Caddy vs. Nginx

dbeato

I haven't as I use Apache (Or httpd on CentOS) and NGnix.

VoIP_n00b

Caddy v2 is now out. I just set it up, and I'm quite impressed.

I love how simple the configuration is when using a Cabbyfile:

cloud.domain.net {
reverse_proxy 192.168.20.103
}

sub.domain.com {
reverse_proxy 192.168.20.105
}

It's nice to only have 1 configuration file compared to the 30 some odd I had with nginx. Plus, it does HTTPS via Let's Encrypt automatically.

marcinozga

Caddy is really nice, and usually my choice for reverse proxy, except docker deployments. Here Traefik shines, you just can't beat auto discovery and configuration.

stacksofplates

@marcinozga said in Caddy vs. Nginx:

Caddy is really nice, and usually my choice for reverse proxy, except docker deployments. Here Traefik shines, you just can't beat auto discovery and configuration.

The file provider for Traefik makes even non container deployments easy.

scottalanmiller

@VoIP_n00b said in Caddy vs. Nginx:

It's nice to only have 1 configuration file compared to the 30 some odd I had with nginx. Plus, it does HTTPS via Let's Encrypt automatically.

Caddy definitely makes config easier. But to be fair, the use of multiple files for nginx is purely a convention and has nothing to do with the system itself. Both Nginx and Caddy will support single or multiple files. Just one's ecosystem encourages one way, and the other encourages another. It's always up to you in the end.

JaredBusch

@scottalanmiller said in Caddy vs. Nginx:

@VoIP_n00b said in Caddy vs. Nginx:

It's nice to only have 1 configuration file compared to the 30 some odd I had with nginx. Plus, it does HTTPS via Let's Encrypt automatically.

Caddy definitely makes config easier. But to be fair, the use of multiple files for nginx is purely a convention and has nothing to do with the system itself. Both Nginx and Caddy will support single or multiple files. Just one's ecosystem encourages one way, and the other encourages another. It's always up to you in the end.

Right, just because you did it one way does not mean that it was the only way.

JaredBusch

@VoIP_n00b said in Caddy vs. Nginx:

Plus, it does HTTPS via Let's Encrypt automatically.

That would be fucking horrible. I rarely want LE on anything I am using with a reverse proxy. Most of that should be on a Cloudflare origin certificate.

JaredBusch

@VoIP_n00b said in Caddy vs. Nginx:

I love how simple the configuration is when using a Cabbyfile:

Assumptions by my software stack suck ass. Yes, I want various security headers set, etc.

I make a generic config file for that with Nginx that gets included in all the site specific config sections. For most, it needs nothing else. But still, they are my settings.

JaredBusch

@scottalanmiller said in Caddy vs. Nginx:

the use of multiple files for nginx is purely a convention

Specific to my guides which I know he followed...

I stated in those that I do it on purpose. I do not like to have one large config file to edit for everything.

Instead I prefer to edit a single small file per site. So if the damned thing does not start, I know which file to quickly remove, restart the service so everything else is not down, and then redo WTF ever I screwed up.

Can you do the same/similar with a single file? Sure. Just have to keep copies, etc. Simply a different process.

scottalanmiller

@JaredBusch said in Caddy vs. Nginx:

I stated in those that I do it on purpose. I do not like to have one large config file to edit for everything.

I agree, I prefer the conventional way. It was done that way for a reason, to make it easier for admins to work on the system. It makes it easier for tools like Ansible, too. Or easier for the person setting up Ansible, I should say.

JaredBusch

@scottalanmiller said in Caddy vs. Nginx:

@JaredBusch said in Caddy vs. Nginx:

I stated in those that I do it on purpose. I do not like to have one large config file to edit for everything.

I agree, I prefer the conventional way. It was done that way for a reason, to make it easier for admins to work on the system. It makes it easier for tools like Ansible, too. Or easier for the person setting up Ansible, I should say.

Right, because I do not use a reverse proxy for a single system anywhere. If I need a RP, that is because I have multiple systems behind it.

I mean sure there can be an exception where I use it for a single system. Like the demo NodeBB setup I have for our company. It is on a Vultr Instance with Nginx on the same instance for that specific app. But it still uses a Cloudflare Origin Cert.

scottalanmiller

@JaredBusch said in Caddy vs. Nginx:

Right, because I do not use a reverse proxy for a single system anywhere. If I need a RP, that is because I have multiple systems behind it.

I actually do that a bit, mostly just for standardization so I know to look for nginx or whatever proxy for certain functions and don't have to worry if it's a single use or multi-use system.

VoIP_n00b

@JaredBusch said in Caddy vs. Nginx:

Yes, I want various security headers set, etc.

Caddy gets an A out of the box on ssllabs.com

IRJ

@JaredBusch said in Caddy vs. Nginx:

You have to compile yourself if you want to use commercially.

This is not something I will ever want to use because of that.

Yeah that's kinda lame, but not a deal breaker. Nginx has to be compiled for more advanced use cases like WAF or certain HAProxy features.

It's a bit of a bitch, but once you script it. It isn't too bad to do upgrades going forward.

scottalanmiller

@VoIP_n00b said in Caddy vs. Nginx:

@JaredBusch said in Caddy vs. Nginx:

Yes, I want various security headers set, etc.

Caddy gets an A out of the box on ssllabs.com

But they wouldn't see it, right? Because you'd still have CloudFlare in front of it. So while it gets an A, what does that matter?

scottalanmiller

@VoIP_n00b said in Caddy vs. Nginx:

@JaredBusch said in Caddy vs. Nginx:

Yes, I want various security headers set, etc.

Caddy gets an A out of the box on ssllabs.com

They are owned by them, so that's pretty sus.

scottalanmiller

@IRJ said in Caddy vs. Nginx:

@JaredBusch said in Caddy vs. Nginx:

You have to compile yourself if you want to use commercially.

This is not something I will ever want to use because of that.

Yeah that's kinda lame, but not a deal breaker. Nginx has to be compiled for more advanced use cases like WAF or certain HAProxy features.

It's a bit of a bitch, but once you script it. It isn't too bad to do upgrades going forward.

A distro, or someone you know, can make open releases of it, though. It's Apache 2 license, so they can't make binaries personal only. They can make their own download personal only, I guess, but you could make an identical binary that is commercial. On the weird world of licensing. Really just makes them asshats if they really do that.

VoIP_n00b

@scottalanmiller said in Caddy vs. Nginx:

@VoIP_n00b said in Caddy vs. Nginx:

@JaredBusch said in Caddy vs. Nginx:

Yes, I want various security headers set, etc.

Caddy gets an A out of the box on ssllabs.com

They are owned by them, so that's pretty sus.

About Qualys

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions with over 9,300 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The Qualys Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit www.qualys.com.

They are no NTG, I'll give you that.

VoIP_n00b

@scottalanmiller said in Caddy vs. Nginx:

But they wouldn't see it, right? Because you'd still have CloudFlare in front of it. So while it gets an A, what does that matter?

I'm not using CF as a reserve proxy or origin certificates.

scottalanmiller

@VoIP_n00b said in Caddy vs. Nginx:

@scottalanmiller said in Caddy vs. Nginx:

But they wouldn't see it, right? Because you'd still have CloudFlare in front of it. So while it gets an A, what does that matter?

I'm not using CF as a reserve proxy or origin certificates.

Why? It adds a lot of performance and security. Regardless, whoever you use as your RP should be handling this.