Caddy (web server)

Caddy
Original author(s) Matthew Holt
Initial release 28 April 2015 (2015-04-28)
Stable release 0.9.2 / 20 September 2016 (2016-09-20)
Repository github.com/mholt/caddy
Development status Active
Written in Go[1]
Operating system Android, BSD variants, Linux, OS X and Windows
Type Web server, reverse proxy server
License Apache 2
Website caddyserver.com

Caddy, sometimes clarified as the Caddy web server, is an open source, HTTP/2-enabled web server written in Go. It uses the Go standard library for its HTTP functionality.[1]

One of Caddy's most notable features is enabling HTTPS by default.[2][3][4] It is the first general-purpose web server to do so without requiring extra configuration.[5]

The author, Matt Holt, began developing Caddy in December 2014 and released it in April 2015.[6] In the year following its release, it was downloaded over 20,000 times and received 4,500 stars on GitHub.[7]

Caddy supports a variety of Web technologies and is available as statically-compiled binaries for Windows, Mac, Linux, Android, and BSD operating systems on i386, amd64, and ARM architectures.

Capabilities

A variety of web site technologies can be served by Caddy, which can also act as a reverse proxy and load balancer. Most of Caddy's features are implemented as middleware and exposed through directives in the Caddyfile (a text file used to configure Caddy).[8]

Security

Caddy is not vulnerable to a number of widespread CVEs including Heartbleed, DROWN, POODLE, and BEAST.[13] In addition, Caddy uses TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

On June 2, 2015, version 0.7.1 was released to patch a vulnerability to timing attacks in Caddy's basic authentication middleware.[14]
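The defect class behind that 0.7.1 fix, shown as an added Go example (not Caddy's own middleware): a Basic Auth check whose password comparison uses Go's plain string equality beside one that compares fixed-width digests with crypto/subtle. The users map and the basicAuth wrapper are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
)

// Hypothetical credential store for this example: one user, one password.
var users = map[string]string{"admin": "correct horse battery staple"}

// unsafeCheck shows the timing leak: == compares lengths first and returns as
// soon as a difference is found, so the time it takes depends on how much of
// the guess is right (and on the length of the stored secret).
func unsafeCheck(user, pass string) bool {
	want, ok := users[user]
	return ok && pass == want
}

// safeCheck hashes both values to a fixed width and compares the digests in
// constant time, so timing depends neither on the guess nor on the secret's
// length. An unknown user still does the same hashing work as a known one.
func safeCheck(user, pass string) bool {
	want, ok := users[user]
	got := sha256.Sum256([]byte(pass))
	exp := sha256.Sum256([]byte(want))
	return subtle.ConstantTimeCompare(got[:], exp[:]) == 1 && ok
}

// basicAuth wraps next with HTTP Basic authentication backed by safeCheck.
func basicAuth(realm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !safeCheck(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	hello := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello\n"))
	})
	http.ListenAndServe("127.0.0.1:8080", basicAuth("example", hello))
}
```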

With regard to protocols and cipher suites, Caddy uses TLS 1.0-1.2 and prefers ECDHE-ECDSA with AES256-GCM-SHA384, although a dozen different ciphers are supported. Caddy has also been used by Cloudflare as a platform to serve an experimental TLS 1.3 implementation.[15]

Traditional privilege de-escalation as performed in C programs is non-trivial in Go programs.[16] In order to bind ports lower than 1024, Caddy must be run as root (not recommended) or given capabilities to bind to low ports using setcap (recommended). However, an alternate method of dropping privileges that involves spawning an unprivileged child process will likely be implemented in a future version.[17]

Caddy does not automatically enable HTTP Strict Transport Security; it is recommended that users enable HSTS using Caddy's header directive.[18]

Automatic HTTPS

Caddy activates HTTPS by default for sites with qualifying domain names (names for which a TLS certificate can be negotiated via the ACME protocol), and redirects HTTP requests to HTTPS.[19] It obtains certificates as needed during startup and keeps them renewed during the lifetime of the server. Let's Encrypt is the default certificate authority, but the user may customize the ACME CA that is used, which is often necessary when testing configurations. As of Q1 2016, Caddy accounted for about 2% of certificates issued by Let's Encrypt.[20]

An alternate configuration allows Caddy to obtain certificates only as needed during TLS handshakes rather than at startup, a feature dubbed "On-Demand TLS."[21] To enable this feature, the user must specify a maximum number of certificates that can be issued this way. When Caddy receives a request for a hostname for which it does not yet have a certificate, it will negotiate a new certificate via ACME and serve it immediately, while caching the obtained certificate in memory and storing it on disk. This process usually takes a few seconds, and is subject to tight rate limits.[21]
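The On-Demand TLS flow described above as an added Go example, not Caddy's implementation: a tls.Config GetCertificate hook that serves cached certificates, applies a simplified qualifying-name rule and the required maximum-certificates cap, and calls an Obtainer stand-in where the real server would run the ACME exchange. The Obtainer type, the OnDemand type and the qualifies rule are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net"
	"strings"
	"sync"
)

// Obtainer stands in for the ACME client (which would complete a challenge with the CA).
type Obtainer func(host string) (*tls.Certificate, error)

// OnDemand: certificates obtained lazily, cached in memory, at most MaxCerts ever issued.
type OnDemand struct {
	mu       sync.Mutex
	cache    map[string]*tls.Certificate
	MaxCerts int
	obtain   Obtainer
}

func NewOnDemand(maxCerts int, obtain Obtainer) *OnDemand {
	return &OnDemand{cache: map[string]*tls.Certificate{}, MaxCerts: maxCerts, obtain: obtain}
}

// qualifies is a minimal "qualifying domain name" rule: no empty SNI, localhost, wildcard or IP literal.
func qualifies(host string) bool {
	return host != "" && host != "localhost" && !strings.Contains(host, "*") &&
		net.ParseIP(host) == nil && strings.Contains(host, ".")
}

// GetCertificate is the tls.Config hook run on every handshake. The lock is held across
// obtain for brevity; a real server would coalesce per-host requests instead of stalling all.
func (o *OnDemand) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	o.mu.Lock()
	defer o.mu.Unlock()
	if c, ok := o.cache[host]; ok {
		return c, nil // cache hit: no ACME round trip
	}
	if !qualifies(host) || len(o.cache) >= o.MaxCerts {
		return nil, errors.New("on-demand tls: not a qualifying name or max_certs reached: " + host)
	}
	c, err := o.obtain(host) // the slow, rate-limited ACME exchange
	if err != nil {
		return nil, err
	}
	o.cache[host] = c
	return c, nil
}
```

Pass `od.GetCertificate` as `tls.Config{GetCertificate: ...}` and no static certificate is needed; Caddy additionally writes obtained certificates to disk, which this example omits.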

When serving TLS, Caddy will automatically rotate session ticket keys periodically to help preserve perfect forward secrecy.[22]
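Session ticket key rotation as an added example, not Caddy's code: it uses the Go standard library's tls.Config.SetSessionTicketKeys, which takes a list of 32-byte keys where the first encrypts new tickets and the rest may still decrypt older ones. The TicketRotator type and ring size are assumptions for the example; a time.Ticker calling Rotate supplies the periodic part.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"sync"
)

// TicketRotator keeps a short ring of session ticket keys. Go encrypts new
// tickets with keys[0] and still decrypts tickets made under the older keys,
// so rotating bounds how many past sessions one leaked key could expose.
type TicketRotator struct {
	mu   sync.Mutex
	keys [][32]byte
	keep int
	cfg  *tls.Config
}

// NewTicketRotator installs a first key into cfg and keeps at most keep keys.
func NewTicketRotator(cfg *tls.Config, keep int) (*TicketRotator, error) {
	r := &TicketRotator{keep: keep, cfg: cfg}
	return r, r.Rotate()
}

// Rotate generates a fresh random key, makes it the encrypting key and drops
// the oldest key once the ring is full.
func (r *TicketRotator) Rotate() error {
	var k [32]byte
	if _, err := rand.Read(k[:]); err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.keys = append([][32]byte{k}, r.keys...)
	if len(r.keys) > r.keep {
		r.keys = r.keys[:r.keep]
	}
	r.cfg.SetSessionTicketKeys(r.keys)
	return nil
}

// Keys returns a copy of the ring, newest first.
func (r *TicketRotator) Keys() [][32]byte {
	r.mu.Lock()
	defer r.mu.Unlock()
	return append([][32]byte(nil), r.keys...)
}
```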

References

  1. Gerrand, Andrew (17 February 2016). "Go 1.6 is released". golang.org. Retrieved 5 March 2016.
  2. Johnson, Brad (23 February 2016). "A Better Web Server with Free SSL". VolumeLabs.net. Retrieved 5 March 2016.
  3. "Automatic HTTPS with Caddy Server". 18 December 2015. Retrieved 5 March 2016.
  4. Aas, Josh (12 February 2016). NYLUG Presents: Josh Aas on Let's Encrypt: A Free, Automated, and Open CA. Bloomberg. 32 minutes in.
  5. Dmitry Chestnykh [dchest] (17 December 2015). "Caddy is the first general-purpose web server to default to HTTPS without user intervention (using Let's Encrypt)" (Tweet) via Twitter.
  6. "Show HN: Caddy, a cross-platform HTTP/2 web server". news.ycombinator.com. 28 April 2015.
  7. Is Caddy Free?
  8. "The Caddyfile". Retrieved 29 February 2016.
  9. "tls - Caddy Directives". Retrieved 8 March 2016.
  10. Benedetti, Benoit (November 2015). "Caddy, Le Serveur Web Facile" [Caddy, The Easy Web Server]. GNU/Linux Magazine France (in French). France.
  11. "How to Setup the Caddy Web Server with php-fpm".
  12. Beke, Mathias (21 August 2015). "Caddy Server and WordPress (PHP-FPM)".
  13. "SSL Server Test: caddyserver.com (Powered by Qualys SSL Labs)". SSLLabs.com. Retrieved 5 March 2016.
  14. "Release 0.7.1 · mholt/caddy". 2 June 2015.
  15. Nick Sullivan [grittygrease] (4 March 2016). "It's built in Go using custom versions @rlbarnes's Mint and @mholt6's Caddy" (Tweet) via Twitter.
  16. "syscall: Setuid/Setgid doesn't apply to all threads on Linux". 21 January 2011. Retrieved 5 March 2016.
  17. "Implement privilege de-escalation". 21 January 2016.
  18. "HTTP Strict Transport Security". CIO.gov. Retrieved 8 March 2016.
  19. "Automatic HTTPS". Retrieved 5 March 2016.
  20. Eckersley, Peter (21 February 2016). USENIX Enigma 2016 - Several Horror Stories about the Encrypted Web. USENIX. 13 minutes in.
  21. "On-Demand TLS". Retrieved 5 March 2016.
  22. Springall, Drew; Durumeric, Zakir; Halderman, J. Alex (1 January 2016). "Measuring the Security Harm of TLS Crypto Shortcuts". Proceedings of the 2016 ACM on Internet Measurement Conference. IMC '16. New York, NY, USA: ACM: 33–47. doi:10.1145/2987443.2987480. ISBN 9781450345262.

This article is issued from Wikipedia - version of the 11/25/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.