Matthew Kilgore

My personal site

Why I Use Caddy

Simplicity

Caddy is by far one of the easiest web servers I have ever used: the syntax is easy to understand and the config itself is small. For example, the following config is the exact one used to run this website.

kilgore.dev, www.kilgore.dev {
        realip cloudflare
        push
        root /var/www/kilgore.dev
        gzip
        fastcgi / /run/php/php7.2-fpm.sock php
        rewrite {
                if {path} not_match ^\/wp-admin
                to {path} {path}/ /index.php?{query}
        }

        cache {
                match_path /wp-content
                status_header X-Cache-Status
                default_max_age 30m
        }

        log /var/log/caddy/kilgore.log {
                rotate_size 25
                rotate_age 7
                rotate_keep 4
                rotate_compress
        }
        tls {
                dns cloudflare
        }
}

As you can see, it’s really easy to read, view and edit. Even better, it is super powerful with so little syntax. Some highlights: the second line alone converts the Cloudflare “Real-IP” header into something usable by web applications. The third line automatically enables HTTP/2 server push, so long as the web application sends the right headers. Adding the gzip directive automatically enables compression for all of the major formats. Further down, in the TLS block, we see the “dns cloudflare” directive. It uses some environment variables I set for the caddy service and automatically performs the correct ACME authentication steps to enable HTTPS on my site.
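To show what the "realip cloudflare" line is doing for the application, here is an added example (not Caddy's own realip plugin code) of the same idea as a small Go middleware: the CF-Connecting-IP header is only honoured when the TCP peer is inside a trusted proxy range, so a client connecting directly cannot forge its address. The two CIDR ranges are constructed placeholders, not Cloudflare's real list.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies holds the networks whose forwarded-IP header we believe.
// Constructed example ranges; a real deployment loads the proxy's published list.
var trustedProxies []*net.IPNet

func init() {
	for _, cidr := range []string{"203.0.113.0/24", "2001:db8::/32"} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		trustedProxies = append(trustedProxies, n)
	}
}

// ClientIP returns the address the application should treat as the client.
// The header value is used only if the peer is a trusted proxy and the value
// parses as an IP; in every other case the TCP peer address is returned.
func ClientIP(remoteAddr, cfConnectingIP string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return host
	}
	for _, n := range trustedProxies {
		if n.Contains(peer) {
			if ip := net.ParseIP(strings.TrimSpace(cfConnectingIP)); ip != nil {
				return ip.String()
			}
			break
		}
	}
	return peer.String()
}

// RealIP rewrites r.RemoteAddr so handlers behind it see the resolved client IP.
func RealIP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, port, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			port = "0"
		}
		r.RemoteAddr = net.JoinHostPort(ClientIP(r.RemoteAddr, r.Header.Get("CF-Connecting-IP")), port)
		next.ServeHTTP(w, r)
	})
}

func main() {
	h := RealIP(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "client %s\n", r.RemoteAddr)
	}))
	http.ListenAndServe("127.0.0.1:8080", h)
}
```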

Speed

Caddy is possibly the fastest web server I’ve ever used. Part of this is likely because it’s written in Go and has a very small code base. Even better, it relies almost entirely on native Go libraries and does not require third-party libraries like OpenSSL. This massive speed improvement is also tied to the fact that the entire binary is a single file (reducing IOPS) and that the binary only includes the plugins I explicitly enabled.

Security

The security in Caddy far exceeds anything else I’ve seen on the market so far. First, it’s not vulnerable to attacks such as POODLE, Heartbleed, DROWN or BEAST because it does not use OpenSSL as the underlying encryption library. Further, Caddy by default enables HTTPS with HTTP-to-HTTPS redirects. That HTTPS connection uses secure protocols by default and does not require any form of tinkering.