This seems too straightforward, what’s the catch?
Like how secure is it? Should I be turning it off (and disabling the port forwarding) when not using it?
Do I need any additional security? Mainly just want to use it for Jellyfin
Thanks
It just runs… Two years straight. Some more services since start of caddy… No worries.
Recently added auth with authelia… Still straight forward.
Easy setup, always online. That’s it. Period.
The documentation it’s surprisingly bad at explaining common patterns of use.
It is also a bit thicker compared to nginx or HAproxy.
Really? My experience was the opposite. I found everything I needed intheir docs rather quickly.
I guess it’s true they don’t have as many basic examples as nginx, but I’d take their lack of example over the mess an nginx config can become any day.
Totally agree.
The main problem is it’s all written as a reference – for people who already understand what/how, who need to just refresh their memory of the actual syntax.
There’s very little explanatory stuff for people who need more than that. I had to read the same stuff multiple times, traversing many (or often, the same!) links, make notes, and then form a mental picture of what is going on.
Caddy maintainer here, if you could point to specific sections you find confusing, that would help. We rarely receive actionable feedback about the docs, so it’s hard for us to make improvements.
at the moment my caddy setup is stable; I am recounting my experience from memory.
It may be useful to consider what I said in a broader perspective – i.e., what you have is an excellent reference but it does not help discovery of task-oriented solutions.
Sorry I am unable to express the problem better than that. Will keep an eye out in future if I can get more concrete and open an issue or something.
Something I encountered last week.
- wanted to test running caddy without https and without being open to the world, to turn off automatic https.
- Googled and came up with auto_https off documentation that I read.
- It did not work, http still did not work
- Googled more and landed on forum page that explained why auto_https is not working and that it needs explicitly stated
http:\\or port:80in the address. Otherwise caddy will listen by default for only https.
It was no biggie, that forum post is literally the second google result for auto_https and does good job, but you asked and I have it fresh in memory…
I found the practical use cases helpful, probably should expand that cookbook.
E.g. I’ve found this sort of construct helpful (not sure how safe using {host} here is though):
app.example.com, another.example {
reverse_proxy unix//srv/backend/{host}/server.socket
}
It is hard to understand the whole thinking behind the config system, with directives, matchers, placeholders, invisible reordering of rules, and all the other concepts. And to add to the complication, Caddyfile and API are completely distinct systems and it is not very clearly explained [that one really ought to be using Caddyfile and ignoring the API for most use cases]. And that distros do ship Caddyfile-based systemd service now (some also API-based, and perhaps with root-only control socket to add to the confusion).
I did dig into it to really understand how it works but that took a couple of weeks to digest, which is a lot for someone who only needs a simple server/proxy.
One thing that threw me in the beginning was that the docs didn’t show examples in context. As an example, if you look at the basicauth docs it shows:
basicauth /secret/* {
Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
}...
}
Where can I use this? Globally? In the top-level of the virtualhost definition? If I’m reverse proxying, do I put it inside the reverse_proxy stanza? I used Apache for years and the docs always stated what context directives could be used in, eg.
https://httpd.apache.org/docs/2.4/mod/core.html#acceptpathinfo
Caddy is very basic, and thats why it works so easily. There is nothing wrong with it.
However it lacks some features that other reverse proxies offer. But if you dont need any of those, use Caddy.
Additional security? Not directly. But fail2ban and CrowdSec are easily set up too. And Caddy also combines very well with Authelia for authentication.
I switched from Traefik to Caddy a few years ago and have no ragrets. The only complaints I have about Caddy:
- It doesn’t support configuring virtual hosts automatically via docker labelsl (like Traefik).
- Many features (like DNS auth for certs) require compiling Caddy. Which is easy but annoying.
It doesn’t support configuring virtual hosts automatically via docker labelsl (like Traefik).
Here you go: https://github.com/lucaslorentz/caddy-docker-proxy. No more extra Caddy configuration file.
If you are using Docker, check out this repository for Caddy builds with different plugins https://github.com/serfriz/caddy-custom-builds
Random question from a noobie…. Why do you use something like Traefik versus something like Cloudflare Zero Access? (Again sorry if question is dumb). I’m just a new guy to this learning as I go and after getting up zero access with a $8 domain and now being able to securely access everything via subdomains it seems confusing why apps like Traefik are still so popular? I know I’m missing something there but hoping someone points it out.
I wrote something that can setup caddy automatically from docker labels.
It’s not well documented as I mostly wrote it for myself. https://hub.docker.com/r/mheys1/docker-dynamic-caddy https://github.com/mattheys/ddc
It basically acts like a DNS server serving up SRV records that caddy can use for dynamic configuration, I added in an on_demand_tls endpoint as well so that you don’t get spammed for non existent TLS records.
Anyone know if Caddy would be a good pick for a reverse proxy on a public subnet to distribute traffic to a bunch of subdomains in low traffic settings? I figure it could be a single source for all HTTPS stuff in my stack.
Or is it really just for like single applications running through Docker? Sorry, I haven’t played with it too much.
I have not tested it, but someone did auto discovery for caddy
What is it? Is it an alternative to unraid?