[throwaway0071]

This is why I think projects like caddy/traefik shouldn't get too comfortable thinking Let's Encrypt / HTTPS support by default alone is going to differentiate them too much. They're one PR away from having their major selling point becoming irrelevant in the face of the competition.

https://news.ycombinator.com/item?id=15433463

[hannob]

Caddy is written in a memsafe language.

(I don't use caddy, but I always saw the "HTTPS by default" thing more as a nice thing to have, but not hugely important given that you can have the same with external scripts in apache or nginx. But being memsafe is the real distinguisher and one that certainly isn't reachable with a pull req in apache or nginx.)

[kuschku]

Caddy doesn’t even adhere to the URL RFCs.

The URL RFCs specifically say that a DNS name in a URL can be written relatively, or absolutely with the root zone.

These are valid URLs: https://google.com/ and https://google.com./ As you notice, both work fine. Same with every major site, and every major webserver.

Now, you’ll notice that https://caddyserver.com/ works, but https://caddyserver.com./ doesn’t. Caddy, the server, doesn’t support it, but you have to enter every domain twice manually. And caddy, the website, doesn’t support it either.

This was closed as a WONTFIX, despite every implementation of a webserver except for traefik and caddy doing it the same way.

[chrismorgan]

> Same with every major site, and every major webserver.

I last tried this a few years back (probably around 2011). I found that a substantial fraction of major sites did not support it, and a substantial fraction of those that seemed to support it produced web pages that were at least partially broken.

[kuschku]

I tried it in 2016 again, and under the alexa top million sites, I found basically all supported it, even if just with a redirect.

Mostly because nowadays every CDN, nginx, Apache2, IIS and HAProxy all support it by default.

[icebraining]

IIS might support it, but Microsoft doesn't (universally): social.technet.microsoft.com, live.com, bing.com, office.com, skype.com all fail to properly load or redirect. As does instagram.com and linkedin.com.

[chrismorgan]

It sounds like the situation has improved (if you consider it an improvement!) since then.

But did all of them function correctly? Assertions about the host are very common. Many things operate by domain whitelists, and so things like font loaders and analytics will commonly not work. Cross-origin resource loading will often break, if `*` is not used.

(Most of the things that I expect to break are unimportant, but there will still be a non-trivial number of important breakages.)

[icebraining]

Is there any actual benefit or purpose in supporting both formats?

[JdeBP]

See http://jdebp.eu./FGA/web-fully-qualified-domain-name.html .

[icebraining]

So, it's to be able to indicate that we wrote a FQDN, otherwise the DNS client, if it has a local search path, will check if it's a relative domain first.

I have to admit it's technically a benefit, but if you have a search path that resolves FQDNs as relative domains, isn't half of your software broken anyway? I can't say I've ever seen a FQDN with a dot at the end on any hardcoded or default value.

[kuschku]

> but if you have a search path that resolves FQDNs as relative domains, isn't half of your software broken anyway

That’s correct, but it shouldn’t be that way.

I should be able to have google.com resolve to google.com.local.kuschku.de in my resolver, without issue, and the actual website should use google.com.

The fact that we don’t do that today breaks many parts of the original DNS and URL RFCs.

[fulafel]

DNS software has absolute domain names in config files. In BIND zone files you have entries like "IN NS ns1.example.com." specifying the nameserver for the domain.

I bet some software implicitly uses absolute domains. URLs are just specified not to work like that.

[mholt]

What? They're not even comparable. Here are distinct advantages of all three as I see them:

- Traefik has cross-platform, highly dynamic proxying

- Apache has such widespread use and market saturation

- Caddy is the only server, even in the face of mod_md, to have fully automatic HTTPS by default

The thread you linked to has nothing to do with any of this, except that it links to this comment by myself, which preempts your claim: https://news.ycombinator.com/item?id=15433788

[throwaway0071]

They are absolutely comparable and the advantages each one have don't exclude the others from attaining the same features.

Traefik cross-platform? All others are. Highly dynamic. What does that even mean? All are "dynamic".

Apache has widespread use and market saturation... how's that the single advantage it has? It's been evolving a lot.

Caddy is the only server to have fully automatic HTTPS? How much longer mod_md get that?

I think you've missed all of my single point and kind of confirm my fears.

The link which I posted has everything to do with this discussion. It's about Caddy thinking a bad business plan will work because "caddy is the only server to have fully automatic HTTPS by default".

Last question, is Caddy thinking of hiring a CEO or sales person? I think it should.

[mholt]

> Traefik cross-platform? All others are.

Not true - (stable) mod_md builds are not yet available for all platforms.

> how's that the single advantage it has?

Where did I say it was the "single advantage"?

> Caddy is the only server to have fully automatic HTTPS? How much longer mod_md get that?

You forgot "by default" -- and probably never, not on Apache's main release tree. Or at least not for a long time.

> I think you've missed all of my single point and kind of confirm my fears.

Why are you afraid? What are you afraid of? This is literally the epitome of spreading FUD.

[throwaway0071]

> mod_md builds are not yet available for all platforms.

Do you have reason to believe they won't be? Are you betting your business on the failure of Apache to do basic release engineering?

> Where did I say it was the "single advantage"?

That's fair. Because you listed it then I think that's the "major" advantage. Is that right?

> ou forgot "by default" -- and probably never, not on Apache's main release tree. Or at least not for a long time.

Why? Let's Encrypt and HTTPS by default being something that a lot of people want, why do you think Apache will ignore that and not include mod_md in Apache "for a long time"?

Competition is good. I don't have major reasons to be afraid but I would like Caddy/Traefik and others to succeed. From the very basic mistakes they're making in coming up with a business plan, I don't think they will. And no, being open source alone is not reason enough to ensure project survival.

If you re-read your own comment, I think you're the one spreading FUD about those other projects (and their implied inability to outpace Caddy).

[Touche]

Because those projects are very conservative about making things default. Apache famously has (had now?) bad defaults that no one should use, just for compatibility reasons.

Keep in mind that caddy is not only https by default, it's HTTP/2 by default as well. How long until that is by default in Apache?

And I don't think those are even the killer features of Caddy. They are the things that drive people in, but the real killer feature is how easy it is to configure.

[rhencke]

Where do you see evidence of projects like Caddy getting too comfortable thinking Let's Encrypt/HTTPS support by default alone is going to differentiate them?

[stephenr]

The author (mholt) replied above and the 'district advantage' he identified for caddy, his own product was:

> Caddy is the only server, even in the face of mod_md, to have fully automatic HTTPS by default

In every discussion about Caddy I've seen, the same argument is made. Even when caddy would refuse to start (with valid certificates cached!) during the LE outage, the response was "but we do LE + TLS automatically".

I still don't understand the concept of Caddy. The project seems inherently aimed at hobbyist's at best based on the idea that "its too hard to enable TLS in $Competition", but similarly they provide literally zero support for actually running Caddy - no sysvinit script, no systemd unit file, NOTHING.

So tell me again who their target market is? People who can't enable TLS in <Apache/HAProxy/Hitch/Nginx> but can write a fucking unit file for systemd?

[JdeBP]

They've been publishing a systemd unit file, a van Smoorenburg rc script, a Mewburn rc script, a MacOS plist, and an upstart job file since 2016.

* https://github.com/mholt/caddy/tree/master/dist/init

[stephenr]

Ok, thats news to me.

However, I stand by the basic point I was making: the process to get caddy running is not just "apt install caddy-server", and it works.

It's quite possible you could spend more time getting caddy working from a download than you would enabling Certbot + TLS in a competing web server.

[tannhaeuser]

Don't know where you get that idea from. The reference implementation for letsencrypt has always been (a Python-based collection of scripts with auto-config, auto-update etc) for Apache httpd. A native Apache module for ACME has been proposed for some time now, and is great because the reference implementation is quite a bit too rich to run as root (and is Python 2 only I believe).

[LukeShu]

certbot, the reference ACME implementation, should work with Python 2 and 3 (it definitely works with 3; I haven't verified 2 with recent versions), and it does not require root (though the default configuration will want it).

[djsumdog]

IIRC, the last time I set it up, I stuck HAProxy in front so I could still send ACME requests to certbot, but didn't have to have it running as root. If you put its user in the HAProxy group, it can write the certs as 640. If you want to be really secure, you create SELinux or Apparmor policies as well.

[stephenr]

I use a HAProxy + Certbot too (with a certbot "hook" script that builds the .pem for HAproxy AND downloads the OCSP staples from LE).

As a bonus, you can have zero downtime renewals and use the TLS-SNI challenge, rather than relying on the "it's probably safe but it still feels wrong" http challenge.