This seems too straightforward, what’s the catch?
Like how secure is it? Should I be turning it off (and disabling the port forwarding) when not using it?
Do I need any additional security? Mainly just want to use it for Jellyfin
Thanks
What is it? Is it an alternative to unraid?
The documentation is surprisingly bad at explaining common patterns of use.
It is also a bit thicker compared to nginx or HAproxy.
Totally agree.
The main problem is it’s all written as a reference – for people who already understand what/how, who need to just refresh their memory of the actual syntax.
There’s very little explanatory stuff for people who need more than that. I had to read the same stuff multiple times, traversing many (or often, the same!) links, make notes, and then form a mental picture of what is going on.
Caddy maintainer here, if you could point to specific sections you find confusing, that would help. We rarely receive actionable feedback about the docs, so it’s hard for us to make improvements.
At the moment my caddy setup is stable; I am recounting my experience from memory.
It may be useful to consider what I said in a broader perspective – i.e., what you have is an excellent reference but it does not help discovery of task-oriented solutions.
Sorry I am unable to express the problem better than that. Will keep an eye out in future if I can get more concrete and open an issue or something.
😬 Well, that’s not helpful. Without specific feedback, there’s nothing we can do to improve the docs. It’s exhausting to read vague complaints about the docs, because it’s 90% of the feedback we get.
But yes, please do reach out (open a GitHub issue, comment on the forums etc) if you do notice something that doesn’t meet your expectations in the docs.
What I think they meant is more “how to achieve X or Y” focused documentation, rather than just explaining how features A or B work. The former approach explains what you should use and how to do it, the latter only documents what each variable does.
To use an analogy: I could probably build a bicycle from the individual parts based on a tutorial with that goal in mind, but not based on the individual technical descriptions of each part.
/u/xkcd__386 is that what you meant?
I understand what they meant, but it’s broad/vague, and not specific/actionable.
We do have a tutorials section in the docs, and we have the https://caddyserver.com/docs/caddyfile/patterns page which are that.
Our question is how are those lacking? Just saying “more please” doesn’t help because we don’t know what the need is. We can’t imagine every single possible usecase, because it’s actually infinite. Caddy is a “general purpose webserver” which means “it can do just about anything”.
Help us by telling us specifically what use case is important to you. We don’t have telemetry, we need users to tell us.
One thing that threw me in the beginning was that the docs didn’t show examples in context. As an example, if you look at the basicauth docs it shows:
basicauth /secret/* { Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG }... }
Where can I use this? Globally? In the top-level of the virtualhost definition? If I’m reverse proxying, do I put it inside the reverse_proxy stanza? I used Apache for years and the docs always stated what context directives could be used in, eg.
https://httpd.apache.org/docs/2.4/mod/core.html#acceptpathinfo
Something I encountered last week.
- wanted to test running caddy without https and without being open to the world, to turn off automatic https.
- Googled and came up with auto_https off documentation that I read.
- It did not work, http still did not work
- Googled more and landed on forum page that explained why auto_https is not working and that it needs explicitly stated http:\\ or port:80 in the address. Otherwise caddy will listen by default for only https.
It was no biggie, that forum post is literally the second google result for auto_https and does good job, but you asked and I have it fresh in memory…
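The situation described in the comment above, as an added example that is not part of the original thread: an HTTP-only site that listens on one local interface. The hostname, bind address and upstream port are placeholders.

```caddyfile
# Added example; jellyfin.home.arpa, 127.0.0.1 and port 8096 are placeholders.
{
	# Global option: no certificate management and no HTTP->HTTPS redirects.
	# On its own this does not change which port a site listens on.
	auto_https off
}

# The explicit http:// scheme (or a :80 port in the address) is what makes
# Caddy serve this site over plain HTTP on port 80 instead of 443.
http://jellyfin.home.arpa {
	# Listen on this interface only, so the site is not reachable from
	# other networks even if port 80 is forwarded by mistake.
	bind 127.0.0.1

	reverse_proxy 127.0.0.1:8096
}
```

A site address that is explicitly `http://` does not trigger automatic HTTPS for that site, so the global option mainly matters when other sites in the same file have plain hostnames.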
Really? My experience was the opposite. I found everything I needed in their docs rather quickly.
I guess it’s true they don’t have as many basic examples as nginx, but I’d take their lack of example over the mess an nginx config can become any day.
Maybe just cause I’m still learning this stuff but I found the docs fairly challenging to comprehend too. Now that I get the basics though, it’s pretty easy looking back
Caddy is very basic, and that’s why it works so easily. There is nothing wrong with it.
However it lacks some features that other reverse proxies offer. But if you don’t need any of those, use Caddy.
Additional security? Not directly. But fail2ban and CrowdSec are easily set up too. And Caddy also combines very well with Authelia for authentication.
I’m wondering what those features are? What are the top 2 features you use most that are missing in Caddy? I used to go to nginx by default, but I switched to Caddy recently and I’m wondering what hurdles I’m setting up for myself.
I switched from Traefik to Caddy a few years ago and have no ragrets. The only complaints I have about Caddy:
- It doesn’t support configuring virtual hosts automatically via docker labels (like Traefik).
- Many features (like DNS auth for certs) require compiling Caddy. Which is easy but annoying.
It doesn’t support configuring virtual hosts automatically via docker labels (like Traefik).
Here you go: https://github.com/lucaslorentz/caddy-docker-proxy. No more extra Caddy configuration file.
If you are using Docker, check out this repository for Caddy builds with different plugins https://github.com/serfriz/caddy-custom-builds
Anyone know if Caddy would be a good pick for a reverse proxy on a public subnet to distribute traffic to a bunch of subdomains in low traffic settings? I figure it could be a single source for all HTTPS stuff in my stack.
Or is it really just for like single applications running through Docker? Sorry, I haven’t played with it too much.
Don’t hate me but I use Apache2, why would I use Caddy?
Random question from a noobie…. Why do you use something like Traefik versus something like Cloudflare Zero Access? (Again sorry if question is dumb). I’m just a new guy to this learning as I go and after getting up zero access with a $8 domain and now being able to securely access everything via subdomains it seems confusing why apps like Traefik are still so popular? I know I’m missing something there but hoping someone points it out.
How do you compare Caddy with nginx proxy manager?
Can somebody explain in plain English what it is used for?
It sits in charge of your ports 80/443 and decides to which webserver it sends traffic. If to your jellyfin, or your nextcloud, or your uptimekuma, or your vaultwarden or your mealie or your dashboard…
Unlike others, it automatically does the HTTPS certificate for you, and its config is really clean and readable, which is nice.
Here’s how to set it up if you wanna try.
I would not directly expose Jellyfin to the Internet (including reverse proxy) because of security issues they’ve had. And no, a reverse proxy (like Caddy) doesn’t usually add much insecurity or security^.
The thing I currently do is use forward_auth w/ Authelia (from anywhere, you could also use basic_auth though the UX sucks) but bypass it for the app in private IP ranges (aka at home or in VPN):
    jellyfin.example {
        @notapp {
            not {
                header User-Agent *Jellyfin*
                client_ip private_ranges
            }
        }
        forward_auth @notapp localhost:8080 {
            uri /api/verify?rd=https://authelia.example/
        }
        reverse_proxy 192.168.1.44:8080
    }
Apps get to continue working, and I can access it from my phone without a VPN setup (because it’s annoying and I only look at metadata on my phone anyway).
You can also do a simpler config (which I used to do) where you just give an HTTP Unauthorized for anything outside of private ranges (this lets you do the HTTP challenge for a certificate while still not exposing Jellyfin to the general internet).
^You can configure more security by doing authentication in the reverse proxy so that anyone trying to attack services behind it must first authenticate with the reverse proxy, but this is not the default. Security-wise this ends up similar to forcing all access through a VPN first, if a little harder to set up.
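One way to write the simpler config mentioned in the comment above (added example, not the commenter's own file); the hostname and upstream reuse the values from their Authelia config, and the matcher name `@outside` is made up here.

```caddyfile
# Added example; @outside is a hypothetical matcher name.
jellyfin.example {
	# Matches every request whose client IP is NOT in Caddy's
	# private_ranges shortcut (192.168.0.0/16, 172.16.0.0/12,
	# 10.0.0.0/8, 127.0.0.1/8, fd00::/8, ::1).
	# client_ip is the direct peer address unless the trusted_proxies
	# server option is set; only list proxies you actually control there,
	# because a trusted proxy's forwarded headers decide the client IP.
	@outside not client_ip private_ranges

	# respond is ordered before reverse_proxy and ends the request,
	# so outside traffic never reaches Jellyfin.
	respond @outside 401

	# Only home / VPN clients get this far.
	reverse_proxy 192.168.1.44:8080
}
```

Unlike the Authelia variant, nothing here depends on the User-Agent header, which the client controls; the decision rests on the network address alone.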
Used Caddy for years and after a week of Nginx Proxy Manager I never went back to Caddy.
I would like to jump over to it. I have been struggling with Nginx and Apache and I am afraid I have made a mess of things. I am installing on an old Mac Mini with Mac OS so I don’t really have a way to isolate and remove Nginx and Apache and I have a feeling if I try Caddy I will get some interferences.
Lack of docker labels is a downer, but it’s the best reverse proxy I have used. Recently started a project to run containers with caddy