Caddy

Caddy is an open-source Go web server and reverse proxy that ships with automatic HTTPS, HTTP/3, and a Caddyfile config that fits a working site in three lines. We rate it 90/100 — the simplest production-grade web server in 2026 for anyone who would rather not own a Certbot cron job for the rest of their life.

What is Caddy?

Caddy was created in 2014 by Matt Holt while he was studying computer science at Brigham Young University, and the first public release shipped in early 2015. It became the first web server to enable HTTPS automatically and by default, and the project is now stewarded under the ZeroSSL umbrella with hundreds of contributors. The repo at caddyserver/caddy sits at 71,800+ stars and 4,700+ forks, is licensed Apache 2.0, and as of March 6, 2026 the latest stable is v2.11.2.

Where Nginx is a fast, mature C web server that defers TLS to Certbot and a cron job, Caddy bundles a managed CA stack on top of CertMagic: provisioning, renewal, OCSP stapling, and now Encrypted ClientHello (ECH) all happen inside the binary. The pitch is that you write four lines of Caddyfile, point a DNS record at the box, and your site is on TLS 1.3 with auto-renewing Let's Encrypt or ZeroSSL certificates before you finish your coffee.

Key Features of Caddy

• Automatic HTTPS by default: Caddy provisions, renews, and OCSP-staples TLS certificates from Let's Encrypt and ZeroSSL with zero configuration. As of v2.10 it also issues wildcard certificates by default when DNS-01 is configured, cutting cert volume on multi-tenant deployments.
• HTTP/1.1, HTTP/2, and HTTP/3 out of the box: QUIC is on by default — no extra build flags, no separate listener config.
• Caddyfile + JSON API: A two-line Caddyfile gets a site live; the JSON config and admin API let you reload zero-downtime config from a script or a control plane.
• Encrypted ClientHello (ECH): Caddy 2.10 (April 2025) was the first mainstream server to ship fully automated ECH, hiding the SNI domain in the TLS handshake.
• Post-quantum TLS: Hybrid x25519mlkem768 key exchange is enabled by default in 2.10+, giving forward secrecy against "harvest now, decrypt later" attacks.
• Single static binary, no libc dependency: One Go binary runs on Linux, macOS, Windows, BSD, and ARM — perfect for containers, edge boxes, and homelabs.
• Modular plugin architecture: 200+ community modules add things like Prometheus metrics, dynamic upstreams from Docker labels, WAF rules, image processing, and OAuth proxying.
• Cluster-aware cert storage: Multiple Caddy instances can share a Redis or DynamoDB-backed storage layer, so a fleet of nodes provisions the same cert exactly once.

What Users Say About Caddy

Caddy is the most-recommended reverse proxy on r/selfhosted and r/homelab whenever someone asks for a simpler alternative to Nginx Proxy Manager or Traefik. The most common praise: "a five-line Caddyfile is a real production config" and "I forgot TLS even existed." On Hacker News, Matt Holt regularly shows up in comment threads to answer technical questions and the response is overwhelmingly positive — the project's CII Best Practices badge is frequently cited as a maintenance signal.

The recurring criticisms in 2026 are honest. First, Caddy is measurably slower than Nginx on raw reverse-proxy throughput — community benchmarks consistently show Nginx around 48k req/s versus Caddy's 42k req/s on a 4-core box, although the gap has narrowed since 2.0 and only matters above six-figure RPS. Second, Docker auto-discovery is not built in: if you want labels-to-routes like Traefik, you need the third-party caddy-docker-proxy module. Third, logs are JSON-only by default, which trips up newcomers used to grepping Nginx access logs. Fourth, the official Docker image deliberately does not include third-party modules — you have to use xcaddy to build a custom binary, which catches first-time users off guard.

Caddy Pricing

Caddy itself is fully free and open source under Apache 2.0 — there is no paid tier, no "Enterprise Edition," and no feature is gated behind a license. The project is funded through optional corporate sponsorships that buy support, priority patches, and consulting time from the core team.

Plan	Price	What's Included
Open Source	$0/month	Full Caddy server, Apache 2.0 license, all features, all modules. No paywall, no telemetry. Community support via the Caddy forum.
Sponsor (Individual)	From $5/month	GitHub Sponsors badge, supports continued development. No additional features.
Business Sponsorship	Custom (typically $1k–$10k/month)	Direct email support, prioritized issue triage, Expert Caddy access for the team, advance notice on security patches.
Business+ / Enterprise	Custom	Custom development hours, on-call SLA, architecture consulting, contractual support agreements.

Who Should Use Caddy?

Best for: Solo developers running a side project on a $5 VPS; homelabbers who want a reverse proxy in front of a dozen self-hosted services; small SaaS teams who want HTTPS for thousands of customer subdomains via on-demand TLS; security-conscious teams who want ECH and post-quantum TLS without writing custom OpenSSL code.

Not ideal for: Hyperscale CDN edges where every microsecond of proxy latency matters and where Nginx or Envoy already have battle-tested tuning playbooks; teams with deep OpenResty/Lua investment; shops that need WAF features like ModSecurity 3 with a complete CRS rule set out of the box.

Pros and Cons

Pros:

• Truly automatic HTTPS — the killer feature that no other mainstream server matches as cleanly.
• Single static Go binary, no libc, runs anywhere from a Raspberry Pi to a 64-core Xeon.
• Modern protocol support: HTTP/3, ECH, and post-quantum TLS are on by default.
• Apache 2.0 with no "open core" trap — the same binary that powers your homelab powers Stripe, Reddit, and other big deployments.
• Caddyfile is genuinely readable; new hires can understand a routing config in five minutes.

Cons:

• Slower than Nginx on raw throughput — ~10–15% gap on reverse-proxy benchmarks at high concurrency.
• No native Docker label discovery — you need a third-party module to match Traefik's UX.
• JSON-only access logs by default; configuring a classic Apache/Combined format is an extra step.
• Plugin ecosystem is smaller than Nginx's, and adding modules requires xcaddy to rebuild the binary.

Alternatives to Caddy

• Nginx — the incumbent. Faster on raw throughput and far more module ecosystem, but TLS automation is bolted on via Certbot.
• Traefik — best-in-class for Docker and Kubernetes label-based routing, but more complex YAML and heavier resource use. See our Pangolin review for a Caddy-based alternative.
• HAProxy — the king of L4/L7 load balancing and TCP proxying, but minimal HTTP feature set and no automatic TLS.

Verdict: Is Caddy Worth It?

For 2026 greenfield projects, Caddy is the default we recommend. The 10–15% throughput gap versus Nginx only matters at scales where you already have a dedicated SRE; for everyone else, the hours saved on TLS automation, the safety of a memory-safe Go runtime, and the readability of the Caddyfile are an obvious win. We rate it 90/100 — the points it loses are for raw performance versus Nginx, the lack of native Docker discovery, and the plugin-build friction. None of those are dealbreakers for the vast majority of teams.

Frequently Asked Questions

Is Caddy free?

Yes. Caddy is fully free and open source under the Apache 2.0 license. There is no paid tier or feature paywall — the same binary runs from homelabs to Fortune 500 deployments. Optional corporate sponsorships fund the project but do not unlock features.

What platforms does Caddy support?

Caddy ships as a single static Go binary for Linux, macOS, Windows, FreeBSD, and ARM (including Raspberry Pi). It also has an official Docker image and packages in most major Linux distributions.

How does Caddy compare to Nginx?

Caddy is dramatically simpler to configure and provisions HTTPS automatically, while Nginx is roughly 10–15% faster on reverse-proxy benchmarks and has a larger third-party module ecosystem. For most teams below six-figure RPS, Caddy's ergonomics are the right trade.

Is Caddy open source?

Yes. The full source is at github.com/caddyserver/caddy under Apache 2.0. The repo has 71,800+ stars as of April 2026.

Does Caddy support HTTP/3 and post-quantum TLS?

Yes to both. HTTP/3 (QUIC) is on by default, and as of v2.10 the hybrid post-quantum key exchange x25519mlkem768 is enabled by default for TLS 1.3 connections.