Caddy – The Ultimate Server with Automatic HTTPS

Great things are easy to get used to.  When something works the way you want it, and does so for a long a time, it is inevitable that one day you’ll stop thinking about it altogether and accept it as a given.

Apache was a great web server, until Nginx came along.  All of a sudden, it became obvious how much faster things could be, and how much simpler the configuration file is possible.

For the last few years, Nginx was working great for me.  And now that I came across Caddy, I realized that life can be a lot simpler.

Caddy web server

Here’s a bit to get you started:

Caddy simplifies your infrastructure. It takes care of TLS certificate renewals, OCSP stapling, static file serving, reverse proxying, Kubernetes ingress, and more.

Its modular architecture means you can do more with a single, static binary that compiles for any platform.

Caddy runs great in containers because it has no dependencies—not even libc. Run Caddy practically anywhere.

Seriously? We now have a web server which handles HTTPS with automatically renewed certificates (yes, Let’s Encrypt) out of the box… Mind-blowing.  I guess, 21st century is indeed here now.

What else is there?  Well, let’s see:

  • Configurable via RESTful JSON API. OMG!  No more trickery with include files, syntax checking and restarts.  In fact, configuration files are completely optional, and even if you choose to use them, they just use the same API under the hood.  Bonus point: you can export full configuration of a running server into a file via a simple API call.
  • Extensible.  Yes, that’s right!  “Caddy can embed any Go application as a plugin, and has first-class support for plugins of plugins.”  Check out their forum for plugin-related discussions, or simply search GitHub for Caddy.
  • Supports HTTP/1.1, HTTP/2, and even HTTP/3 (ETF-standard-draft version of QUIC), WebSocket, and FastCGI.
  • … and a lot more.

Wow!  It’s definitely worth checking out.  While Nginx is not going to disappear (much like Apache being still around), Caddy might be a better option for your next project.

How HTTPS Works in 10 Minutes

How HTTPS Works in 10 Minutes” is a simple, high-level overview of how HTTPS works. It doesn’t dive into too much detail or heavy math. But it does cover the main stages of how the connection is established, verified, and encrypted. These are the stages that are covered:

  1. You go to an HTTPS website via your browser
  2. The Client says “Hello”
  3. The Server says “Hello”
  4. The Client makes sure the SSL certificate is legitimate
  5. The Client gets the public key from the SSL certificate
  6. The Client uses the public key to make more random bytes
  7. The Client and Server make session keys
  8. The Client and Server compare session keys
  9. If the session keys match, game on

Welcome to HTTPS

Finally, after years and years of recommending Let’s Encrypt to everyone, this blog has now followed its own advice and moved to HTTPS. All the old links should be automatically redirected as well, so most people probably won’t notice any difference. But if you do, please do let me know.

htrace.sh – HTTP/HTTPS troubleshooting and profiling tool

htrace.sh is a handy command-line tool for HTTP/HTTPS troubleshooting and profiling. It also integrates with a number of other security tools, like nmap, SSL Labs, subfinder, etc.

The Illustrated TLS Connection


The Illustrated TLS Connection” is an interactive guide to the TLS connection, explaining every byte with code, comments, annotations, and more.  If you ever wanted to know the details of how this works, I can’t think of a better resource to direct you to.  And if you find any issues or can suggest a better explanation, there’s a GitHub repository for you to contribute.