How Caddy’s Automatic HTTPS Implementation Reinvents Web Servers and Boosts Security With a Simple Configuration

TL;DR: Standardizing what many consider a basic web security measure, Caddy is the first and only web server to automatically and by default deliver production websites over HTTPS. Co-Founders Matt Holt and Cory Cooper revitalized the relatively stagnant web server market with Caddy’s debut in 2015, just one day after the public beta of the Let’s Encrypt initiative. The open-source web server is free for personal use, and Caddy is available to startups and other commercial organizations at affordable, growth-friendly rates. With Caddy, site developers can enjoy a simplified setup and configuration process that maximizes implementation and infrastructure efficiency.

For many years, choosing a web server has largely been a binary decision. Apache and NGINX currently combine to power more than 85% of websites, with solutions from Microsoft, LiteSpeed, and Google trailing far behind. No major competitor has truly threatened the well-established Apache and NGINX systems, despite the foundational code and technologies tracing their roots back at least a decade.

In the years since NGINX brought about the last web server revolution, however, the amount of information — and the number of threats — on the internet has exploded. Web security has become a major component of both business and personal online presences, with HTTP/2 and SSL certificates (more appropriately named TLS certificates) rapidly gaining traction among experienced developers and first-time site owners.

Instead of turning toward the Apache or NGINX mainstays, which support TLS and HTTP/2 but leave obtaining, installing, and renewing certificates to the administrator, many forward-thinking site administrators are turning to Caddy, an emerging open-source web server that blends robust security and supreme usability.

Launched in 2015, Caddy automatically configures security settings so website data is delivered through secure connections by default. The platform, which systematically obtains and renews TLS certificates, has already been downloaded more than 1 million times and has received nearly 20,000 stars on GitHub.

“Caddy set the standard, and rose to meet the expectation, for all websites to be served over secure HTTPS connections,” said Matt Holt, who authored the project and co-founded Light Code Labs with Cory Cooper to oversee Caddy development and support. “Amazingly, several years later, it’s still the only web server to do this.”

Caddy Emerges to Disrupt the Web Server Market

Somewhat surprisingly, neither Apache nor NGINX serves HTTPS on its own. Both support TLS and HTTP/2, but only through the OpenSSL library and only after an administrator has obtained a certificate and configured it, typically with a separate ACME client such as Certbot handling renewals. OpenSSL has fallen victim to several security vulnerabilities over the years, most notably 2014’s catastrophic Heartbleed bug (CVE-2014-0160), which exposed roughly 17%, or about 500,000, of the internet’s TLS-enabled web servers.

As a college student struggling through his hardest semester, Matt wrote code as a hobby and a way to relax. After creating a workable product that replaced his need for Apache or NGINX, he brought it to the open-source community for feedback, brainstorming, and development contributions.

Images of Caddy Co-Founders with the project's logo

Through their Light Code Labs, Matt Holt (left) and Cory Cooper oversee development and support of Caddy.

The timing was auspicious, as the Let’s Encrypt certificate authority had just launched its free, automated, and open TLS encryption services. By eliminating hassles around payment, configuration, validation, and renewal, the Let’s Encrypt project aims to make secure connections to web servers the norm and significantly reduce the complexity of TLS adoption.

Caddy’s growth surged, and Matt and Cory created the business systems needed to continue development and support businesses using their web server.

“We found out that several companies were using single instances of Caddy to serve tens of thousands of sites over HTTPS, and Caddy purrs like a kitten under those conditions,” Matt said. “Now, Caddy supports the management of thousands of TLS certificates in cluster or fleet configurations, as well.”

Liberating Web Server Experiences and Serverless Environments

Caddy’s balance of user-friendly simplicity and robust security makes the web server a flexible tool with wide-ranging implementation possibilities. For example, Caddy commonly fronts web applications when used as a reverse proxy for its “automatic HTTPS magic,” as Matt put it.

Because Caddy is written in Go and compiles to a single static binary, it behaves nearly the same on every architecture and operating system, including Windows, macOS, Linux, BSD, Solaris, and Android. Its TLS stack is Go’s own crypto/tls rather than a system OpenSSL, so there are no external libraries to install or patch, and the same binary runs in containers and in serverless infrastructures such as Amazon Web Services Lambda and Netlify.

“On the surface, it makes sense: people want less infrastructure to manage,” Matt said. “But serverless services still use web servers, and someone has got to manage them. Caddy just happens to make it easier most of the time. The best HTTPS configuration is none at all.”

Caddy serves static files by default but can also serve dynamic sites through templates, proxying, FastCGI, and plugins. Its flexible and extensible functionality makes common tasks, such as integrating with PHP, deploying a website with git push, and serving URLs without file extensions, much simpler than they are with Apache or NGINX.

According to Matt, the Caddy web server platform is similarly poised to support developers and open-source communities by fighting against rigid web application services that abstract away from web servers and other lower-level software.

“Several megacorp services promote these benefits while increasing centralization and vendor lock-in,” he said. “Caddy, on the other hand, bucks this trend by offering a complete web server software solution to help detach from specific vendors and dependencies. Ultimately, using Caddy is a freeing experience, rather than a restricting one.”

The Importance of Secure and Painless HTTPS Implementation

By the end of 2018, Let’s Encrypt had helped protect more than 150 million websites, and the share of encrypted page loads had risen to 77%, up from 67% in 2017.

With search engines and web browsers continuing to penalize unsecured sites and consumers becoming increasingly aware of the need for online privacy and security, Caddy’s painless HTTPS configuration is an innovative tool in the push to protect web traffic.

Graph of Let's Encrypt TLS certificates

Caddy has helped Let’s Encrypt protect more than 150 million websites by automatically serving HTTPS traffic by default.

“It just works,” Matt said. “Caddy is the only server to automatically deliver correct HTTPS by default, without requiring any explicit configuration to enable and tune HTTPS.”

To get started, users need only create a Caddyfile, a plain-text document that configures the server, whether for HTTP, DNS, or other uses. Caddyfiles are designed to be extraordinarily intuitive and easy to type, with no scripting or inheritance.

“The Caddyfile syntax is unlike existing config file formats like JSON or YAML, in that it’s designed for easy typing,” Matt said. “There are no complex features, and whitespace is mostly unimportant, with the exception of new lines.”
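As an added illustration of that syntax (not a configuration from this article or from the Caddy project itself), here is a Caddyfile in the 1.x-era format the article describes. It covers the PHP, reverse-proxy, and extension-less URL cases mentioned above; the hostnames, paths, ports, and email address are placeholders:

```caddyfile
# Hypothetical Caddy 1.x Caddyfile for a PHP site with an API backend.
# Hostnames, paths, ports and the email address are placeholders, not
# values taken from the article.

example.com, www.example.com {
    root /var/www/example.com

    # The only TLS-related line: the Let's Encrypt account email.
    # Certificate issuance, renewal, OCSP stapling and the HTTP-to-HTTPS
    # redirect are all automatic for a public hostname like this one.
    tls ops@example.com

    gzip
    log /var/log/caddy/access.log
    errors /var/log/caddy/errors.log

    # Serve /about as /about.html so URLs need no file extension
    ext .html

    # Hand .php requests to php-fpm using the built-in php preset
    fastcgi / 127.0.0.1:9000 php

    # Reverse-proxy the API to an app server, forwarding the client's
    # Host header and IP address
    proxy /api localhost:8080 {
        transparent
    }

    # Hardening headers; -Server strips the server banner
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        -Server
    }
}
```

Start the server with `caddy -conf Caddyfile` from the directory that holds the file. Nothing in the block names a port, a certificate, a key, or a cipher suite: the server listens on 80 and 443 for the named hosts and fills in the TLS details itself, which is what the “none at all” configuration quoted earlier means in practice.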

In addition to Caddy’s growing plugin ecosystem and extensibility, the server also takes care of advanced technical processes out of the box. For instance, Matt said Caddy staples OCSP responses more correctly and robustly than other major web servers. With OCSP stapling, the server periodically fetches the certificate authority’s signed statement that its certificate has not been revoked and attaches it to the TLS handshake, so browsers do not have to contact the CA themselves to check revocation status.

“It improves not only performance and privacy for website visitors, but it also leads to greater website uptime and availability,” Matt said. “Caddy also rotates TLS session ticket keys every so often, which helps to preserve the secrecy of encrypted communications even in the event of a key compromise.”

Adding New Features and Moving Toward Version 1.0

As an open-source project, Caddy is available for free for personal use. However, the project also serves three types of business customers: Startups with five or fewer employees can use unlimited commercial licenses and host private plugins with a discounted Startup Package, while small to medium-sized businesses can choose to sponsor or purchase licenses. Caddy leaders will work with enterprise companies to create custom solutions to bring the peace of mind of added support, though Matt said the extended help is rarely needed and not as popular as they expected.

Screenshot of Caddy telemetry stats

Caddy has served more than 10 billion requests, according to the instances that enabled telemetry.

“From talking to our users, we believe this might be the case because Caddy is already easy to use,” he said. “Once you have the right configuration for the Caddyfile, there’s not much else to support. Larger clients already know what they’re doing and might have been using Caddy for a while when they decided to go official with our licensed binaries. When they do need help, a quick email exchange or a search in the community forum seem to solve everyone’s issues.”

In addition to recently launching the Caddy AMI, or Amazon Machine Image, to streamline the integration and launch of AWS instances, the Caddy team continues to forge ahead on frequent releases and updates.

Version 0.11, released in May 2018, introduced integrated telemetry that lets users check on server status and examine information about their clients’ technical demographics. Eventually, Matt said he hopes the system will provide insights and data beyond what logging or external monitoring systems typically deliver.

“We’re looking forward to moving Caddy to Version 1.0 in the near future,” he said. “It’s been a long time coming, but we believe that it has matured nicely.”

Laura Bernheim
