Planning to switch from Nginx reverse proxy to Caddy - will i miss or regret anything?
Posted by domanpanda@reddit | linuxadmin | 46 comments
xdriver897@reddit
May I ask why you want to switch?
domanpanda@reddit (OP)
I already explained it in the description: because I could not get 2 or 3 sites working with nginx.
Also because Caddy's configs look simpler and it supports TLS autorenewal with DNS challenge.
djbiccboii@reddit
nginx is pretty easy to get set up with multiple sites and integrates well with certbot, so it is also automated. Just food for thought.
NetworkPIMP@reddit
no food needed... caddy is easier... nginx is a dinosaur now... grow up
domanpanda@reddit (OP)
I know that; I've been using nginx for years. I explained it all in the original post.
lighthawk16@reddit
Having used Caddy, Traefik, and now settling on NPM... NPM is by far the most documented and simple to administrate.
domanpanda@reddit (OP)
Again: I explained in the post why I don't want to use NPM.
lighthawk16@reddit
Sure, but it still doesn't change facts.
domanpanda@reddit (OP)
Well, I'm not interested in facts because I can Google them. I made this topic because of specific reasons which I explained.
MaxHedrome@reddit
npm? I have to ask the stupid question, because I assume y'all are not talking about the node package manager.
MaxGhost@reddit
They mean "Nginx Proxy Manager".
whalesalad@reddit
I wouldn't leave nginx unless you have a compelling reason to do so. It is a widely used, popular powerhouse for a reason. I also find it to be more configurable with better documentation and community debug stories than caddy. I don't particularly like caddy, aside from the fact that it does certs out of the box so I use it sometimes as a little shim in development/debug scenarios but for real production workloads I would opt for nginx without a doubt.
domanpanda@reddit (OP)
Hmm, it seems that shared posts do not show the content on mobile apps, only the title... effing reddit...
Anyway, in my original post I explained that I had 3 sites which I just could not get to work with nginx. I spent some hours on them and I gave up. Recently I played around with Caddy and also tested those sites, and they worked with both of them with just 4 or 5 lines of config. So yeah, that's why after years of using nginx I decided to switch to Caddy.
symcbean@reddit
In both cases, HTTP goes in the front, HTTP comes out the back. If something's not working with nginx then it's fixable.
> and it supports TLS autorenewal with DNS challenge
Failing to adhere to the Unix philosophy would be a black mark on my book not a benefit. Particularly if it involved installing some contributed software from a mystery third-party.
domanpanda@reddit (OP)
You're more than welcome to help if you can. Please be my guest:
https://www.reddit.com/r/homelab/comments/17yxyr3/nginx_proxy_shows_login_page_for_my_switch_but/
Coolbsd@reddit
Search for Netgear nginx took me to https://www.reddit.com/r/nginx/s/ueVlTsCCFr, seems lots of successful stories there, original post was 3 years ago, latest good result seems to be 3 months ago, have you tried?
domanpanda@reddit (OP)
Yes I have, I mentioned it in my post, which nobody replied to.
https://www.reddit.com/r/homelab/comments/17yxyr3/nginx_proxy_shows_login_page_for_my_switch_but/
a_a_ronc@reddit
You lost me here TBH. If you go to the Caddy website, right now, Documentation is literally the first thing in the header. The navigation has all the stuff you want and gets out of the way. Want hand holding and common patterns? They got that. Need a tutorial? They got that. Just want a list of all the directives? They got that.
If you just use a search engine, you’ll likely end up on nginx.com which has little documentation and is solely focused on selling you stuff. Then you’ll realize you want a different website, which looks barebones. You’re likely confusing “has more blogs and StackOverflow answers” with better docs.
As for “more configurable” I’d also disagree. Caddy can do either file based config “Caddyfiles” or dynamic configuration out of the box. On NGINX that requires a paid subscription. You can literally also compile and build your own binary with just the modules you need. This can help shrink binary and container size or just reduce attack surface.
temotodochi@reddit
Nginx does not require subscription for dynamic config. You can do a rest api controlled Nginx with help from apisix.
a_a_ronc@reddit
Didn’t know that, but doesn’t change my opinion. You have to figure out how to bundle two systems together rather than just using one that does the same thing simpler.
temotodochi@reddit
If I understood correctly, Caddy is an HTTPS proxy? If so, it covers maybe 5% of what Nginx is capable of.
a_a_ronc@reddit
Caddy has its core and then the ability to be extended with apps, which can all be found here: https://caddyserver.com/download
I’m unsure on UDP since I don’t deal with it, but you can turn it into a S3 Gateway, an OpenAPI responder, execute shell commands from an HTTP request, sideload a PHP app server, etc. It’s all there. If not, it can be made.
temotodochi@reddit
But raw TCP and UDP seem to be an issue as caddy does not really work on that network layer by default.
gnosys_@reddit
ya, you'll miss the license that lets you use it for free
-quakeguy-@reddit
I really love how the entirety of Caddy config for a single site is usually a grand total of 2-3 lines and that's it. There's a lot to be said about sane defaults that are always there, but out of the way of cluttering your config.
Old-Assumption4984@reddit
I use Apache and it's always worked very well, both for static content and as a reverse proxy.
temotodochi@reddit
Apache is pretty bad as a proxy and traffic shaper. UDP support is lackluster.
domanpanda@reddit (OP)
I used it a long time ago when I dealt with the LAMP stack very often, and I always hated its XMLish syntax. Switching to nginx was a breath of fresh air for me.
1esproc@reddit
Your question should be why should I switch, not why should I stick with Nginx.
domanpanda@reddit (OP)
You probably use a mobile device to read my post, so you don't see the description. For me it's a lesson to not use the share post function.
Please click the link to the original post; it's explained there.
kevdogger@reddit
I would say it would depend. I'm not familiar that much with caddy as much as I am with traefik however depending on application there are times it requires certain headers to be passed and it's just damn easier to use nginx or swag to do it. The one off the top of my head would be running a syncthing discovery server...way easier if using nginx.
domanpanda@reddit (OP)
Hmm, so maybe the best idea would be to keep both of them? Only cert renewal would require a little bit more scripting.
Whitestrake@reddit
If you're looking to keep things neat, you can actually have Caddy itself renew all the certs, including the ones you aren't actually planning to use Caddy to serve.
Then, you can use the `caddy-events-exec` plugin to notify/reload other services that rely on the certs Caddy is managing. That keeps all your certificate management in a single place.
That said, headers are pretty easy to wrangle in Caddy, like, really really easy. It can handle your wildcard too with the `caddy-dns/cloudflare` module.
Getting Caddy with those two modules is as straightforward as ticking the boxes for those on the download page, or building it using the Caddy docker `builder` helper (see "Adding custom Caddy modules").
If you use Compose, you can even specify the Dockerfile inline now! Which I really love, it's very neat. My custom Caddy build looks like this:
The `lucaslorentz/caddy-docker-proxy` gives it capabilities similar to Traefik in terms of using container labels to dynamically proxy stuff that I put in the `proxy` network, so I don't even use a Caddyfile at all. Just `docker compose build caddy` and you're up to date.
domanpanda@reddit (OP)
I love your comment! Saved it! Thank you!
kevdogger@reddit
Possibly, depending on your setup. I maintain both traefik, nginx and one HAProxy. For the nginx proxies I use acme.sh for certs with the DNS Cloudflare challenge, which really cuts down the amount of scripting. You can use either the nginx plugin or just use a post-hook renew command which references a script that would restart the nginx server after renewal. I'm partial however to the traefik dashboard since I can visually confirm routes and setup. Does Caddy have something similar? I'm aware you can just look at log files and such, but sometimes having a GUI is nice.
domanpanda@reddit (OP)
By scripting I meant cert propagation (copying), because I use a wildcard anyway.
kevdogger@reddit
Yea I get it. Will need some scripts or ansible routine. All a little annoying
broknbottle@reddit
Nginx is easy especially if you’ve dealt with Apache. Caddy 2 is the shit and definitely config is simpler but that is only once you figure out config that you need and build up a snippet warchest. Caddy’s documentation is hands down the worst especially right after the caddy v1 to caddy v2 release. Every example etc was still caddy v1 and things were very hit or miss for quite some time
prairievoice@reddit
I've been migrating everything to Caddy, but we issue our own certs using acme.sh and letsencrypt, and reload the caddy config when we update something.
MaxGhost@reddit
Why?
prairievoice@reddit
When we set up our servers, there was no support for our DNS provider to issue wildcard certs, but now your question has prompted me to revisit it and I see there is a 3rd party implementation that supports our DNS provider... I'm going to have to give it a try and see how it goes.
-eschguy-@reddit
Love me some Caddy.
Caddy666@reddit
pity more people don't, tbh.
that_czech_dude@reddit
Caddy is imho the future, it's got all batteries included, and when it's going to get k8s ingress parity with nginx, or anything similar to nginx-proxy-manager, it will be unstoppable.
You can literally leave caddy running for years and just update it with package manager and not worry about TLS certs anymore. That stability is not guaranteed with certbot, it's just yet another daemon service you need to take care of and it broke for me multiple times.
Much love to mholt and his team
Caddy666@reddit
aww, thanks, dude.
MaxGhost@reddit
include statements -> snippets: https://caddyserver.com/docs/caddyfile/concepts#snippets
allow/deny statements -> `remote_ip` matcher + `abort` or `respond` or `error` directives: https://caddyserver.com/docs/caddyfile/matchers#remote-ip
baseauth -> `basicauth` directive: https://caddyserver.com/docs/caddyfile/directives/basicauth
websocket proxying -> `reverse_proxy` supports this by default, nothing to configure
certificate verification -> do you mean "client auth"? If so, yes, via `tls` directive config. But not sure what you mean here.
disabling proxy buffering -> depending on the upstream's headers, immediate flushing will be on by default, but there's options for that anyway if your upstream is doing something weird: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#streaming
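Added example, written for this page and not posted by any commenter in the thread: one Caddyfile that puts the nginx-to-Caddy mappings MaxGhost lists above (snippets for `include`, `remote_ip` + `abort` for allow/deny, `basicauth`, `reverse_proxy` streaming options) next to the wildcard-certificate-via-DNS-challenge setup Whitestrake describes. The hostnames, upstream addresses, private IP ranges, and the `CLOUDFLARE_API_TOKEN` and `ADMIN_PASSWORD_HASH` environment variables are assumptions for illustration. Two caveats: the `dns cloudflare` line only parses in a Caddy build that includes the `caddy-dns/cloudflare` module, and Caddy v2.8 renamed `basicauth` to `basic_auth` (the old spelling still works, with a deprecation warning).

```caddyfile
# Global options: the ACME account e-mail (assumed address).
{
	email admin@example.com
}

# Snippet, the rough equivalent of nginx `include`: defined once, pulled in
# with `import`. Drops connections that do not come from the assumed LAN ranges.
(lan_only) {
	@blocked not remote_ip 10.0.0.0/8 192.168.0.0/16
	abort @blocked
}

# Second snippet: headers added to every response.
(common_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options nosniff
		-Server
	}
}

# One wildcard site block: Caddy obtains and renews a single *.example.com
# certificate with the DNS-01 challenge, so the upstreams never need port 80.
# Requires a build with the caddy-dns/cloudflare module; the API token is read
# from the environment rather than written into the config.
*.example.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
	import common_headers

	# Sub-host routing inside the wildcard block, equivalent to separate
	# server {} blocks in nginx.
	@switch host switch.example.com
	handle @switch {
		import lan_only
		reverse_proxy 192.168.1.2:80 {
			# Some embedded web UIs only answer when Host matches what they
			# expect; forward the upstream's own host:port instead of the
			# public one (assumed to be what this device wants).
			header_up Host {upstream_hostport}
		}
	}

	@sync host sync.example.com
	handle @sync {
		# Password hash generated out of band with `caddy hash-password`
		# and supplied via the ADMIN_PASSWORD_HASH environment variable.
		basic_auth {
			admin {$ADMIN_PASSWORD_HASH}
		}
		reverse_proxy 127.0.0.1:8384 {
			# -1 disables response buffering entirely (nginx proxy_buffering off).
			flush_interval -1
		}
	}

	# Anything else under the wildcard gets a plain 404 rather than a
	# default upstream.
	handle {
		respond "Not found" 404
	}
}
```

Run `caddy validate --config Caddyfile` with both environment variables set before deploying; the `abort` in `lan_only` closes the TCP connection without a response, so an external scanner sees nothing rather than a 403, and WebSocket upgrades to either upstream need no extra directives because `reverse_proxy` handles them by default.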