Caddy recommends “using our official package for your distro”, and for Debian flavors they include the basic instructions you’d expect.


The easiest way to configure Caddy is by editing the Caddyfile and reloading the service:

sudo vi /etc/caddy/Caddyfile
sudo systemctl reload caddy.service


You define websites with a block that includes a root and the file_server directive. Once you reload, and assuming you already have the DNS in place, Caddy will reach out to Let’s Encrypt, acquire a certificate, and automatically forward from port 80 to 443.

# example.com is a placeholder for your site's address
example.com {
    root * /var/www/
    file_server
}


You can add basicauth to a site by creating a hash and adding a directive to the site.

caddy hash-password

# example.com is a placeholder for your site's address
example.com {
    root * /var/www/
    basicauth {
        allen SomeBigLongStringFromTheCaddyHashPasswordCommand
    }
}

Reverse Proxy

Caddy also makes a decent reverse proxy.

# example.com is a placeholder for your site's address
example.com {
    reverse_proxy * http://some.server.lan:8080
}

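You can also take advantage of path-based reverse proxy. Note the rewrite to accommodate a potentially missing trailing slash.

# example.com is a placeholder for your site's address
example.com {
    rewrite /audiobooks /audiobooks/
    # handle_path already strips the matched /audiobooks prefix before proxying
    handle_path /audiobooks/* {
        uri strip_prefix /audiobooks/
        reverse_proxy * http://some.server.lan:8080
    }
}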

Include Blocks

You can define common elements at the top and include them on multiple sites. This helps when you have many sites.

(logging) {
    log {
        output file /var/log/caddy/access.log
    }
}

# example.com is a placeholder for your site's address
example.com {
    import logging
    reverse_proxy * http://some.server.lan:8080
}


Caddy is a single binary, so when adding a new module (aka feature) you are essentially downloading a new version that has it compiled in. You can find the list of packages at their download page.

Do this at the command line with caddy itself.

sudo caddy add-package
systemctl restart caddy


Drop Unknown Domains

Caddy will accept connections to port 80, announce that it’s a Caddy web server and redirect you to HTTPS before realizing it doesn’t have a site or cert for you. Configure this directive at the bottom so it drops such connections immediately.

http:// {
    # abort closes the connection without sending a response
    abort
}
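One way to check that unknown hosts really are dropped on port 80, as an added example that is not from the original page: it sends a plain-HTTP request with a Host name the server does not serve and reports whether a redirect and Server header came back or nothing at all. The names `probe_http` and `start_stand_in` and the host names are assumptions for illustration, and the stand-in is a constructed local server imitating the two behaviours, not Caddy.

```python
import socket
import socketserver
import threading

def probe_http(addr, port, host, timeout=3.0):
    """Send one plain-HTTP request for `host` and report what comes back.

    Returns None when the connection is closed or reset before any byte
    arrives (a dropped request), else the status code and the Server and
    Location headers.
    """
    data = b""
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except (ConnectionResetError, BrokenPipeError):
        pass
    if not data:
        return None
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return {"status": int(lines[0].split()[1]), "server": hdrs.get("server"),
            "location": hdrs.get("location")}

def start_stand_in(known_host, drop_unknown):
    """Constructed local server imitating both behaviours (it is not Caddy)."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            self.rfile.readline()  # request line
            host = self.rfile.readline().decode().split(":", 1)[1].strip()
            while self.rfile.readline() not in (b"\r\n", b""):
                pass  # skip the remaining request headers
            if drop_unknown and host != known_host:
                return  # close without writing a response
            self.wfile.write(("HTTP/1.1 308 Permanent Redirect\r\nServer: Caddy\r\n"
                              f"Location: https://{host}/\r\nContent-Length: 0\r\n\r\n").encode())
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

if __name__ == "__main__":
    for drop in (False, True):
        port = start_stand_in("example.com", drop)
        print("drop_unknown =", drop, "->", probe_http("127.0.0.1", port, "unknown.invalid"))
```

Against your own server, call `probe_http` with its address, port 80 and a host name you do not serve; `None` means the request was dropped.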


Caddy runs as its own user and is fairly memory-safe, but installing CrowdSec helps identify some types of intrusion attempts.



You can test your config file and look at the logs like so:

caddy validate --config /etc/caddy/Caddyfile
journalctl --no-pager -u caddy

Last modified April 9, 2024: restructure (100ef14)