https://github.com/lucaslorentz/caddy-docker-proxy

I actually do this, because I kinda like having the proxy config right next to the app config in my Compose file, but I also dislike how much manual configuration Traefik needs. Downside is you need to know how to write Caddyfile (easy enough) and then also know how to write labels so CDP translates them into the correct Caddyfile (also easy enough, but could be annoying if you're learning both at the same time). Upshot is that once you know how it translates and you know what you need to write, it works just like Traefik but with just two labels, and I think that's pretty neat.

Caddy can support a surprising amount of weird and wonderful configurations, too.

The configuration is simply:

Header X-Clacks-Overhead "GNU Terry Pratchett"

It is not _configured_ by default. There is an important distinction.

It's not mentioned in documentation because the documentation [1] does not provide an _exhaustive_ list of the kinds of addresses that Caddy can be configured to serve.

1. https://caddyserver.com/docs/caddyfile/concepts#addresses

For example: ycombinator.com@example.com.

Nobody blocks dots in email addresses, although I have had some sites in the past email me using the first part of my email address as my name; it's amusing to open an email from example.com saying "Hi, example.com!"

https://caddyserver.com/v1/docs/http.prometheus

The logical extreme of this statement is that @mholt shouldn't post a link to any website unless that link is specifically tailored to the average reader of the site he's posting to. That, or Hacker News is special among all websites @mholt could post to.

I don't think that's fair. I also don't see the defensiveness you see - instead, I see @mholt explaining his website's strategy for the benefit of your understanding (as well as that of any future readers). The alternative to which would be not responding to your feedback at all, as he already has sound reasoning not to incorporate your specific suggestion (which we know because he explained it).

It's important to read into the best possible interpretation of a comment and respond to that, assuming good faith, especially on communities like this one. Otherwise we begin to assume everyone is attacking or defending.

It's a function of priority: make money > minimize legal liability > satisfy customers.

acme-go/lego doesn't use HTTP validation unless you disable just about every other form of validation first. TLS-ALPN validation is much more likely, so port 443.

That said, it is very easy to allow software to bind to privileged ports without providing it root access; this has been solved for a very, very long time.

I run Caddy (which uses acme-go/lego as its ACME provider) as a non-root user with no access to /etc at all. It seems to be running fine.

I believe AWS can do this because they have proof that you own the domain (effectively DNS validation) before handing out certs. Caddy can do similar with DNS validation - fetching your cert without needing to be publicly accessible. It needs you to hook into the API of one of the supported DNS providers though, because validation is still done on a per-request basis (but it has been able to do wildcards for a while). I understand that AWS is more validate once, sign certificates many times, which is quite convenient - and it all hooks into their systems fairly automatically.

That header thing was indeed a bit of a fiasco; a misguided attempt to honour the few that stepped up to support Caddy monetarily. Once the depth of the issue was made clear to the developers, it was indeed walked back.

Regarding OS packaging teams - it's not the dev's responsibility to become approved package maintainers for individual distros; it's generally not done, either. The distro maintainers themselves decide which packages to make available, and how to package them. Caddy doesn't offer repos for the individual popular package managers because of the nature of Caddy's third party plugin architecture - none of the package managers allow arbitrary downloads from a build server (rightly so - the package maintaining process is intended to provide much higher assurance of security), and they don't allow for the package to be built to request either. Not only that, but those plugins may or may not be trusted by the user themselves; the usefulness of anyone being able to extend Caddy and publish their own plugin at any time comes with that downside.

The licensing arrangement was born out of a simple need - Caddy devs gotta eat. The code itself is Apache 2.0 - the Caddy project is as FOSS as it gets. The commercial part is the build server, which isn't open source - if you use it to build your binaries, those binaries are considered either commercial or personal in nature. I can tell you that the devs would like nothing more than to have a different method that would satisfy their monetary requirements so they could make the build server binaries free, too.

The idea behind exiting on start with an error is to ensure that when the user starts the server, they know straight away that there's a problem and Caddy can't do what you're asking it to (which is manage your HTTPS certificates). There are ways to get Caddy up, even with out a valid HTTPS certificate, and get your site online regardless - they're just not _automatic_.

The fragile state concept is one we come across frequently. The truth is that when people say they're restarting the server, the meaning of restart is "shut down, then start", instead of "reload". Caddy has graceful reload capabilities; you can swap the Caddyfile and even the binary itself out without interrupting the server (this isn't true on Windows, though, where varied signaling of the Caddy process is not possible in the same way as it is on *nix based systems).

I myself have posted working solutions to full live server migrations (for the entire set of websites), between two fully working and secured (HTTPS) Caddy instances, accounting for DNS propagation. It's not unsupported or difficult, just not _automatic_; it requires some specific configuration and a careful hand (like most live site migrations). The somewhat-recent filesystem clustering Caddy does isn't even related to migration - it's actually supportive of distributed fleets solving challenges for other instances. You've always been able to share the TLS assets between Caddy instances and have them be used.

I wish I (or the developers) had been given a chance to offer some guidance - I believe we would have been able to help avoid some of the downtime and losses suffered by your business.

> user-hostile behavior

Which behaviour is user-hostile? Perhaps we could address it?

> outright dangerous behavior in the way it fetches SSL certificates

For reference, Caddy uses https://github.com/xenolf/lego/ for its ACME interactions with LetsEncrypt. Could you elaborate on what part of Caddy's behaviour is _dangerous_?

> very bad choice for critical sites

What makes it a bad choice, exactly?

Depends on how you define "better".

I would argue that a rewritten title you can read is "better" than an un-rewritten title you can't read because the site couldn't "link" it without risking a lawsuit or signing an agreement.

Decentralization will give people the opportunity to spread their hatred among themselves, without involving me, which is... exactly how things operate today.

So... Bring on infotech decentralization, I guess. It's got its merits, and for me, nothing about all this hate speech will change.

Like the Dunning-Kruger Effect?

https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

https://www.youtube.com/watch?v=rE3j_RHkqJc