Hacker News new | ask | show | jobs
by terminalserver 1842 days ago
The thing I love most about caddy is it automatically does all the SSL certificate garbage which is so painful in every other web server ever. Yes certbot makes it less painful but it’s still a big PITA, unlike caddy where SSL is just like magic.
2 comments

And zero dependencies!

This might solve my problem with older servers that no longer support the latest SSL.

I really need to upgrade those rickety old machines.

I suppose you mean zero runtime dependencies? It seems to have a few dozen build dependencies.

Runtime dependencies create a nuisance as you have to update several things together. On the other hand, they can allow components with separate update cycles and responsibilities to be updated separately.

Build dependencies create maintainability and security problems. They can also solve maintainability and security problems. It depends on what your consideration is. But as a matter of practice, many developers seem so concerned with possible behavioral/API breakage that they like to pin to specific versions of their dependencies, which now means that you aren't getting any security fixes.

(Technically, Althttpd doesn't achieve zero runtime dependencies in comparison to a modern http server that does HTTPS, because it requires a separate program to terminate TLS. But these connect through general mechanisms that are much easier to combine and update separately.)

Everyone has to make a judgement about how they maintain their own systems, but being excited about "zero (runtime) dependencies!" isn't the way the judgement concludes.

You mean zero runtime deps because it pulls a lot of stuff when it does get built. Still great but I'd use traefik for more than 10 sites.
Caddy can serve thousands of sites without a sweat. What are your concerns exactly?
The webui based config helps for lots of sites and my clients can do it themselves without bothering me.
The only thing I don't really know how to do with it is round robin DNS for many servers with LetsEncrypt HTTPS.

It feels like then I'd probably need either shared storage for the certificate files (which goes against the idea of decentralization somewhat) or to use a DNS challenge type.

Anyone have experience with something like that?

Shared storage is the solution. Caddy supports multiple different storage backends (filesystem by default, and Redis, Consul, DynamoDB via plugins) and uses the storage to write locks so that one instance of Caddy can initiate the ACME order, and another can solve the challenge. See the docs: https://caddyserver.com/docs/automatic-https#storage
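
The comment above describes two things shared storage buys a cluster behind round-robin DNS: the node that receives the CA's validation request can find the challenge token another node published, and a storage-level lock stops two nodes issuing the same certificate at once. The toy model below is an added example written for this thread, not Caddy code: the `Storage`, `Node` classes and the key names (`acme/challenge/...`, `issue_cert/...`, `certificates/...`) are constructed for illustration and do not reflect Caddy's real storage layout. It runs the same issuance twice, once with each node holding only local storage and once with both sharing one backend, and shows which case lets the challenge succeed.

```python
"""Toy model of why a Caddy cluster behind round-robin DNS needs shared
certificate storage. Constructed example, not Caddy code; key names are
made up for illustration."""
import secrets
import threading


class Storage:
    """Key/value store with an atomic lock primitive, standing in for a
    storage backend (filesystem, Redis, Consul, ...)."""

    def __init__(self):
        self._data = {}
        self._locks = set()
        self._mu = threading.Lock()

    def store(self, key, value):
        with self._mu:
            self._data[key] = value

    def load(self, key):
        with self._mu:
            return self._data.get(key)

    def lock(self, name):
        """Create-if-absent: only one caller wins the lock."""
        with self._mu:
            if name in self._locks:
                return False
            self._locks.add(name)
            return True

    def unlock(self, name):
        with self._mu:
            self._locks.discard(name)


class Node:
    """One server instance; it sees only its own storage object."""

    def __init__(self, name, storage):
        self.name = name
        self.storage = storage

    def begin_order(self, domain):
        """Start an ACME order: take the per-domain lock, then publish the
        HTTP-01 token so any peer can answer the CA's validation request."""
        if not self.storage.lock(f"issue_cert/{domain}"):
            return None  # a peer is already issuing; do not start a duplicate
        token = secrets.token_hex(8)
        self.storage.store(f"acme/challenge/{domain}", token)
        return token

    def serve_challenge(self, domain):
        """Answer /.well-known/acme-challenge/... from what this node can see."""
        return self.storage.load(f"acme/challenge/{domain}")

    def finish_order(self, domain, cert):
        self.storage.store(f"certificates/{domain}", cert)
        self.storage.unlock(f"issue_cert/{domain}")


def issue_behind_dnsrr(shared, domain="example.test"):
    """Node A starts the order; DNS round-robin sends the CA's validation
    request to node B. Returns True only if B can complete the challenge
    and afterwards sees the issued certificate."""
    store_a = Storage()
    store_b = store_a if shared else Storage()
    a, b = Node("a", store_a), Node("b", store_b)

    token = a.begin_order(domain)
    if b.serve_challenge(domain) != token:
        a.storage.unlock(f"issue_cert/{domain}")  # validation failed
        return False
    a.finish_order(domain, f"cert-for-{domain}")
    return b.storage.load(f"certificates/{domain}") == f"cert-for-{domain}"


def duplicate_order_blocked(domain="example.test"):
    """With shared storage the lock stops a second node issuing concurrently."""
    store = Storage()
    a, b = Node("a", store), Node("b", store)
    first = a.begin_order(domain)
    return first is not None and b.begin_order(domain) is None


if __name__ == "__main__":
    print("shared storage:", issue_behind_dnsrr(True))
    print("local storage:", issue_behind_dnsrr(False))
    print("duplicate order blocked:", duplicate_order_blocked())
```

The local-storage run fails because the validation request lands on a node that never saw the token; the shared-storage run succeeds and also leaves the certificate visible to every node, which is what lets the other instances serve HTTPS without each ordering their own certificate.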

I'm doing this exact thing, with the Redis plugin behind DNSRR and it works seamlessly.