Open source server simplifies HTTPS, security certificates

Forget expired TLS certificates; the lightweight Caddy web server handles Let's Encrypt certificates and redirects HTTP traffic by default

Open source server simplifies HTTPS, security certificates
Martyn Williams/IDGNS

For administrators seeking an easier method to turn on HTTPS for their websites, there is Caddy, an open source web server that automatically sets up security certificates and serves sites over HTTPS by default.

Built on Go 1.7.4, Caddy is a lightweight web server that supports HTTP/2 out of the box and automatically integrates with any ACME-enabled certificate authority such as Let’s Encrypt. HTTP/2 is enabled by default when the site is served over HTTPS, and administrators using Caddy will never have to deal with expired TLS certificates for their websites, as Caddy handles the process of obtaining and deploying certificates.

Securing all web content over HTTPS is now a necessary step to keep all online communications and transactions secure and private from malware, targeted attacks, and surveillance. Obtaining security certificates and setting up the certificates have been traditionally difficult, but that is beginning to change due to several new tools and services designed to improve certificate management.

For example, cloud security company CloudFlare issues security certificates to all websites using its service. Free certificate authority Let’s Encrypt provides security certificates and deployment tools so that anyone can set up their websites to use HTTPS. The hard part left is setting up the web server and configuring it correctly to work with the certificate—Let’s Encrypt has taken care of that, too. Caddy further simplifies the task as it automatically configures HTTPS via free Let’s Encrypt certificates.

Caddy redirects non-HTTPS traffic to HTTPS by default. The administrator doesn't have to use Let’s Encrypt certificates to get the same benefits. The web server also takes care of periodically rotating TLS session keys, which helps preserve perfect forward secrecy; even if keys are inadvertently exposed, they cannot be used to decrypt older encrypted sessions.

While intended to be a static file web server, Caddy can serve up dynamic PHP through FastCGI. It can also be used inside a Docker container. It can also be extended with new features, with add-ons for Prometheus metrics, IP filtering, search, Cross Origin Resource Sharing, and JSONP, to name a few.

Because Caddy is written in Go, it's cross-platform and works the same across operating systems, including Windows, Mac, Linux, BSD, and Solaris. Caddy’s developers avoided using certain libraries that aren’t always available on Windows systems, ensuring that critical Caddy features don’t get locked into specific operating systems. 

Don’t make the mistake of thinking Caddy will dislodge Nginx or Apache from enterprise networks anytime soon—the project is suitable for quick prototyping, test environments, and internal applications.

Caddy has been around for more than a year, and its latest version, 0.9.4, added new features such as support for statically compressed .gz or .br files and the ability to specify multiple back ends to a single FastCGI proxy for basic load balancing. The new version also picked up the option to customize TLS curve preferences and support Must-Staple on managed certificates.

When it comes to security, enterprises often shy away from open source projects because of the trust factor. There is always the question of support, whether the project will continue to be actively maintained and supported, but the more pressing question is whether the security components can be trusted. Security projects, in particular, benefit from an independent security audit since it identifies potential issues and confirms that the underlying security foundation is sound. Caddy could benefit from having an audit—but those assessments can get expensive.

Caddy is still in its infancy compared to enterprise favorites such as Apache, IIS, and Nginx, but the project is already getting big-name support from Mozilla. Caddy was one of the nine open source projects supported by Mozilla Open Source Support (MOSS), which provides funding for “open source projects that contribute to our work and the health of the Web.” Of the $545,000 Mozilla set aside for MOSS, Caddy received $50,000. The award was earmarked for adding a REST API, improving the Web UI, and developing new documentation to make it easier to deploy more services with TLS.

Copyright © 2017 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!