December 4, 2015

Caddy 0.8 Released with Let's Encrypt Integration

By Matt Holt

Today, I'm very excited to announce Caddy 0.8! It features automatic HTTPS, zero-downtime restarts, and the ability to embed Caddy in your own Go programs.

Today, Internet users are threatened with mass surveillance and invasive packet tampering which undermines our privacy and destroys the integrity of what we read. Encryption can keep the Web safe and reliable if it's used everywhere, but this will never happen while site owners need extra financial and technical means to employ encryption if they can run their site more easily without it.

That is why, effective this release, Caddy will automatically serve all live sites over HTTPS without user intervention. Caddy is the first general-purpose web server to default to HTTPS, fully manage all relevant cryptographic assets for you, and configure itself to redirect HTTP to HTTPS. Check it out, with real footage of a real site in real time:

It is important for all sites, in their entirety, to use HTTPS. A site does not need to collect sensitive information to merit encryption. If only sensitive transmissions are encrypted, it instantly flags those transmissions as sensitive. And without HTTPS, it is effectively impossible to tell if content was modified on its way to your computer. Tracking code can be injected. Your network activities can be collected and mined by government and corporate agencies. Both users and site owners are subject to attack.

Any site owner using Caddy 0.8 can encrypt without extra effort, money, or technical knowledge. It works on every platform and has no dependencies. I and all the contributors who made this possible hope you enjoy this new, effortless way to use HTTPS.

To show just how easy and automatic this is, run Caddy with a one-line Caddyfile:

yoursite.com

Or just run Caddy like this:

$ caddy -host yoursite.com

And you will see, after a few seconds, that your site is served with HTTPS. (Of course, Caddy must be able to bind to ports 80 and 443.)

Let's Encrypt

Caddy's certificate authority of choice is Let's Encrypt. Using the ACME protocol, Caddy generates keys, obtains certificates, and renews them for you automatically, for free.

To make this possible, Caddy may ask for an email address if one is not already available. This is not required, but is strongly recommended to recover your account in the event you lose your key. Also, you may be asked to agree to the Let's Encrypt Subscriber Agreement. You can bypass both prompts by using the -email and -agree command line flags.

If you already have your own certificates and keys, you can continue to use them by specifying them in the Caddyfile as you have always done before (with the tls directive). For more information, read the page about automatic HTTPS.
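Once a site is up, the thing worth checking periodically is that the certificate Caddy obtained is actually being renewed. The Go program below is an added example, not code from Caddy or this post: it connects to the site, lets the TLS handshake verify the chain against the system roots, and fails if the leaf certificate is expired, not yet valid, or inside an assumed 30-day renewal window (Let's Encrypt certificates are valid for 90 days).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"time"
)

// Let's Encrypt certificates are valid for 90 days and Caddy renews them on
// its own, so a leaf with fewer than 30 days left (assumed threshold) means
// automatic renewal is not happening and the site will soon go dark.
const renewWarn = 30 * 24 * time.Hour

// CertHeadroom returns the time left before leaf expires. It returns an error
// when leaf is not valid at now, or when the remaining time is below renewWarn.
func CertHeadroom(leaf *x509.Certificate, now time.Time) (time.Duration, error) {
	if now.Before(leaf.NotBefore) || !now.Before(leaf.NotAfter) {
		return 0, fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	left := leaf.NotAfter.Sub(now)
	if left < renewWarn {
		return left, fmt.Errorf("only %s left before expiry; check that renewal is working", left)
	}
	return left, nil
}

func main() { // usage: certcheck yoursite.com   (needs network access)
	host := os.Args[1]
	// A nil config makes tls.Dial verify the chain against the system roots
	// and check that the certificate covers host, so a bad chain fails here.
	conn, err := tls.Dial("tcp", host+":443", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	leaf := conn.ConnectionState().PeerCertificates[0]
	conn.Close()
	left, err := CertHeadroom(leaf, time.Now())
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", host, err)
		os.Exit(1)
	}
	fmt.Printf("%s: issued by %q, valid for %d more days\n",
		host, leaf.Issuer.CommonName, int(left.Hours()/24))
}
```

Run it from cron against each site Caddy serves; a non-zero exit is the signal to look at Caddy's process log before the certificate lapses.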

Graceful Restarts

In order to support automated certificate renewals, we needed a way to restart the server. Caddy restarts on its own, for example, when a certificate is renewed.

Restarts on POSIX-compliant systems are graceful and incur zero downtime. Caddy will spawn a new process and get a new PID. Restarts on Windows are forceful but very quick and in-process.

Using signals, you can trigger Caddy to reload its configuration or shut down. In a near-future version, Caddy will have an API that allows you to do this on any platform locally or remotely.

If you use the startup or shutdown directives, keep in mind that those commands are only executed when you initially start the server and when the server is shut down. They are not executed during restarts.

The caddy Package

The features continue to cascade. In order to support graceful restarts, we had to completely refactor the Caddy core. This means you can now use Caddy in your own Go programs.

It's easy to use:

package main

import (
	"log"

	"github.com/mholt/caddy/caddy"
)

func main() {
	// The package takes its configuration as a caddy.Input; CaddyfileInput
	// wraps the raw Caddyfile bytes (and the file path, if it came from a file).
	caddyfile := caddy.CaddyfileInput{Contents: []byte("localhost:2015\n")}
	newCaddyfile := caddy.CaddyfileInput{Contents: []byte("localhost:2016\n")}

	// You can start...
	err := caddy.Start(caddyfile)
	if err != nil {
		log.Fatal(err)
	}

	// restart with a new configuration...
	err = caddy.Restart(newCaddyfile)
	if err != nil {
		log.Fatal(err)
	}

	// and stop Caddy services.
	err = caddy.Stop()
	if err != nil {
		log.Fatal(err)
	}
}

Other Changes

We've made a lot of other improvements and added other features, such as a process log, mime directive, and support for environment variables in the Caddyfile. See the full change list on GitHub.

Feedback So Far

"magic... worked."

Jiahua Chen, author of Gogs

"I think this is revolutionary, putting a website automatically on https. This is sooooo easy \o/"

—Maxime Lasserre, stargraph.co

"we have a winner! You guys friggin RULE. this is huge."

Brian Ketelsen, Gopher Academy

Luit van Drongelen also wrote a great blog post about setting up his site on HTTPS with Caddy.

If you find Caddy useful or if your company is using it, please consider donating. Contributors, some of whom are students or are unemployed, volunteer their time and talents to improve Caddy. We do this out of love for helping people make great stuff for the Web.

Credits

As usual, this release was a team effort. We've had contributors from all over the world, and I'm really happy with the way our community works together. (Feel free to join the fun!)

Major props to Sebastian Erhart, author of lego, which powers Caddy's magic TLS features. We spent a lot of time trying to make this the best experience possible for you. And if you're interested in using Let's Encrypt on its own, lego is also a pure Go command line ACME client that doesn't have any external dependencies; pretty cool stuff.

In no particular order, other contributions came from Abdulelah Alfuntukh, Luit van Drongelen, Carlisia Campos, tw4452852, Abiola Ibrahim, Michael Banzon, Tatsuhiko Kubo, AJ ONeal, Patel N Dipen, Benny Ng, Dave Goodchild, Austin Cherry, Guilherme Rezende, Bisser Nedkov, Marcelo Magallon, Paulo L F Casaretto, Zac Bergquist, and Karthic Rao. (Phew!) Also props to Erik Howard, jungle-boogie, and others who helped test and debug this version of Caddy. Thanks everyone!

So, we hope you enjoy this new release that makes the Web more private and easier to use.
