Migrating from Nginx to Caddy
April 23, 2025 Open Source

Switching from Nginx? Caddy offers a simpler, more secure way to manage reverse proxies, especially for setups like Tomcat load-balancing. Learn how its Go-based design and strong community support can benefit your stack.

Why Consider Caddy Over Nginx?

  • Simpler Configuration: Caddy uses an intuitive, declarative syntax (the Caddyfile), which often means less nesting and complexity compared to Nginx configs.
  • Single Binary Deployment: Built with Go, Caddy is distributed as a single executable file, simplifying deployment as there are no external dependencies or modules to manage separately.
  • Automatic HTTPS by Default: Caddy handles TLS setup automatically, obtaining certificates from Let’s Encrypt and enabling features like OCSP stapling, HSTS, and HTTP/2 without extra configuration.

From Boilerplate to Brevity: An Example

Let’s compare a basic load-balancing setup.

Nginx Example

# nginx requires an events block in the main configuration, even an empty one
events {}

http {
  upstream tomcats {
    server tomcat1:8080;
    server tomcat2:8080;
  }

  server {
    listen 80;
    server_name example.com;
    location / {
      proxy_pass http://tomcats;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}

Caddyfile Equivalent

example.com {
  reverse_proxy tomcat1:8080 tomcat2:8080
}

Notice the lack of http {} blocks or explicit listen directives. Caddy infers much of the setup from the domain and backend targets.

The Benefits of Go

  • Performance: Go’s concurrency model (goroutines) and native HTTP/2 support contribute to Caddy’s efficient handling of concurrent connections.
  • Extensibility: Caddy’s architecture allows for plugins (written in Go) to add features like custom authentication, rate-limiting, or caching, often without requiring server restarts.

A Responsive Open-Source Community

  • Active Development: Caddy sees frequent releases with updates and security patches.
  • Engaged Forums & GitHub: Discussions and contributions are actively reviewed.
  • Rich Ecosystem: A growing number of community plugins integrate Caddy with tools like JWT, Datadog, Prometheus, and more.

Our Contributions

We’ve also contributed back to the Caddy project:

  • Enhanced Health Checks: We helped add configurable pass/fail thresholds for active health checks, allowing for more precise control over backend availability (#6154).
  • Improved Cookie Security: We worked on ensuring reverse proxy cookies align with modern security practices by automatically setting Secure and SameSite=None attributes when TLS is used (#6115).

Strong Security Defaults

Caddy’s default TLS configuration aims for current best practices. Sites typically achieve a high score on SSL Labs tests out-of-the-box, without needing manual cipher suite adjustments.

Load-Balancing Tomcats Example

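example.com {
  reverse_proxy {
    # The Caddyfile has no {1..3} range expansion, so each upstream is listed
    to tomcat-app-1:8080 tomcat-app-2:8080 tomcat-app-3:8080
    lb_policy round_robin
    # Active health checks only run when health_uri (or health_port) is set;
    # the path / is an assumption, use an endpoint your application serves
    health_uri /
    health_interval 10s
    health_timeout 2s
  }
}

  • Automatic Health Checks: Caddy can automatically detect and route around unresponsive Tomcat nodes.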
  • Load Balancing Policies: Options include round-robin, least connections, random weighted, and others.
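
The proxy headers from the Nginx example and the pass/fail thresholds from #6154, carried into one Caddyfile. This is an added example, not configuration from the original post or the Caddy project; the /health path and the threshold and timing values are assumptions.

```caddyfile
example.com {
  reverse_proxy tomcat1:8080 tomcat2:8080 {
    # reverse_proxy passes Host through unchanged and sets X-Forwarded-For,
    # X-Forwarded-Proto and X-Forwarded-Host itself, so of the three
    # proxy_set_header lines in the Nginx example only X-Real-IP needs an
    # explicit counterpart. header_up overwrites any value the client sent.
    header_up X-Real-IP {remote_host}

    lb_policy round_robin

    # Active health checks: probe each Tomcat every 10s with a 2s timeout.
    # /health is an assumed endpoint; use one your application serves.
    health_uri /health
    health_interval 10s
    health_timeout 2s
    health_status 2xx

    # Thresholds (constructed values): three consecutive failed probes take
    # a node out of rotation, two consecutive passes bring it back.
    health_fails 3
    health_passes 2

    # Passive check: a failed proxied request counts against the node for 30s
    fail_duration 30s
    # Keep trying to select an available upstream for up to 5s before giving up
    lb_try_duration 5s
  }
}
```

Run `caddy validate --config Caddyfile` before reloading. The health_passes and health_fails directives need a Caddy release that includes #6154.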

Migrating to Caddy can simplify your reverse-proxy configuration and management while maintaining strong security defaults. If you’re looking for a more streamlined approach, Caddy is worth considering.
