    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
    sudo apt update
    sudo apt install caddy

    dnf install 'dnf-command(copr)'
    dnf copr enable @caddy/caddy
    dnf install caddy

    pacman -Syu caddy

    brew install caddy

Chocolatey:

    choco install caddy

Scoop:

    scoop install caddy

Package name: caddy
NixOS module: services.caddy

In Termux:

    pkg install caddy

Webi

Linux and macOS:

    curl -sS https://webi.sh/caddy | sh

Windows:

    curl.exe https://webi.ms/caddy | powershell

Ansible

    ansible-galaxy install nvjacobo.caddy

    docker pull caddy

Make sure to have git and the latest version of Go installed.

    git clone "https://github.com/caddyserver/caddy.git"
    cd caddy/cmd/caddy/
    go build

xcaddy is a command line tool that helps you build Caddy with plugins. A basic build looks like:

    xcaddy build

To build with plugins, use --with:

    xcaddy build \
        --with github.com/caddyserver/nginx-adapter \
        --with github.com/caddyserver/ntlm-transport@v0.1.1

Obtain a Caddy binary:

- from releases on GitHub (expand "Assets"). Refer to Verifying Asset Signatures for how to verify the asset signature.
- from our download page
- by building from source (either with go or xcaddy)

Install Caddy as a system service. This is strongly recommended, especially for production servers.

Place the binary in one of your $PATH (or %PATH% on Windows) directories so you can run caddy without typing the full path of the executable file. (Run echo $PATH to see the list of directories that qualify.)

You can upgrade static binaries by replacing them with newer versions and restarting Caddy. The caddy upgrade command can make this easy.
On-demand TLS is designed for situations when you either don't control the domain names, or you have too many certificates to load all at once when the server starts. For every other use case, standard TLS automation is likely better suited.

In order to prevent abuse, you must first configure an ask endpoint so Caddy can check whether it should get a certificate. Add this to your global options at the top:

    {
        on_demand_tls {
            ask http://localhost:5555/check
        }
    }

Change that endpoint to be something you've set up that will respond with HTTP 200 if the domain given in the domain= query parameter is allowed to have a certificate.

Then create a site block that serves all sites/hosts on the TLS port:

    https:// {
        tls {
            on_demand
        }
    }

This is the minimum config to enable Caddy to accept and service TLS connections for arbitrary hosts. This config doesn't invoke any handlers. Usually you'll also reverse_proxy to your backend application.

Examples

This page may soon be developed into a community-maintained set of examples. For now, please refer to the examples posted in the wiki on our community forum. Feel free to search the wiki category for something specific.