Caddy is a production-ready, multi-platform web server built in Go that serves every site over HTTPS by default, eliminating manual certificate management. It’s designed for developers and DevOps teams who need secure, scalable, and reliable HTTP serving without complex configuration or external dependencies. Caddy’s modular architecture supports dynamic configuration via JSON API, config adapters for YAML/TOML/NGINX, and extensible plugins.
Built on the CertMagic library, Caddy manages TLS certificates automatically using ACME protocols, supports HTTP/3, and can coordinate certificate issuance across clusters. It runs without libc dependencies, supports on-demand TLS for SaaS multi-tenancy, and includes a fully automated internal PKI for localhost and private networks. Deployment options include standalone binaries, Docker, systemd, and custom Go builds with plugins via xcaddy.
What You Get
- Automatic HTTPS - Caddy automatically obtains and renews TLS certificates from ZeroSSL and Let’s Encrypt for all domains, including custom and wildcard domains, with no manual intervention.
- On-Demand TLS - Dynamically provisions TLS certificates during TLS handshakes for customer-owned domains, enabling scalable SaaS multi-tenancy without pre-configuration.
- Internal PKI & Local CA - Automatically generates and manages a local certificate authority for localhost, private IPs, and internal services, installing the root CA into system trust stores.
- HTTP/1.1, HTTP/2, and HTTP/3 Support - Native, default support for all modern HTTP versions with no additional configuration required.
- JSON API for Dynamic Configuration - Real-time, RESTful API to modify server configuration, reload sites, and manage certificates without restarting the server.
- Config Adapters - Convert configurations from Caddyfile, YAML, TOML, JSON5, and NGINX syntax into Caddy’s native JSON format using built-in adapters.
- Cluster Coordination - Multiple Caddy instances can share certificate storage and coordinate OCSP stapling, certificate renewal, and key management across a fleet.
- No External Dependencies - Compiled as a static binary with no need for libc, systemd, or external certificate tools like certbot.
- PCI/HIPAA/NIST Compliant Defaults - TLS settings are pre-configured to meet enterprise compliance standards without manual tuning.
- xcaddy Build Tool - Official tool to build custom Caddy binaries with plugins, version pinning, and build tags for production deployments.
Common Use Cases
- Running a SaaS platform with custom domains - A SaaS provider uses On-Demand TLS to automatically issue certificates for customer subdomains like customer1.myapp.com without pre-registering each domain.
- Securing internal microservices - A DevOps team deploys Caddy as a reverse proxy for internal services using its local CA to issue trusted TLS certificates for 192.168.x.x and localhost endpoints.
- Hosting hundreds of static sites with TLS - A hosting provider uses Caddy to serve 50,000+ static sites with automatic HTTPS, eliminating manual cert management and reducing operational overhead.
- Developing locally with HTTPS - A developer enables HTTPS on localhost and internal IPs during development using Caddy’s auto-installed CA, eliminating browser warnings and matching production TLS behavior.
Under The Hood
Architecture
- Modular design based on plugin-style modules registered via init() functions, with clear separation between core server logic and extensible components like HTTP handlers and logging filters
- Dependency injection through interface-based abstractions enables dynamic module loading without compile-time coupling
- Configuration pipeline translates diverse inputs (Caddyfile, JSON) into a unified internal schema, decoupling user syntax from internal representation
- Command-line interface built with Cobra, where subcommands are registered as first-class modules sharing a unified configuration context
- Context propagation mechanisms pass request-scoped data through middleware chains, eliminating global state dependencies
- Build system leverages Go modules and xcaddy for plugin integration, with automated cross-platform binary generation and security compliance tooling
Tech Stack
- Go (1.16+) as the foundational language, leveraging its strong typing and concurrency model for server-side performance
- Comprehensive dependency management using Go modules with vendorized dependencies and strict hygiene practices
- Static analysis tools like golangci-lint enforce security, style, and correctness through custom configurations
- Automated build and release pipelines with cross-compilation and SBOM generation for distribution integrity
- Pre-commit hooks integrate security scanning and linting to enforce standards before code enters the repository
- Embedded assets and system resources are generated via custom Go commands, including platform-specific resource files
Code Quality
- Extensive test coverage across unit, integration, and end-to-end scenarios using table-driven patterns for robust validation
- Clear separation of concerns with well-defined interfaces isolating HTTP handlers, TLS automation, and configuration adapters
- Explicit error handling and contextual validation replace exceptions, with comprehensive assertions for failure paths
- Consistent, idiomatic Go naming conventions enhance readability and predictability across the codebase
- Strong type safety enforced through structured config models and strict interface contracts between modules
- Automated linting and testing integrated into CI pipelines ensure sustained code quality and behavioral correctness
What Makes It Unique
- Statically-linked plugins enable seamless extension without runtime dependencies or external processes
- Native config adapters bridge human-readable syntax with machine-optimizable structure in a single unified system
- Deeply integrated, zero-configuration TLS automation ensures secure defaults without manual setup
- Administrative HTTP API supports live reconfiguration without service restarts, blending DevOps agility with production stability
- Extensible context system with typed keys enables safe, type-safe data flow across middleware layers, avoiding string-based lookups
- xcaddy tooling allows compile-time plugin inclusion, eliminating bloat and preserving performance-critical optimizations