User Guide

tls

tls configures HTTPS connections. Since HTTPS is enabled automatically, this directive should only be used to deliberately override default settings. Use with care, if at all.

Caddy supports SNI (Server Name Indication), so you can serve multiple HTTPS sites from the same port on your machine. In addition, Caddy implements OCSP stapling for all qualifying certificates. Caddy also automatically rotates all TLS session ticket keys periodically.

The tls directive will ignore sites that are explicitly defined to be http:// or are on port 80. This allows you to use the tls directive in a server block that is shared with both HTTP and HTTPS sites.

If not all the hostnames are not known when starting the server, you can use the On-Demand TLS feature, which issues certificates during the TLS handshake rather than at startup.

Syntax

Disables TLS for the site. Not recommended unless you have a good reason. With TLS off, automatic HTTPS is also disabled, so the default port (2015) will not be changed.

• email is the email address to use with which to generate a certificate with a trusted CA. By providing an email here you will not be prompted when you run Caddy.

Although the above syntax is not needed to enable TLS, it allows you to specify the email address used for your CA account, instead of prompting for one or using another one from a previous run.

To use Caddy with your own certificate and key:

• cert is the certificate file. If the certificate is signed by a CA, this certificate file should be a bundle: a concatenation of the server's certificate followed by the CA's certificate (root certificate usually not necessary).
• key is the server's private key file which matches the certificate file.

You can use this directive multiple times to specify multiple certificate and key pairs.

Or to have Caddy generate and use an untrusted, self-signed certificate in memory:

The above syntaxes use Caddy's default TLS settings with your own certificate and key or a self-signed certificate, which should be sufficient in most cases.

Advanced users may open a settings block for more control, optionally specifying their own certificate and key:

• cert and key are the same as above.
• protocols specifies the minimum and maximum protocol versions to support. See below for valid values. If min and max are the same, it need only be specified once.
• ciphers is a list of space-separated ciphers that will be supported, overriding the defaults. If you list any, only the ones you specify will be allowed and preferred in the order given. See below for valid values.
• curves is a list of space-separated curves that will be supported in the given order, overriding the defaults. Valid curves are listed below.
• clients is a list of space-separated client root CAs used for verification during TLS client authentication. If used, clients will be asked to present their certificate by their browser, which will be verified against this list of client certificate authorities. A client will not be allowed to connect if their certificate was not signed by one of these root CAs. Note that this setting applies to the entire listener, not just a single site. You may modify the strictness of client authentication using one of the keywords before the list of client CAs:
  • request merely asks a client to provide a certificate, but will not fail if none is given or if an invalid one is presented.
  • require requires a client certificate, but will not verify it.
  • verify_if_given will not fail if none is presented, but reject all that do not pass verification.
  • The default, if no flag is set but a CA file found, is to do both: to require client certificates and validate them.
• load is a directory from which to load certificates and keys. The entire directory and its subfolders will be walked in search of .pem files. Each .pem file must contain the PEM-encoded certificate (chain) and key blocks, concatenated together.
• max_certs enables On-Demand TLS, which obtains certificates during the first handshake requiring it rather than at startup. This is NOT recommended if the full hostname is given in the Caddyfile and known at startup! The limit value restricts the number of certificates allowed to be issued on demand (during TLS handshake) for this site. It must be a positive integer. This value gets reset after the process exits (but is preserved through reloads).
• key_type is the type of key to use when generating keys for certificates (only applies to managed or TLS or self-signed certificates). Valid values are rsa2048, rsa4096, rsa8192, p256, and p384. Default is currently rsa2048.
• dns is the name of a DNS provider; specifying it enables the DNS challenge. Note that you need to give credentials for it to work.
• alpn is a list of space-separated protocols to use for Application-Layer Protocol Negotiation (ALPN). For HTTPS servers, HTTP versions can be enabled/disabled with this setting. Default is h2 http/1.1.
• must_staple enables Must-Staple for managed certificates. Use with care.

Protocols

The following protocols are supported, in descending order of preference:

• tls1.2 (default max)
• tls1.1 (default min)
• tls1.0

Note that setting the minimum protocol version too high will restrict the clients which are able to connect, but with the benefit of better privacy.

Supported protocols and default protocol versions may be changed at any time.

Cipher Suites

The following cipher suites are currently supported:

• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-WITH-CHACHA20-POLY1305
• ECDHE-RSA-WITH-CHACHA20-POLY1305
• ECDHE-RSA-AES256-CBC-SHA
• ECDHE-RSA-AES128-CBC-SHA
• ECDHE-ECDSA-AES256-CBC-SHA
• ECDHE-ECDSA-AES128-CBC-SHA
• RSA-AES256-CBC-SHA
• RSA-AES128-CBC-SHA
• ECDHE-RSA-3DES-EDE-CBC-SHA
• RSA-3DES-EDE-CBC-SHA

Note: The HTTP/2 spec blacklists over 275 cipher suites for security reasons. Unless you know what you're doing, it's best to accept the default cipher suite settings.

Cipher suites may be added to or removed from Caddy at any time. Similarly, the default cipher suites may be changed at any time.

Curves

The following curves are supported for EC cipher suites:

• X25519
• p256
• p384
• p521

Examples

Remember, TLS is enabled by default, and this directive is not usually needed! These examples are for advanced users who manage certificates manually or need custom settings.

Serve with HTTPS using a certificate and private key located one folder up:

Obtain certificates during TLS handshakes as needed, with a hard limit of 10 new certificates:

Load all certificates and keys from .pem files found in /www/certificates:

Serve a site with a self-signed certificate in memory (untrusted by browsers, but convenient for local development):