Caddy

Caddy is a modern, extensible web server written in Go that prioritizes zero‑configuration HTTPS. From a technical standpoint it serves HTTP/1.x, HTTP/2, and HTTP/3 traffic while automatically obtaining and renewing TLS certificates via the ACME protocol. The core of Caddy’s value lies in its dynamic configuration engine: a JSON‑based runtime API exposes every module, handler, and middleware as first‑class objects that can be added, removed, or reconfigured without restarting the process. This makes Caddy ideal for micro‑service architectures where routing rules, TLS settings, and custom middleware need to evolve on the fly.

Caddy’s architecture is modular. The runtime is a single Go binary that loads modules (handlers, loggers, authentication plugins) at startup. Each module implements a well‑defined interface and is registered in the global module registry; this allows developers to ship third‑party plugins as simple Go packages that can be compiled into the binary or loaded at runtime via caddy load. Internally, Caddy uses a hierarchical configuration tree that maps to the JSON schema exposed by its RESTful config API. For storage, Caddy relies on etcd or a local file when running in single‑node mode; however, the configuration can be persisted to any compatible key‑value store using a plugin. The TLS stack is built on top of Go’s crypto/tls and the CertMagic library, which abstracts certificate acquisition, renewal, and private key storage.

• On‑Demand TLS – Caddy can issue certificates for arbitrary hostnames during the TLS handshake, eliminating pre‑configuration of domain records.
• Dynamic Routing & Reverse Proxy – Supports path and host routing, load balancing (round‑robin, least connections), and sticky sessions.
• Middleware Pipeline – A declarative pipeline lets developers insert logging, authentication, rate limiting, compression, and custom handlers.
• RESTful Config API – Exposes a /config endpoint that accepts JSON patches, enabling programmatic configuration changes.
• Webhooks & External Triggers – Handlers can emit events or invoke external services via HTTP, making it easy to integrate with CI/CD pipelines or observability tools.
• Extensible Plugin System – Any Go package that implements the module interface can be built as a plugin, allowing developers to add support for new protocols (e.g., gRPC) or custom authentication mechanisms.

Caddy is designed for self‑hosting and scales horizontally without stateful dependencies. A single binary can run on Linux, macOS, Windows, or ARM platforms. For containerized deployments, the official Docker image is minimal (~30 MB) and exposes a volume for certificate storage (/root/.local/share/caddy). Kubernetes users can leverage the caddy Helm chart, which uses a ConfigMap for JSON configuration and supports ingress annotations. In large‑scale environments, Caddy can be run behind a load balancer that terminates TLS or as an edge server with HTTP/3 support, while the internal cluster communicates over plain HTTP.

The plugin ecosystem is mature: thousands of community plugins exist for authentication (OAuth2, JWT), storage backends (AWS S3, Azure Blob), monitoring (Prometheus, OpenTelemetry), and more. Because the configuration is JSON‑driven, developers can integrate Caddy into their CI/CD pipelines by generating config files from templates or by invoking the REST API during deployment. The On‑Demand TLS feature also integrates seamlessly with custom DNS providers via plugins, enabling fully automated certificate provisioning for dynamic domains.

Caddy’s documentation is organized around the two primary configuration formats: the human‑friendly Caddyfile and the machine‑readable JSON. The latter is fully typed, with extensive GoDoc references available at pkg.go.dev. Community support is robust: a dedicated forum, Slack channel, and GitHub Discussions provide quick answers. The licensing model (Apache 2.0) allows commercial use without royalties, and the project’s sponsorship program ensures continued development.

• SaaS Platforms – On‑Demand TLS lets multi‑tenant SaaS applications accept customer domains without manual certificate management.
• Edge Computing – HTTP/3 support and small binary size make Caddy a lightweight edge proxy for CDN or micro‑service gateways.
• DevOps Toolchains – The REST API and dynamic config enable automated routing rules in CI pipelines or canary deployments.
• Enterprise Intranets – Built‑in PKI support and fine‑grained access control allow Caddy to serve internal services with strict compliance requirements.

Caddy outperforms traditional servers in several dimensions: it automatically secures every site, reduces operational overhead with dynamic TLS, and offers a single binary that can be extended via Go plugins. Its modular design keeps the core lean while allowing deep customization, and its HTTP/3 support positions it ahead of legacy servers. Licensing under Apache 2.0 removes cost barriers, making Caddy a compelling choice for both open‑source projects and commercial deployments that require robust HTTPS out of the box.