Caddy vs. Nginx
-
I would consider the web server which you have the most experience are usually going to be the most secure.
Security depends on all of the layers, not just the web server. If you pick one with very few vulnerabilities, but don't understand how to configure it, you will most likely not understand how to configure it securely.
-
I have been looking at Caddy as well recently.
It's reserve proxy setup is very easy.
-
@aaronstuder I haven't yet had time to set anything up for testing using Caddy. Have you?
-
@nashbrydges Not yet!
-
This is open source, but the official binaries are only free for personal use.
You have to compile yourself if you want to use commercially.
This is not something I will ever want to use because of that.
-
I haven't as I use Apache (Or httpd on CentOS) and NGnix.
-
Caddy v2 is now out. I just set it up, and I'm quite impressed.
I love how simple the configuration is when using a Cabbyfile:
cloud.domain.net { reverse_proxy 192.168.20.103 } sub.domain.com { reverse_proxy 192.168.20.105 }
It's nice to only have 1 configuration file compared to the 30 some odd I had with nginx. Plus, it does HTTPS via Let's Encrypt automatically.
-
Caddy is really nice, and usually my choice for reverse proxy, except docker deployments. Here Traefik shines, you just can't beat auto discovery and configuration.
-
@marcinozga said in Caddy vs. Nginx:
Caddy is really nice, and usually my choice for reverse proxy, except docker deployments. Here Traefik shines, you just can't beat auto discovery and configuration.
The file provider for Traefik makes even non container deployments easy.
-
@VoIP_n00b said in Caddy vs. Nginx:
It's nice to only have 1 configuration file compared to the 30 some odd I had with nginx. Plus, it does HTTPS via Let's Encrypt automatically.
Caddy definitely makes config easier. But to be fair, the use of multiple files for nginx is purely a convention and has nothing to do with the system itself. Both Nginx and Caddy will support single or multiple files. Just one's ecosystem encourages one way, and the other encourages another. It's always up to you in the end.
-
@scottalanmiller said in Caddy vs. Nginx:
@VoIP_n00b said in Caddy vs. Nginx:
It's nice to only have 1 configuration file compared to the 30 some odd I had with nginx. Plus, it does HTTPS via Let's Encrypt automatically.
Caddy definitely makes config easier. But to be fair, the use of multiple files for nginx is purely a convention and has nothing to do with the system itself. Both Nginx and Caddy will support single or multiple files. Just one's ecosystem encourages one way, and the other encourages another. It's always up to you in the end.
Right, just because you did it one way does not mean that it was the only way.
-
@VoIP_n00b said in Caddy vs. Nginx:
Plus, it does HTTPS via Let's Encrypt automatically.
That would be fucking horrible. I rarely want LE on anything I am using with a reverse proxy. Most of that should be on a Cloudflare origin certificate.
-
@VoIP_n00b said in Caddy vs. Nginx:
I love how simple the configuration is when using a Cabbyfile:
Assumptions by my software stack suck ass. Yes, I want various security headers set, etc.
I make a generic config file for that with Nginx that gets included in all the site specific config sections. For most, it needs nothing else. But still, they are my settings.
-
@scottalanmiller said in Caddy vs. Nginx:
the use of multiple files for nginx is purely a convention
Specific to my guides which I know he followed...
I stated in those that I do it on purpose. I do not like to have one large config file to edit for everything.
Instead I prefer to edit a single small file per site. So if the damned thing does not start, I know which file to quickly remove, restart the service so everything else is not down, and then redo WTF ever I screwed up.
Can you do the same/similar with a single file? Sure. Just have to keep copies, etc. Simply a different process.
-
@JaredBusch said in Caddy vs. Nginx:
I stated in those that I do it on purpose. I do not like to have one large config file to edit for everything.
I agree, I prefer the conventional way. It was done that way for a reason, to make it easier for admins to work on the system. It makes it easier for tools like Ansible, too. Or easier for the person setting up Ansible, I should say.
-
@scottalanmiller said in Caddy vs. Nginx:
@JaredBusch said in Caddy vs. Nginx:
I stated in those that I do it on purpose. I do not like to have one large config file to edit for everything.
I agree, I prefer the conventional way. It was done that way for a reason, to make it easier for admins to work on the system. It makes it easier for tools like Ansible, too. Or easier for the person setting up Ansible, I should say.
Right, because I do not use a reverse proxy for a single system anywhere. If I need a RP, that is because I have multiple systems behind it.
I mean sure there can be an exception where I use it for a single system. Like the demo NodeBB setup I have for our company. It is on a Vultr Instance with Nginx on the same instance for that specific app. But it still uses a Cloudflare Origin Cert.
-
@JaredBusch said in Caddy vs. Nginx:
Right, because I do not use a reverse proxy for a single system anywhere. If I need a RP, that is because I have multiple systems behind it.
I actually do that a bit, mostly just for standardization so I know to look for nginx or whatever proxy for certain functions and don't have to worry if it's a single use or multi-use system.
-
@JaredBusch said in Caddy vs. Nginx:
Yes, I want various security headers set, etc.
Caddy gets an A out of the box on ssllabs.com
-
@JaredBusch said in Caddy vs. Nginx:
You have to compile yourself if you want to use commercially.
This is not something I will ever want to use because of that.
Yeah that's kinda lame, but not a deal breaker. Nginx has to be compiled for more advanced use cases like WAF or certain HAProxy features.
It's a bit of a bitch, but once you script it. It isn't too bad to do upgrades going forward.
-
@VoIP_n00b said in Caddy vs. Nginx:
@JaredBusch said in Caddy vs. Nginx:
Yes, I want various security headers set, etc.
Caddy gets an A out of the box on ssllabs.com
But they wouldn't see it, right? Because you'd still have CloudFlare in front of it. So while it gets an A, what does that matter?