Migrating to Caddy 2

Mattias Geniar, April 10, 2020

Last week, the first Release Candidate of Caddy 2 saw the light of day. I don’t usually like to run production environments on beta software, but for Caddy I wanted to make an exception.

$ caddy version
v2.0.0-rc.2 h1:7NOaxYrsnQ5D3rcLGn2UnLZHLfBpgrfM/JNTLhjCJ1c=

If you’re reading this post, it’s now being served by Caddy 2. If you can’t read it because you’re getting TLS errors or exceptions, well … then this is Schrödinger’s Blogpost. 😬

Changes in syntax & config

Caddy has some of the cleanest documentation I’ve ever seen in an open source project. Their upgrade guide covered all the necessities for me.

In total, this was the diff for this particular site.

The document root directive changed, static file serving now has to be enabled explicitly, and the gzip directive was renamed:

ma.ttias.be {
-   root /var/www/html/ma.ttias.be/public
-   gzip
+   root * /var/www/html/ma.ttias.be/public
+   file_server
+   encode zstd gzip

    [...]
}
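Review bot: the order in `encode zstd gzip` is the preference order, so a client that advertises both in Accept-Encoding gets zstd; swap the two if you would rather serve gzip first. Also worth noting for anyone copying this: `file_server` on its own does not enable directory listings (that needs the `browse` sub-directive), so the new line only serves files under the `root` given with the `*` matcher.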

Furthermore, the logging syntax has changed, since the default is now a structured JSON log.

ma.ttias.be {
    [...]

-   log / /var/www/html/ma.ttias.be/logs/access.log "{combined}" {
-     rotate_size 200
-     rotate_age 14
-     rotate_keep 14
-     rotate_compress
-   }
+   log {
+     output file         /var/www/html/ma.ttias.be/logs/access.log
+     format single_field common_log
+   }
}
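Review bot: the v1 rotation settings (`rotate_size 200`, `rotate_age 14`, `rotate_keep 14`, `rotate_compress`) are dropped rather than translated. Caddy 2's `output file` rolls logs by default, but with its own defaults (100 MiB per file, keep 10 files, keep for 90 days; rolled files are compressed). To keep the old limits, add `roll_size 200MiB`, `roll_keep 14` and `roll_keep_for 336h` inside the `output file { ... }` block. Otherwise the access log will grow past what the old config allowed before it rolls, and old files are retained far longer.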

None of these are groundbreaking changes.

HTTP/3 and TLS 1.3

I added one extra config to the new Caddyfile:

{
    experimental_http3
}

Hooray, this blog is now served via HTTP/3 (technically: h3-27). 🥳

The response headers advertise that there is an alternative protocol on which this site can be reached:

$ curl -I https://ma.ttias.be
HTTP/2 200
accept-ranges: bytes
alt-svc: h3-27=":443"; ma=2592000
[...]

That’s what the alt-svc (alternative service) header is for.
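The value Caddy sends follows the Alt-Svc syntax from RFC 7838. As an added example that is not part of the original post or of Caddy itself, here is a small parser for that header, going a little beyond the single value above: it also handles several comma-separated alternatives, the `persist` parameter, and the `clear` value that tells clients to forget cached alternatives.

```python
"""Parse an HTTP Alt-Svc header value (RFC 7838), e.g. the one Caddy 2 sends
when HTTP/3 is enabled:  alt-svc: h3-27=":443"; ma=2592000"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote


@dataclass
class AltService:
    protocol: str          # ALPN protocol id, e.g. "h3-27"
    host: str              # "" means "same host as the origin"
    port: int
    max_age: int = 86400   # RFC 7838 default when "ma" is absent
    persist: bool = False


def _split_quoted(value: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_alt_svc(header: str) -> List[AltService]:
    """Return the alternatives advertised in an Alt-Svc value; "clear" -> []."""
    if header.strip().lower() == "clear":
        return []
    services = []
    for alternative in _split_quoted(header, ","):
        fields = _split_quoted(alternative, ";")
        proto_id, _, authority = fields[0].partition("=")
        proto_id = unquote(proto_id.strip())      # protocol-id is percent-encoded
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not port.isdigit():
            raise ValueError(f"bad alt-authority in {alternative!r}")
        svc = AltService(protocol=proto_id, host=host, port=int(port))
        for param in fields[1:]:                   # ma=..., persist=1
            key, _, val = param.partition("=")
            key, val = key.strip().lower(), val.strip().strip('"')
            if key == "ma":
                svc.max_age = int(val)
            elif key == "persist":
                svc.persist = val == "1"
        services.append(svc)
    return services
```

Running it on the header captured above yields one alternative, `h3-27` on port 443 of the same host, cached by clients for 2592000 seconds (30 days), which is how long a browser will keep trying HTTP/3 first after the origin stops advertising it.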

By default, Caddy also serves via TLS 1.3, something that is very hard to achieve with “traditional” webservers: OpenSSL, which most webservers link against, needs a very recent version to support TLS 1.3.

[Image: Caddy v2 SSL Labs score]

Upgrading is a non-event

I didn’t run into anything out of the ordinary; the guides were clear and the changes are well documented.

At this point, I’m guessing most users can upgrade from Caddy v1 to v2 in under an hour.