
Migrating from Nginx to Caddy
Switching from Nginx? Caddy offers a simpler, more secure way to manage reverse proxies, especially for setups like Tomcat load-balancing. Learn how its Go-based design and strong community support can benefit your stack.
Why Consider Caddy Over Nginx?
- Simpler Configuration: Caddy uses an intuitive, declarative syntax (the Caddyfile), which often means less nesting and complexity compared to Nginx configs.
- Single Binary Deployment: Built with Go, Caddy is distributed as a single executable file, simplifying deployment as there are no external dependencies or modules to manage separately.
- Automatic HTTPS by Default: Caddy handles TLS setup automatically, obtaining certificates from Let’s Encrypt and enabling features like OCSP stapling, HSTS, and HTTP/2 without extra configuration.
From Boilerplate to Brevity: An Example
Let’s compare a basic load-balancing setup.
Nginx Example
    events {}   # nginx refuses to start without an events block, even an empty one
    http {
        upstream tomcats {
            server tomcat1:8080;
            server tomcat2:8080;
        }
        server {
            listen 80;
            server_name example.com;
            location / {
                proxy_pass http://tomcats;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
        }
    }
Caddyfile Equivalent
    example.com {
        reverse_proxy tomcat1:8080 tomcat2:8080
    }
Notice the lack of http {} blocks or explicit listen directives. Caddy infers much of the setup from the domain and backend targets.
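To make the comparison concrete, here is an added Python script (my own, not from the original post or from the Caddy project) that translates the upstream/proxy_pass pattern above into the equivalent Caddyfile site blocks; it goes slightly beyond the example by also handling multiple server_name entries and a literal host:port proxy_pass target. The sample config embedded in it is constructed from the Nginx example above.

```python
import re
# Constructed sample input: the post's Nginx config, with a second server_name added.
NGINX_CONF = """http {
    upstream tomcats { server tomcat1:8080; server tomcat2:8080; }
    server {
        listen 80;
        server_name example.com www.example.com;
        location / { proxy_pass http://tomcats; proxy_set_header Host $host; }
    }
}"""

def block_body(conf, start):
    """Return the text inside the balanced {...} that opens at or after index start."""
    open_idx = conf.index("{", start)
    depth = 0
    for i in range(open_idx, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_idx + 1:i]
    raise ValueError("unbalanced braces in nginx config")

def parse_upstreams(conf):
    """Map each 'upstream NAME { server host:port; ... }' block to its backend list."""
    upstreams = {}
    for m in re.finditer(r"\bupstream\s+(\S+)\s*\{", conf):
        body = block_body(conf, m.start())
        upstreams[m.group(1)] = re.findall(r"\bserver\s+([^;\s]+)\s*;", body)
    return upstreams

def nginx_to_caddyfile(conf):
    """Emit one Caddyfile site block per nginx server block that proxies (first proxy_pass only).
    proxy_set_header lines are dropped: reverse_proxy forwards Host and sets X-Forwarded-For
    and X-Forwarded-Proto itself; X-Real-IP is not set, use 'header_up X-Real-IP {remote_host}'."""
    upstreams = parse_upstreams(conf)
    sites = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        body = block_body(conf, m.start())
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        target = re.search(r"\bproxy_pass\s+https?://([^;/\s]+)", body)
        if not names or not target:
            continue  # not a reverse-proxy vhost; nothing to translate
        # A named upstream expands to its backends; a literal host:port is kept as-is.
        backends = upstreams.get(target.group(1), [target.group(1)])
        site = " ".join(names.group(1).split())
        sites.append(f"{site} {{\n\treverse_proxy {' '.join(backends)}\n}}")
    return "\n".join(s + "\n" for s in sites)
```

Running nginx_to_caddyfile(NGINX_CONF) prints the two-line site block shown in the Caddyfile equivalent above, with the extra hostname on the site line.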
The Benefits of Go
- Performance: Go’s concurrency model (goroutines) and native HTTP/2 support contribute to Caddy’s efficient handling of concurrent connections.
- Extensibility: Caddy’s architecture allows for plugins (written in Go) to add features like custom authentication, rate-limiting, or caching, often without requiring server restarts.
A Responsive Open-Source Community
- Active Development: Caddy sees frequent releases with updates and security patches.
- Engaged Forums & GitHub: Discussions and contributions are actively reviewed.
- Rich Ecosystem: A growing number of community plugins integrate Caddy with tools like JWT, Datadog, Prometheus, and more.
Our Contributions
We’ve also contributed back to the Caddy project:
- Enhanced Health Checks: We helped add configurable pass/fail thresholds for active health checks, allowing for more precise control over backend availability (#6154).
- Improved Cookie Security: We worked on ensuring reverse proxy cookies align with modern security practices by automatically setting the Secure and SameSite=None attributes when TLS is used (#6115).
Strong Security Defaults
Caddy’s default TLS configuration aims for current best practices. Sites typically achieve a high score on SSL Labs tests out-of-the-box, without needing manual cipher suite adjustments.
Load-Balancing Tomcats Example
    example.com {
        reverse_proxy {
            # the Caddyfile has no brace expansion, so each upstream is listed explicitly
            to tomcat-app-1:8080 tomcat-app-2:8080 tomcat-app-3:8080
            lb_policy round_robin
            # path probed by active health checks (assumed here; point it at your app's health endpoint)
            health_uri /
            health_interval 10s
            health_timeout 2s
        }
    }
- Automatic Health Checks: Caddy can automatically detect and route around unresponsive Tomcat nodes.
- Load Balancing Policies: Options include round-robin, least connections, random weighted, and others.
Migrating to Caddy can simplify your reverse-proxy configuration and management while maintaining strong security defaults. If you’re looking for a more streamlined approach, Caddy is worth considering.