Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS https://caddyserver.com
Find a file
tomholford 43adbee168 caddyhttp, reverseproxy: gate WebTransport behind enable_webtransport server flag
steadytao raised an architectural concern in review of #7669: the PR
put experimental WebTransport handling directly into Caddy's core
HTTP/3 accept path, so every HTTP/3 deployment paid for the feature
whether or not they used it.

Collapse the enablement surface to a single server-level opt-in that
matches Caddy's existing precedent for protocol-level features
(`protocols`, `allow_0rtt`, `enable_full_duplex`), and detect the
request shape at the handler the same way `reverse_proxy` detects a
WebSocket upgrade today — no per-handler config flag.

Core HTTP/3 path changes (modules/caddyhttp/server.go):
  * New `EnableWebTransport bool` field on Server, marked EXPERIMENTAL.
  * buildHTTP3Server now only calls webtransport.ConfigureHTTP3Server
    and sets EnableStreamResetPartialDelivery when the flag is true.
    When false, the constructed http3.Server is bit-for-bit identical
    to the pre-WebTransport implementation.
  * wtServer is constructed only when the flag is true.
  * serveH3AcceptLoop falls back to http3.Server.ServeListener when
    the flag is false — no varint peek, no per-connection dispatch.

Caddyfile wiring (caddyconfig/httpcaddyfile/serveroptions.go):
  * New `enable_webtransport` global server option, modeled on
    `enable_full_duplex`.

Reverse-proxy simplifications (modules/caddyhttp/reverseproxy/):
  * Removed HTTPTransport.WebTransport field and its Provision-time
    exclusivity check (no longer needed; H3 is validated separately).
  * Removed the `webtransport` Caddyfile subdirective under
    `transport http { }` — this neutralizes the prior commit that
    introduced it.
  * Removed Handler.webtransportEnabled cache. ServeHTTP now branches
    on isWebTransportExtendedConnect(r) alone, matching how the
    WebSocket upgrade branch works.
  * serveWebTransport gains fail-fast guards with clear errors when
    the parent server has enable_webtransport=false or when the
    handler's transport does not include HTTP/3.

Tests:
  * Existing TestServer_BuildHTTP3ServerEnablesWebTransport now sets
    EnableWebTransport=true explicitly; new
    TestServer_BuildHTTP3ServerWithoutWebTransport locks in the
    regression guard that flag-off produces the pre-PR http3.Server.
  * Integration tests updated: enable_webtransport: true added to
    every H3 server block; "webtransport": true dropped from the
    reverse_proxy transport JSON (auto-detected now).
  * Caddyfile adapt test for the deleted `webtransport` subdirective
    is removed; `enable_webtransport` is added to the existing
    global_server_options_single adapt test alongside its peers.

No runtime behavior change when enable_webtransport is false. Diff
against master on the core HTTP/3 path is effectively zero in that
configuration.
2026-06-23 19:04:24 +09:00
.github Update human and agent contributing guidelines 2026-06-20 14:19:24 -06:00
caddyconfig caddyhttp, reverseproxy: gate WebTransport behind enable_webtransport server flag 2026-06-23 19:04:24 +09:00
caddytest caddyhttp, reverseproxy: gate WebTransport behind enable_webtransport server flag 2026-06-23 19:04:24 +09:00
cmd cmd: colored error message in WrapCommandFuncForCobra (#7760) (#7768) 2026-06-04 21:41:35 -04:00
internal admin: Redact sensitive request headers in API logs (#7578) 2026-04-17 14:56:42 -06:00
modules caddyhttp, reverseproxy: gate WebTransport behind enable_webtransport server flag 2026-06-23 19:04:24 +09:00
notify notify: implement windows service status and error notifications (#7389) 2025-12-12 07:56:30 -05:00
.editorconfig caddytest: Rename adapt tests to *.caddyfiletest extension (#6119) 2024-02-21 00:37:40 +00:00
.gitattributes chore: Add .gitattributes to force *.go to LF (#4919) 2022-07-29 08:46:45 -04:00
.gitignore gitignore: Add rule for caddyfile.go (#6225) 2024-04-07 02:30:00 +00:00
.golangci.yml chore: Enable modernize linter (#7519) 2026-02-26 14:01:35 -07:00
.goreleaser.yml chore: Disable windows/arm build target (Go 1.26 disabled) (#7503) 2026-02-20 22:47:21 +00:00
.pre-commit-config.yaml chore: apply security best practices for CI (#7066) 2025-06-16 20:14:09 +00:00
admin.go metrics: Add nil check for metricsHandler in AdminMetrics.serveHTTP (#7553) 2026-05-11 17:27:03 -06:00
admin_test.go metrics: Add nil check for metricsHandler in AdminMetrics.serveHTTP (#7553) 2026-05-11 17:27:03 -06:00
AGENTS.md Update human and agent contributing guidelines 2026-06-20 14:19:24 -06:00
AUTHORS Add authors file 2019-06-30 16:06:24 -06:00
caddy.go metrics: Add nil check for metricsHandler in AdminMetrics.serveHTTP (#7553) 2026-05-11 17:27:03 -06:00
caddy_test.go core: Check for nil event origin (#7047) 2025-06-05 19:10:08 +00:00
context.go chore: Fix golangci-lint 2.12.1 findings (#7690) 2026-05-07 03:40:26 -04:00
context_test.go chore: Bump up to Go 1.19, minimum 1.18 (#4925) 2022-08-02 16:39:09 -04:00
duration_fuzz.go core: Windows service integration (#4790) 2022-07-29 14:06:54 -06:00
filepath.go chore: make FastAbs comment more easy to understand (#6692) 2024-11-14 20:49:42 -07:00
filepath_windows.go chore: make FastAbs comment more easy to understand (#6692) 2024-11-14 20:49:42 -07:00
filesystem.go core: Implement FastAbs to avoid repeated os.Getwd calls (#6687) 2024-11-13 03:55:51 -05:00
go.mod caddyhttp: advertise WebTransport in HTTP/3 SETTINGS 2026-06-23 19:04:23 +09:00
go.sum caddyhttp: advertise WebTransport in HTTP/3 SETTINGS 2026-06-23 19:04:23 +09:00
LICENSE Add license 2019-06-30 16:07:58 -06:00
listen.go listeners: clean up stale Unix socket files on Windows (#7676) 2026-04-29 21:52:04 +10:00
listen_reuseUnixSocket.go listeners: clean up stale Unix socket files on Windows (#7676) 2026-04-29 21:52:04 +10:00
listen_reuseUnixSocket_windows.go listeners: clean up stale Unix socket files on Windows (#7676) 2026-04-29 21:52:04 +10:00
listen_unix.go chore: Use atomics where appropriate (#7648) 2026-04-25 03:47:54 -04:00
listen_unix_setopt.go Switch Solaris-derivatives away from listen_unix (#6021) 2024-01-06 05:09:20 -05:00
listen_unix_setopt_freebsd.go core: Use SO_REUSEPORT_LB on FreeBSD (#5554) 2023-05-23 10:56:00 -06:00
listeners.go caddyhttp: add terminating WebTransport handler 2026-06-23 19:04:23 +09:00
listeners_fuzz.go core: Windows service integration (#4790) 2022-07-29 14:06:54 -06:00
listeners_test.go core: propagate ECH keys to the QUIC listener (#7670) 2026-04-23 13:33:41 -06:00
logging.go logging: Adjustments to BufferedLog to keep logs in the correct order (#7257) 2025-09-15 09:29:50 -06:00
logging_test.go log: default logger should respect {in,ex}clude (#6995) 2025-05-06 22:06:09 +00:00
metrics.go metrics: scope metrics to active config, add optional per-host metrics (#6531) 2024-10-02 08:23:26 -06:00
modules.go core: Show JSON error offsets where possible (#7437) 2026-01-14 22:54:19 -05:00
modules_test.go Couple of minor fixes, update readme 2019-12-31 22:51:55 -07:00
README.md readme: Update logo 2026-06-16 23:39:45 -06:00
replacer.go perf(replacer): optimize memory allocation for file placeholders (#7773) 2026-05-27 14:20:33 +00:00
replacer_fuzz.go core: Windows service integration (#4790) 2022-07-29 14:06:54 -06:00
replacer_test.go use a more modern writing style to simplify code (#7182) 2025-08-20 11:41:21 -06:00
service_windows.go ci: use gci linter (#5708) 2023-08-14 09:41:15 -06:00
sigtrap.go go.mod: Upgrade CertMagic to v0.16.0 2022-03-25 11:28:54 -06:00
sigtrap_nonposix.go core: Windows service integration (#4790) 2022-07-29 14:06:54 -06:00
sigtrap_posix.go core: Reloading with SIGUSR1 if config never changed via admin (#7258) 2025-09-26 16:50:15 +00:00
storage.go pki: Add trust subcommand to install root cert (closes #3204) 2020-03-31 17:56:36 -06:00
usagepool.go chore: Use atomics where appropriate (#7648) 2026-04-25 03:47:54 -04:00

Caddy

a project


Every site on HTTPS

Caddy is an extensible server platform that uses TLS by default.

Releases · Documentation · Get Help

      @caddyserver on Twitter   Caddy Forum
Caddy on Sourcegraph   Cloudsmith

Powered by
CertMagic


Menu

Features

  • Easy configuration with the Caddyfile
  • Powerful configuration with its native JSON config
  • Dynamic configuration with the JSON API
  • Config adapters if you don't like JSON
  • Automatic HTTPS by default
    • ZeroSSL and Let's Encrypt for public names
    • Fully-managed local CA for internal names & IPs
    • Can coordinate with other Caddy instances in a cluster
    • Multi-issuer fallback
    • Encrypted ClientHello (ECH) support
  • Stays up when other servers go down due to TLS/OCSP/certificate-related issues
  • Production-ready after serving trillions of requests and managing millions of TLS certificates
  • Scales to hundreds of thousands of sites as proven in production
  • HTTP/1.1, HTTP/2, and HTTP/3 all supported by default
  • Highly extensible modular architecture lets Caddy do anything without bloat
  • Runs anywhere with no external dependencies (not even libc)
  • Written in Go, a language with higher memory safety guarantees than other servers
  • Actually fun to use
  • So much more to discover

Install

The simplest, cross-platform way to get started is to download Caddy from GitHub Releases and place the executable file in your PATH.

See our online documentation for other install instructions.

Build from source

Requirements:

For development

Note: These steps will not embed proper version information. For that, please follow the instructions in the next section.

$ git clone "https://github.com/caddyserver/caddy.git"
$ cd caddy/cmd/caddy/
$ go build

When you run Caddy, it may try to bind to low ports unless otherwise specified in your config. If your OS requires elevated privileges for this, you will need to give your new binary permission to do so. On Linux, this can be done easily with: sudo setcap cap_net_bind_service=+ep ./caddy

If you prefer to use go run which only creates temporary binaries, you can still do this with the included setcap.sh like so:

$ go run -exec ./setcap.sh main.go

If you don't want to type your password for setcap, use sudo visudo to edit your sudoers file and allow your user account to run that command without a password, for example:

username ALL=(ALL:ALL) NOPASSWD: /usr/sbin/setcap

replacing username with your actual username. Please be careful and only do this if you know what you are doing! We are only qualified to document how to use Caddy, not Go tooling or your computer, and we are providing these instructions for convenience only; please learn how to use your own computer at your own risk and make any needful adjustments.

Then you can run the tests in all modules or a specific one:

$ go test ./...
$ go test ./modules/caddyhttp/tracing/

With version information and/or plugins

Using our builder tool, xcaddy...

$ xcaddy build

...the following steps are automated:

  1. Create a new folder: mkdir caddy
  2. Change into it: cd caddy
  3. Copy Caddy's main.go into the empty folder. Add imports for any custom plugins you want to add.
  4. Initialize a Go module: go mod init caddy
  5. (Optional) Pin Caddy version: go get github.com/caddyserver/caddy/v2@version replacing version with a git tag, commit, or branch name.
  6. (Optional) Add plugins by adding their import: _ "import/path/here"
  7. Compile: go build -tags=nobadger,nomysql,nopgx

Quick start

The Caddy website has documentation that includes tutorials, quick-start guides, reference, and more.

We recommend that all users -- regardless of experience level -- do our Getting Started guide to become familiar with using Caddy.

If you've only got a minute, the website has several quick-start tutorials to choose from! However, after finishing a quick-start tutorial, please read more documentation to understand how the software works. 🙂

Overview

Caddy is most often used as an HTTPS server, but it is suitable for any long-running Go program. First and foremost, it is a platform to run Go applications. Caddy "apps" are just Go programs that are implemented as Caddy modules. Two apps -- tls and http -- ship standard with Caddy.

Caddy apps instantly benefit from automated documentation, graceful on-line config changes via API, and unification with other Caddy apps.

Although JSON is Caddy's native config language, Caddy can accept input from config adapters which can essentially convert any config format of your choice into JSON: Caddyfile, JSON 5, YAML, TOML, NGINX config, and more.

The primary way to configure Caddy is through its API, but if you prefer config files, the command-line interface supports those too.

Caddy exposes an unprecedented level of control compared to any web server in existence. In Caddy, you are usually setting the actual values of the initialized types in memory that power everything from your HTTP handlers and TLS handshakes to your storage medium. Caddy is also ridiculously extensible, with a powerful plugin system that makes vast improvements over other web servers.

To wield the power of this design, you need to know how the config document is structured. Please see our documentation site for details about Caddy's config structure.

Nearly all of Caddy's configuration is contained in a single config document, rather than being scattered across CLI flags and env variables and a configuration file as with other web servers. This makes managing your server config more straightforward and reduces hidden variables/factors.

Full documentation

Our website has complete documentation:

https://caddyserver.com/docs/

The docs are also open source. You can contribute to them here: https://github.com/caddyserver/website

Getting help

  • We advise companies using Caddy to secure a support contract through Ardan Labs before help is needed.

  • A sponsorship goes a long way! We can offer private help to sponsors. If Caddy is benefitting your company, please consider a sponsorship. This not only helps fund full-time work to ensure the longevity of the project, it provides your company the resources, support, and discounts you need; along with being a great look for your company to your customers and potential customers!

  • Individuals can exchange help for free on our community forum at https://caddy.community. Remember that people give help out of their spare time and good will. The best way to get help is to give it first!

Please use our issue tracker only for bug reports and feature requests, i.e. actionable development items (support questions will usually be referred to the forums).

About

Matthew Holt began developing Caddy in 2014 while studying computer science at Brigham Young University. (The name "Caddy" was chosen because this software helps with the tedious, mundane tasks of serving the Web, and is also a single place for multiple things to be organized together.) It soon became the first web server to use HTTPS automatically and by default, and now has hundreds of contributors and has served trillions of HTTPS requests.

The name "Caddy" is trademarked. The name of the software is "Caddy", not "Caddy Server" or "CaddyServer". Please call it "Caddy" or, if you wish to clarify, "the Caddy web server". Caddy is a registered trademark of Stack Holdings GmbH.

Caddy is a project of ZeroSSL, an HID Global company.

Debian package repository hosting is graciously provided by Cloudsmith. Cloudsmith is the only fully hosted, cloud-native, universal package management solution, that enables your organization to create, store and share packages in any format, to any place, with total confidence.