Migrating from Nginx to Caddy
Caddy can make reverse proxy and Tomcat load-balancing setups shorter, easier to maintain, and secure by default.
Why Consider Caddy Over Nginx?
- Simpler Configuration: Caddy uses a declarative Caddyfile, which often means less nesting than an Nginx config.
- Single Binary Deployment: Caddy ships as one executable, so deployments do not need separate modules or runtime dependencies.
- Automatic HTTPS by Default: Caddy handles TLS setup, obtains Let’s Encrypt certificates, and enables OCSP stapling, HSTS, and HTTP/2 without extra configuration.
From Boilerplate to Brevity: An Example
Let’s compare a basic load-balancing setup.
Nginx Example
http {
upstream tomcats {
server tomcat1:8080;
server tomcat2:8080;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://tomcats;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
Caddyfile Equivalent
example.com {
reverse_proxy tomcat1:8080 tomcat2:8080
}
Notice the lack of http {} blocks or explicit listen directives. Caddy infers much of the setup from the domain and backend targets.
The Benefits of Go
- Performance: Go’s goroutines and native HTTP/2 support help Caddy handle concurrent connections efficiently.
- Extensibility: Go plugins can add custom authentication, rate-limiting, caching, and other server behavior.
A Responsive Open-Source Community
- Active Development: Caddy sees frequent releases with updates and security patches.
- Engaged Forums & GitHub: Discussions and contributions are actively reviewed.
- Rich Ecosystem: A growing number of community plugins integrate Caddy with tools like JWT, Datadog, Prometheus, and more.
Our Contributions
We’ve also contributed back to the Caddy project:
- Enhanced Health Checks: We helped add configurable pass/fail thresholds for active health checks, which gives operators better control over backend availability (#6154).
- Improved Cookie Security: We helped Caddy set
SecureandSameSite=Noneon reverse proxy cookies when TLS is used (#6115).
Strong Security Defaults
Caddy’s default TLS configuration aims for current best practices. Sites typically achieve a high score on SSL Labs tests out-of-the-box, without needing manual cipher suite adjustments.
Load-Balancing Tomcats Example
example.com {
reverse_proxy {
to tomcat-app-{1..3}:8080
lb_policy round_robin
health_interval 10s
health_timeout 2s
}
}
- Automatic Health Checks: Caddy can automatically detect and route around unresponsive Tomcat nodes.
- Load Balancing Policies: Options include round-robin, least connections, random weighted, and others.
Migrating to Caddy can shorten reverse-proxy configuration and keep strong security defaults. It is worth evaluating when you choose a load balancer or reverse proxy.