Caddy¶
Caddy is an open-source web server and reverse proxy written in Go, best known for automatic HTTPS — it obtains and renews TLS certificates from Let's Encrypt/ZeroSSL with zero configuration. It's the default reverse proxy for the stack-sovereignty-box because it's the simplest agent-friendly way to put real HTTPS padlocks in front of self-hosted apps.
Why it matters for self-hosting¶
On a box running many docker-compose services, you need one thing at the edge that: routes
each subdomain to the right container, and terminates HTTPS. Caddy does both from a tiny
config file (the Caddyfile) and fetches a certificate per site on first request — no
manual certbot, no nginx SSL boilerplate.
Key facts¶
- Written in Go, single static binary, no runtime dependencies; compiles for all major platforms.
- Automatic HTTPS via the ACME HTTP-01 challenge — a separate cert per subdomain, issued on first visit.
- Config via the human-friendly Caddyfile, or JSON, or a live admin API.
- A wildcard certificate is a different, opt-in thing requiring the DNS-01 challenge and a custom build — not needed for the per-subdomain default (see caddy-http01-vs-dns01).
- Supports HTTP/2 and HTTP/3 (QUIC on 443/udp).
- Extensible via modules (
xcaddy) for DNS providers, auth, rate limiting, etc.
On this box¶
Runs as container caddy on the srv-net network, config at /srv/caddy/Caddyfile, reloaded
with docker exec caddy caddy reload. Every app subdomain (home., agent., tasks., …)
is a small block importing a shared (security-headers) snippet. See stack-sovereignty-box.
What it replaces¶
Manual SSL certificate management + nginx/Apache config fiddling. Effectively free; the value is the eliminated toil and misconfiguration risk.
Related¶
- docker-compose — Caddy fronts every compose service
- tailscale — the private-access complement to Caddy's public HTTPS
- caddy-http01-vs-dns01 — the certificate-challenge decision