | Signal | Yes | Graceful |
| Single binary | Yes | Package | Yes | Package |
| Memory | ~20MB | ~5MB | ~50MB | ~30MB |
| Plugins | Go modules | C modules | Go plugins | C modules |

FAQ

Q: Is there a big performance gap between Caddy and Nginx?
A: For most use cases, the difference is negligible. Nginx has a slight edge under very high concurrency (100K+ connections). Caddy's Go implementation performs well at moderate load, and the operational savings from automatic HTTPS and simpler configuration usually outweigh any performance delta.

Q: Is it production-ready?
A: Absolutely. Caddy is used in production by many companies and projects. Its secure defaults (HTTPS, security headers, modern TLS) make production deployment safer than hand-configuring Nginx + Certbot.

Q: How do I handle HTTPS for multiple domains?
A: List each domain in your Caddyfile — Caddy automatically obtains a separate certificate per domain. Wildcard certificates are also supported (requires DNS challenge).
