Caddy seems to good to be true? I just set it up and it works perfect, straight out of the box

I would not directly expose Jellyfin to the Internet (including reverse proxy) because of security issues they've had. And no, a reverse proxy (like Caddy) doesn't usually add much insecurity or security^.

The thing I currently do is use forward_auth w/ Authelia (from anywhere, you could also use basic_auth though the UX sucks) but bypass it for the app in private IP ranges (aka at home or in VPN):

jellyfin.example {
        @notapp {
                not {
                        header User-Agent *Jellyfin*
                        client_ip private_ranges
                }
        }

        forward_auth @notapp localhost:8080 {
                uri /api/verify?rd=https://authelia.example/
        }
        reverse_proxy 192.168.1.44:8080
}

Apps get to continue working, and I can access it from my phone without a VPN setup (because it's annoying and I only look at metadata on my phone anyway).

You can also do a simpler config (which I used to do) where you just give an HTTP Unauthorized for anything outside of private ranges (this lets you do the HTTP challenge for a certificate while still not exposing Jellyfin to the general internet).

^You can configure more security by doing authentication in the reverse proxy so that anyone trying to attack services behind it must first authenticate with the reverse proxy, but this is not the default. Security-wise this ends up similar to forcing all access through a VPN first, if a little harder to setup.

2

The documentation it's surprisingly bad at explaining common patterns of use.

It is also a bit thicker compared to nginx or HAproxy.

1

Caddy maintainer here, which patterns are you confused about?

What do you mean by "thicker"? I don't think I agree but I'm not sure what you mean.

1
Really? My experience was the opposite. I found everything I needed intheir docs rather quickly.

I guess it's true they don't have as many basic examples as nginx, but I'd take their lack of example over the mess an nginx config can become any day.

1
- Maybe just cause I'm still learning this stuff but I found the docs fairly challenging to comprehend too. Now that I get the basics though, it's pretty easy looking back
  
  2
Totally agree.

The main problem is it's all written as a reference -- for people who already understand what/how, who need to just refresh their memory of the actual syntax.

There's very little explanatory stuff for people who need more than that. I had to read the same stuff multiple times, traversing many (or often, the same!) links, make notes, and then form a mental picture of what is going on.

1
- Caddy maintainer here, if you could point to specific sections you find confusing, that would help. We rarely receive actionable feedback about the docs, so it's hard for us to make improvements.
  
  1

Caddy is very basic, and thats why it works so easily. There is nothing wrong with it.

However it lacks some features that other reverse proxies offer. But if you dont need any of those, use Caddy.

Additional security? Not directly. But fail2ban and CrowdSec are easily set up too. And Caddy also combines very well with Authelia for authentication.

1

I'm wondering what those features are? What are the top 2 features you use most that are missing in Caddy? I used to go to nginx by default, but I switched to Caddy recently and I'm wondering what hurdles I'm setting up for myself.

0

It just runs... Two years straight. Some more services since start of caddy... No worries.

Recently added auth with authelia... Still straight forward.

Easy setup, always online. That's it. Period.

1

I switched from Traefik to Caddy a few years ago and have no ragrets. The only complaints I have about Caddy:

It doesn't support configuring virtual hosts automatically via docker labelsl (like Traefik).
Many features (like DNS auth for certs) require compiling Caddy. Which is easy but annoying.

1

If you are using Docker, check out this repository for Caddy builds with different plugins https://github.com/serfriz/caddy-custom-builds

1
- Nice!
  
  1
Random question from a noobie…. Why do you use something like Traefik versus something like Cloudflare Zero Access? (Again sorry if question is dumb). I’m just a new guy to this learning as I go and after getting up zero access with a $8 domain and now being able to securely access everything via subdomains it seems confusing why apps like Traefik are still so popular? I know I’m missing something there but hoping someone points it out.

1
- Because this is r/selfhosted. :-)
  
  1
Anyone know if Caddy would be a good pick for a reverse proxy on a public subnet to distribute traffic to a bunch of subdomains in low traffic settings? I figure it could be a single source for all HTTPS stuff in my stack.

Or is it really just for like single applications running through Docker? Sorry, I haven’t played with it too much.

1
- Yes, it excels at that usecase. Caddy will automatically set up and manage certificates for each subdomain.
  
  1
I use Caddy and agree with your last point in the context of Crowdsec

1
It doesn't support configuring virtual hosts automatically via docker labelsl (like Traefik).

Here you go: https://github.com/lucaslorentz/caddy-docker-proxy. No more extra Caddy configuration file.

1
- Whoa, just when I thought I had completed my setup haha
  
  1
You mean using dns providers like cloud flare?

It’s very easy just don’t this

caddy add-package github.com/caddy-dns/cloudflare

1
I wrote something that can setup caddy automatically from docker labels.

It's not well documented as I mostly wrote it for myself. https://hub.docker.com/r/mheys1/docker-dynamic-caddy https://github.com/mattheys/ddc

It basically acts like a DNS server serving up SRV records that caddy can use for dynamic configuration, I added in an on_demand_tls endpoint as well so that you don't get spammed for non existent TLS records.

1
I have not tested it, but someone did auto discovery for caddy

https://github.com/lucaslorentz/caddy-docker-proxy

1
Don't hate me but I use Apache2, why would use caddy?

1
- I used Apache for many years. It’s great! But Caddy is simpler, easier and lighter weight.
  
  1

Lack of docker labels is a downer, but it’s the best reverse proxy I have used. Recently started a project to run containers with caddy

https://github.com/scmmishra/slick-deploy

1

I hope you're aware of https://github.com/lucaslorentz/caddy-docker-proxy ?

1

It's no different than NGiNX, put in your config and it just works.

1

Caddy is a great, easy web server. It honestly has some pretty good performance too. If you want to see some good tests against nginx, take a look at this:

https://blog.tjll.net/reverse-proxy-hot-dog-eating-contest-caddy-vs-nginx/

tldr: Optimized nginx does outperform caddy in some areas in under heavy load, and they have a completely different strategies to handle failure. Under very heavy load Nginx just starts dropping and refusing connections to keep itself fast, while caddy will dramatically slow down response times in order to keep failures from happening.

1

I started with caddy because it seemed to have the least complex config file even though the documentation lacks examples which I found really annoying when troubleshooting or trying any less basic stuff. I also found certificate related issues really hard to fix.

Now I run nignx-proxymanager as a docker-container which unifies nearly all services into portainer for updating therefore making it easier to keep my stuff up to date. nginx-proxymanager is also much easier imo on the certificate side of things. I create wildcard certificates for a few domains and select the right one depending on the proxy I add. I also use forwards for a few of my shelly-devices which don't seem to work with proxies and make it easier for me to access them via a domain instead of memorizing a growing number of IPs.

1

It is a simple layer 7 proxy and nothing more. It is the simplest so it works. As a comparison, almost all other reverse proxies can handle layer 4 traffic.

and I don't miss the label feature of traefik at all. centralized config for an entrance gateway is so much easier to maintain and find security flaws. I think labeling would be useful only in production clusters with thousands of microservices that you absolutely need the reverse of control to get away from dependency hell. Otherwise, I advice against using such feature, not even with a caddy plugin. (I mean if you really need it, why not just use traefik...)

1

After using Nginx for almost a decade, Caddy is pretty damn awesome regarding how simple it is. I don't need 8-10 lines of code to setup an SSL secured reverse proxy, I need three.

1

been running my reverse proxy on caddy from last 4-5 years. No issues at all. No maintenance needed. Setup and forget. Just needs a simple config file. Auto certificate generation.

1

Can somebody explain in plain English what it is used for?

1

Caddy is an http server, often used as a reverse proxy. It’s particularly useful for TLS termination and automatic TLS certificate management.

1
It sits in charge of your ports 80/443 and decides to which webserver it sends traffic. If to your jellyfin, or your nextcloud, or your uptimekuma, or your vaultwarden or your mealie or your dashboard...

unlike others it automaticly do https certificate for you and its config is really clean and readable which is nice.

Heres how to set it up if you wanna try.

0
- Cool! Thanks!
  
  1

Been using it for a few years now, and yeah, it's just that simple.

I have 443 open and pointing at my Caddy instance, it handles everything else.

1

What is it? Is it an alternative to unraid?

1

https://caddyserver.com/

1
No, it’s a web server and reverse proxy.

It automatically adds HTTPS using let’s encrypt certificates.

1

How do you compare Caddy with nginx proxy manager?

1

Id say npm is 10x better than caddy

1
npm is nice for people who want easy web gui to configure stuff

caddy makes me feel more in control, its easier to backup too, since its all in one easy and readable config, and probably has more features as you go with your needs

There is also not that layer of which developer fucked up that you get when projects are projects of projects...

1

Used Caddy for years and after a week of Nginx Proxy Manager I never went back to Caddy.

1

Strange, I never quite got why ever would i want to swtich to NPM, tried it and never liked it...

I ssh in and edit my caddyfile faster than I go to npm web interface and click through menus. I actually can just copy paste caddyfile config and have backup of it, while I am not even sure if npm has any backup solution by now, or you just suppose to backup on docker level.

And it is kinda in the way, a gui layer if you wanna do something more..

1

there are some trade offs, mostly performance

1

it is what you mean...no less no more...Caddy rocks...

1

Caddy is great, been using it for a long time and made the switch from v1 to v2. The biggest negative, IMO, is that examples are usually for NGINX. This is fine if all you have to do is to translate the nginx 5-liner into a Caddy 1-liner, but for nextcloud, the code was a bit more complicated and required some googling (as people had that issue before and their forums are helpful).

LLMs can also be useful for translating nginx directives to caddy.

1

I would like to jump over to it. I have been struggling with Nginx and Apache and I am afraid I have made a mess of things. I am installing on an old Mac Mini with Mac OS so I don't really have a way to isolate and remove Nginx and Apache and I have a feeling if I try Caddy I will get some interferences.

0

Try it, heres a decent guide with lot of examples.

1