Caddy (web server)


Caddy, sometimes clarified as the Caddy web server, is an open source, HTTP/2-enabled web server written in Go. It uses the Go standard library for its HTTP functionality.
One of Caddy's most notable features is enabling HTTPS by default.
The author, Matthew Holt, began developing Caddy in December 2014 and released it in April 2015. Since then it has been advanced by over two hundred other developers, adding for example support for QUIC.
Caddy supports a variety of Web technologies and is available as statically compiled binaries for Windows, Mac, Linux, Android, and BSD operating systems on i386, amd64, and ARM architectures.

Capabilities

A variety of web site technologies can be served by Caddy, which can also act as a reverse proxy and load balancer. Most of Caddy's features are implementations provided by Go's standard library, but some enhancements are available as middleware and exposed through directives in the Caddyfile.
Because Caddy uses Go's own TLS implementation rather than OpenSSL, it was not affected by a number of widely publicised TLS vulnerabilities, including Heartbleed, DROWN, POODLE, and BEAST. In addition, Caddy uses TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
On June 2, 2015, version 0.7.1 was released to patch a vulnerability to timing attacks in Caddy's basic authentication middleware: credentials were compared with a comparison that returns as soon as the first byte differs, so the response time leaked how much of a guessed password was correct.
With regards to protocols and cipher suites, Caddy uses TLS 1.0-1.2 and prefers ECDHE-ECDSA with AES-256-GCM and SHA-384 (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), although a dozen different cipher suites are supported. Caddy has also been used by Cloudflare as a platform to serve an experimental TLS 1.3 implementation.
Traditional privilege de-escalation as performed in C programs (binding ports 80 and 443 as root, then calling setuid to drop to an unprivileged user) is non-trivial or not possible in Go programs: on Linux setuid applies per thread and the Go runtime is multi-threaded, so historically Go did not support it at all. The usual alternatives are to grant the binary the CAP_NET_BIND_SERVICE capability or to use socket activation so that the server never runs as root.
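The following is an added example, not Caddy's own code, showing the class of bug the 0.7.1 patch addressed: a basic-auth check built on Go's `==` operator beside a constant-time version using `crypto/subtle`. The `basicAuth` type, the handler names and the single hard-coded user are assumptions for illustration; a real deployment would store a salted password hash rather than the cleartext password.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// basicAuth is a hypothetical single-user credential store for this example.
type basicAuth struct {
	user string
	pass string
}

// vulnerableCheck uses the == operator, which stops at the first mismatching byte.
// An attacker who can measure response time can therefore recover the password
// one byte at a time. This is the pattern the constant-time version replaces.
func vulnerableCheck(a basicAuth, user, pass string) bool {
	return user == a.user && pass == a.pass
}

// constantTimeCheck hashes both submitted and expected values to equal-length
// digests and compares them with crypto/subtle, so the time taken does not
// depend on where the first difference is or on the length of the input.
func constantTimeCheck(a basicAuth, user, pass string) bool {
	uh := sha256.Sum256([]byte(user))
	eu := sha256.Sum256([]byte(a.user))
	ph := sha256.Sum256([]byte(pass))
	ep := sha256.Sum256([]byte(a.pass))
	// Both comparisons run unconditionally and are combined with bitwise AND,
	// not &&, so a wrong username does not short-circuit the password check.
	return subtle.ConstantTimeCompare(uh[:], eu[:])&subtle.ConstantTimeCompare(ph[:], ep[:]) == 1
}

// parseBasicAuth decodes an "Authorization: Basic <base64(user:pass)>" header value.
// (net/http's Request.BasicAuth does the same; it is spelled out here for clarity.)
func parseBasicAuth(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", "", false
	}
	u, p, found := strings.Cut(string(raw), ":")
	if !found {
		return "", "", false
	}
	return u, p, true
}

// middleware wraps a handler with the constant-time check and answers 401 otherwise.
func middleware(a basicAuth, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := parseBasicAuth(r.Header.Get("Authorization"))
		if !ok || !constantTimeCheck(a, u, p) {
			w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	creds := basicAuth{user: "alice", pass: "s3cret"}
	protected := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello,", creds.user)
	})
	http.Handle("/", middleware(creds, protected))
	fmt.Println("listening on :8080 (try: curl -u alice:s3cret http://localhost:8080/)")
	_ = http.ListenAndServe(":8080", nil)
}
```

Hashing both sides before comparing is what makes the comparison length-independent; `subtle.ConstantTimeCompare` alone returns early when the two slices differ in length, which would leak the password length.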

Automatic HTTPS

Caddy activates HTTPS by default for sites with qualifying domain names, and redirects HTTP requests to HTTPS. It obtains certificates as needed during startup and keeps them renewed during the lifetime of the server. Let's Encrypt is the default certificate authority, but the user may customize the ACME CA that is used, which is often necessary when testing configurations. As of Q1 2016, Caddy accounted for about 2% of certificates issued by Let's Encrypt.
An alternate configuration allows Caddy to obtain certificates only as needed during TLS handshakes rather than at startup, a feature dubbed "On-Demand TLS." To enable this feature, the user must specify a maximum number of certificates that can be issued this way; the cap exists because anyone who points a DNS name at the server can otherwise trigger issuance for that name and exhaust the CA's rate limits. When Caddy receives a request for a hostname for which it does not yet have a certificate, it will negotiate a new certificate via ACME and serve it immediately, while caching the obtained certificate in memory and storing it on disk. This process usually takes a few seconds, and is subject to the CA's tight rate limits.
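As an added example (not Caddy's implementation), the following shows the shape of on-demand issuance in terms of Go's `tls.Config.GetCertificate` callback: a per-hostname cache, a hard cap on the number of certificates issued, and an allow-check consulted before issuing. The `onDemand` type, its names and the `allowed` policy are assumptions for illustration, and `selfSignedIssuer` stands in for an ACME client so that the example runs offline; a real server would call an ACME library there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"sync"
	"time"
)

// onDemand issues certificates lazily during TLS handshakes. The two controls
// that matter for abuse resistance are the issuance cap and the allow-check:
// without them, any hostname pointed at this server costs a CA issuance.
type onDemand struct {
	mu       sync.Mutex
	cache    map[string]*tls.Certificate
	issued   int
	maxCerts int
	allowed  func(host string) bool
	issue    func(host string) (*tls.Certificate, error)
}

var (
	errCapReached = errors.New("on-demand certificate cap reached")
	errNotAllowed = errors.New("hostname not permitted for on-demand issuance")
	errNoSNI      = errors.New("no SNI in ClientHello")
)

func newOnDemand(max int, allowed func(string) bool, issue func(string) (*tls.Certificate, error)) *onDemand {
	return &onDemand{cache: make(map[string]*tls.Certificate), maxCerts: max, allowed: allowed, issue: issue}
}

// getCertificate is the tls.Config.GetCertificate callback. Order matters:
// cache hits are served without consulting policy, the policy is checked
// before the cap so disallowed names never consume quota.
func (o *onDemand) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := hello.ServerName
	if host == "" {
		return nil, errNoSNI
	}
	o.mu.Lock()
	defer o.mu.Unlock()
	if c, ok := o.cache[host]; ok {
		return c, nil
	}
	if !o.allowed(host) {
		return nil, errNotAllowed
	}
	if o.issued >= o.maxCerts {
		return nil, errCapReached
	}
	c, err := o.issue(host)
	if err != nil {
		return nil, err
	}
	o.issued++
	o.cache[host] = c
	return c, nil
}

// selfSignedIssuer is a constructed stand-in for ACME issuance so the example
// runs offline; it mints a 24-hour P-256 self-signed leaf for the hostname.
func selfSignedIssuer(host string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serverConfig wires the callback into a tls.Config usable with tls.Listen.
func serverConfig(o *onDemand) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: o.getCertificate}
}
```

This example holds one mutex across issuance, which serialises every handshake behind a multi-second ACME round trip; a production implementation locks per hostname and persists the cache to disk, as the text describes Caddy doing.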
When serving TLS, Caddy will automatically rotate session ticket keys periodically to help preserve forward secrecy: a session ticket is encrypted under a server-held key, so as long as that key lives, anyone who obtains it can decrypt the tickets and thus the sessions it protected.
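As an added example (not Caddy's code), this is the rotation mechanism expressed against Go's `tls.Config.SetSessionTicketKeys`: a bounded window of keys where the newest encrypts new tickets and the older ones remain valid only for decryption, so a ticket outlives its key by at most the window length. The `ticketRotator` type, its method names and the rotation interval are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"sync"
	"time"
)

// ticketRotator keeps the last `keep` session ticket keys. Index 0 is the
// current key used to mint tickets; the rest only decrypt tickets issued
// earlier. Dropping the oldest key bounds how long a stolen key can expose
// past sessions, which is the forward-secrecy property rotation restores.
type ticketRotator struct {
	mu   sync.Mutex
	keys [][32]byte
	keep int
}

// newTicketRotator generates the first key immediately so the server never
// starts with an empty key set (SetSessionTicketKeys panics on empty input).
func newTicketRotator(keep int) (*ticketRotator, error) {
	r := &ticketRotator{keep: keep}
	if err := r.rotate(); err != nil {
		return nil, err
	}
	return r, nil
}

// rotate prepends a fresh random key and trims the window to `keep` entries.
func (r *ticketRotator) rotate() error {
	var k [32]byte
	if _, err := rand.Read(k[:]); err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.keys = append([][32]byte{k}, r.keys...)
	if len(r.keys) > r.keep {
		r.keys = r.keys[:r.keep]
	}
	return nil
}

// current returns a copy of the key window, newest first.
func (r *ticketRotator) current() [][32]byte {
	r.mu.Lock()
	defer r.mu.Unlock()
	out := make([][32]byte, len(r.keys))
	copy(out, r.keys)
	return out
}

// apply installs the window into a tls.Config. Go documents this call as safe
// while the server is running, which is what makes live rotation possible.
func (r *ticketRotator) apply(cfg *tls.Config) {
	cfg.SetSessionTicketKeys(r.current())
}

// run rotates every `interval` until `stop` is closed, re-applying each time.
func (r *ticketRotator) run(cfg *tls.Config, interval time.Duration, stop <-chan struct{}) {
	r.apply(cfg)
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-t.C:
			if err := r.rotate(); err == nil {
				r.apply(cfg)
			}
		case <-stop:
			return
		}
	}
}
```

Two caveats a practitioner should keep in mind: calling `SetSessionTicketKeys` turns off Go's own automatic ticket key rotation, so once you manage keys yourself you own the schedule; and in a multi-instance deployment every instance must rotate to the same keys at the same time, or resumption silently fails across instances.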

Telemetry (v1)

Starting with version 0.11, Caddy has telemetry. This is opt-in when downloading Caddy from the official website, and opt-out when building from source.
Caddy v2 has no telemetry.

Influence

CoreDNS

Miek Gieben, the original developer of CoreDNS, created it from a fork of the Caddy web server to leverage Caddy's simple configuration syntax, plug-in architecture and use of the Go language.