Skip to content

Caddy

Caddy is an open-source web server and reverse proxy written in Go, best known for automatic HTTPS — it obtains and renews TLS certificates from Let's Encrypt/ZeroSSL with zero configuration. It's the default reverse proxy for the stack-sovereignty-box because it's the simplest agent-friendly way to put real HTTPS padlocks in front of self-hosted apps.

Why it matters for self-hosting

On a box running many docker-compose services, you need one thing at the edge that: routes each subdomain to the right container, and terminates HTTPS. Caddy does both from a tiny config file (the Caddyfile) and fetches a certificate per site on first request — no manual certbot, no nginx SSL boilerplate.

Key facts

  • Written in Go, single static binary, no runtime dependencies; compiles for all major platforms.
  • Automatic HTTPS via the ACME HTTP-01 challenge — a separate cert per subdomain, issued on first visit.
  • Config via the human-friendly Caddyfile, or JSON, or a live admin API.
  • A wildcard certificate is a different, opt-in thing requiring the DNS-01 challenge and a custom build — not needed for the per-subdomain default (see caddy-http01-vs-dns01).
  • Supports HTTP/2 and HTTP/3 (QUIC on 443/udp).
  • Extensible via modules (xcaddy) for DNS providers, auth, rate limiting, etc.

On this box

Runs as container caddy on the srv-net network, config at /srv/caddy/Caddyfile, reloaded with docker exec caddy caddy reload. Every app subdomain (home., agent., tasks., …) is a small block importing a shared (security-headers) snippet. See stack-sovereignty-box.

What it replaces

Manual SSL certificate management + nginx/Apache config fiddling. Effectively free; the value is the eliminated toil and misconfiguration risk.