Next Steps for the Caddy Project Maintainership

135 pointsposted 7 hours ago
by francislavoie
(caddy.community)

64 Comments

McRaeAlex

5 hours ago

It’s nice to see the responsibility spread across more people, open source projects live and die by their maintainers.

As a note, Caddy is one of those tools which hits the 80-90% of functionality with 50% of the complexity.

For both my homelab and hobby projects it just works. Its configuration is sane and well documented.

I highly recommend giving it a try.

kstrauser

35 minutes ago

For those on the fence, imagine Nginx, but with all the defaults set to what you’d have them on in the first place.

Here’s a complete configuration file for a Wordpress site with a LetsEncrypt TLS cert, static files, and PHP executed via FastCGI:

  example.com {
    root * /var/www/wordpress
    php_fastcgi unix//run/php/php-version-fpm.sock
    file_server
  }
That’s it. That’s the whole thing. All the other settings are adjustable, but have the default values you’d configure yourself if you wanted to dig in and tweak it.

I appreciate Caddy immensely. It doesn’t do anything Nginx can’t do, as far as I know, but it’s a whole lot more ergonomic while doing it.

tln

2 hours ago

For me it's been 95% and 5%. Caddy is great!

queenkjuul

an hour ago

Caddy rules, i can't imagine using anything else for the kind of projects I'm usually involved with.

NiloCK

3 hours ago

I've had a really good time with Caddy on a hobby project over the past 7 years on a digital ocean droplet.

Automatic HTTPS, multiple domains, proxying specific routes to local services, etc etc, managed by one extremely legible config file.

I've had literally one service failure over that period, and it was my own error after running upgrades of the droplet's operating system.

Highly recommended.

Congrats to Mike on growing the project to the point where he can responsibly take a hand off the wheel now and then. And thank you!

mdwhatcott

2 hours ago

> Congrats to Mike...

It's actually Matt :)

mholt

2 hours ago

Haha, hi Mike!

(He and I were coworkers for a time.)

skoskie

an hour ago

This is too cute.

bobberkarl

10 minutes ago

I want to use Caddy as an ingress or gateway in Kubernetes.

I have not configured lone servers in a long long time

cr125rider

6 hours ago

Caddy is excellent. Great on you, Matt for giving up some control.

aborsy

3 hours ago

Free software needs to find a way to encourage people to contribute so that maintainers get paid.

Caddy has been great!

tyre

3 hours ago

You can sponsor Mike right on GH!

https://github.com/sponsors/mholt

aborsy

2 hours ago

Yeah, I donate from time to time to various projects. But voluntary contributions will never solve this issue.

I had in mind somehow requiring or rewarding everyone to pay a small amount. Like, anyone who uses software from a platform such as GitHub should pay a subscription fee for maintenance depending on usage. It could be small so that it doesn’t interfere with usage. Considering huge number of users, that could pay for maintainers.

Ferret7446

2 hours ago

We already have that, it's called paid/proprietary software

aborsy

2 hours ago

That’s mostly different.

The point is, there are large number of users, if each user pays a small amount to the platform, they won’t notice it, yet it accumulates to a maintenance fee.

Paying a maintenance fee makes sense, regardless of how you label it. The entirely free software has problems and may not be sustainable.

skoskie

an hour ago

That is not at all what they said. Your interpretation seems disingenuous.

overfeed

2 hours ago

Will contributors get paid too?

abiosoft

25 minutes ago

Matt has been generous and rewarded me twice for my efforts on the project. But just as Francis said, we are willing volunteers.

francislavoie

2 hours ago

As a core contributor, Matt has expressed on many occasions he would like to be able to pay us for all the time we've spent on the project, but I've always told him we're doing it as volunteers and not for money (my day job pays me sufficiently) and I think he needs it more since he doesn't have other sources of income. And if he did get enough from sponsorships to pay a second salary, I think he should hire someone not already a volunteer to broaden the skillset of the team. One of our biggest problems at this stage is that the members of the core team don't have expertise in a few specific areas that Caddy is lacking in (e.g. metrics/prometheus stuff)

rvitorper

6 hours ago

I like Caddy. Good to see it evolve. Hope it works well

TranquilMarmot

6 hours ago

https://caddyserver.com/

> The Ultimate Server

> makes your sites more secure, more reliable, and more scalable than any other solution.

Is this an alternative to nginx or something?

loloquwowndueo

6 hours ago

It’s an http server like Apache or nginx.

A stand-out feature has been ACME support built-in, and it’s a fairly capable reverse proxy. I’ve seen organizations use Caddy to provision certificates for customer domains at scale with very good results.

danielheath

6 hours ago

Yes.

Personally, I much prefer the way caddy does configuration / plugins (as someone reasonably conversant in how nginx does those things) - comparable to "sysv init scripts vs systemd unit files".

o11c

an hour ago

I've never used caddy but "better config than nginx" is a pretty low bar.

tom1337

6 hours ago

It is, but I've mostly came across Caddy as a traefik alternative.

nodesocket

4 hours ago

I still think for Kubernetes ingress controller, traefik is more optimized for this use-case than Caddy. However, sitting in front of containers or a standalone reverse proxy I exclusively use Caddy.

charcircuit

4 hours ago

>Now, the project is so stable and mature that most bugs require extensive explaining and troubleshooting, and very specific configurations, to reproduce.

There still remains this simple to reproduce bug where the page doesn't load of you use the full domain name of a site.

https://caddyserver.com./

apsurd

3 hours ago

Never in my life have I seen a domain with a dot at the end OR a dot at the end with a slash.

bananas

why is this your hill to die on?

codebje

2 hours ago

That form of domain name is very common in DNS configuration. All it means is the name is complete already and should not have any local search domains appended. It's unusual to see it in URLs, but its presence should be harmless; that it's not harmless in Caddy is definitely an error - but I can't begin to understand why it would be seen as a particularly significant one.

MrDarcy

2 hours ago

The correct way to write a fully qualified domain name is with a period at the end otherwise it’s subject to the resolver search path.

francislavoie

4 hours ago

We get it, you have a grudge. No need to post this comment every single time anything related to Caddy is posted on HN. PRs welcome if you want to propose a change.

VenturingVole

3 hours ago

My 1st thought: The comment to which you are replying is why I'm not sure I'd have the patience to maintain an OS project. Though the older I get, the better I get at ignoring certain things.

My 2nd thought: Actually, this is very likely a culture/communication difference whereby both people care (I'm a big fan of Erin Meyer's work here)

My 3rd thought: I wonder what happens if I provide this repo and the chat comments to codex. Outcome: https://github.com/wsimmonds/caddy/pull/1

My 4th though: Perhaps I can make 'enemies' become friends if they both have disdain for AI ;)

Note: I would absolutely not submit this as-is. Caddy's an amazing project though I am not very familiar with its implementation and I'd seek to understand it, conventions etc. and make some obvious improvements to the code which has been generated - but this was a minor bit of fun. I created 4 separate versions and only in one of them did anything with TLS related get amended.

charcircuit

3 hours ago

I think it's unfair to say that I post this every time when I've only mentioned it twice before, with the previous time being 2 years ago. I don't have a grudge, I just recognize it as an easy to reproduce bug that disqualifies me from using the software. I'm not itching to get off of nginx as I already have a site that works, so I have no motivation to do extra work to fix bugs in other projects.

francislavoie

3 hours ago

Last year: https://news.ycombinator.com/item?id=39474419 and you also said "I have only brought this up once before on HN and it was over 2 years ago." in that same thread.

Still, only you and one other person with a similar grudge have ever complained about it (we've never had any github issues opened about it in years, neither on our forums) and nobody who cares has attempted to solve it with code changes.

charcircuit

3 hours ago

I'll admit I don't have perfect memory of my comments. I'll also admit this is a niche feature.

eduction

3 hours ago

Instead of poring over this person’s history maybe fix the bug?

francislavoie

3 hours ago

Why would we work on something we don't care about, for free? If they paid a sponsorship, that would allow us (moreso Matt) to spend the time looking into it. Or, people complaining about it can spend their own time finding a solution rather than making noise like this. (Also - I didn't "pore over", I simply searched for "caddyserver.com." in HN's search and it turned up every time two specific individuals brought this up)

throwaway-0001

2 hours ago

So maybe other people complaining are not using caddyserver.com domain?

I’ve seen people mentioning about dot at the end of the domain a few times this year. Also never knew is a valid domain and should be able to resolve. Some people mentioned before YouTube.com. Won’t load ads. But I think they fixed.

francislavoie

2 hours ago

I've read every single Caddy forum post (up until some months ago where I decided I had to slow down for my mental health), every single Caddy issue in the past 7 years, and nearly every thread mentioning Caddy on HN in the a similar time span, and it's only ever been brought up on HN by exactly two people. I know the patterns and I know how to find those comments. You may be talking about threads not relating to Caddy, in which case I don't find that relevant.

throwaway-0001

2 hours ago

Yes, I didn’t mean related to caddy. Just that dot at the end might not be so unusual like you said. TBH I don’t need this feature. I think it’s hard to be so sure only 2 people on hn mentioned this about caddy, unless you used a lot of resources to dig into it. To clarify I’m not against you, caddy is really amazing, just trying to be objective about it.

Caddy always worked well and recommended to other people. So I’m a pro caddy user, don’t get me wrong.

francislavoie

an hour ago

I am sure, because of how front of mind it has been every time it's been brought up (not just to me, but everyone on the Caddy core team).

We appreciate the recommendations! :)

eduction

2 hours ago

Ok fine, instead of poring over someone’s comment history why not enjoy some free time?

francislavoie

2 hours ago

Because leaving comments like that unaddressed/unclarified does not serve the public reading this thread.

bombcar

2 hours ago

It's served this public to realize that there's obviously some serious flaw somewhere in the software that means fixing this isn't easy, or it would have been done.

Which is sad, as now I have to reconsider.

francislavoie

2 hours ago

We've not seen a good enough argument that it's worth our time investigating. This seems like something that only affects something like 0.00001% of users. It may be simple, but it also means extensive testing to make sure any kind of fix doesn't also break other things. With how extensive Caddy's usecases are, we have to be careful with any change, especially low-level ones involving TLS and host matching. We could accidentally introduce somekind of request smuggling security bug for example if proper care isn't taken.

eduction

3 hours ago

You responded to a specific technical observation stated briefly and without emotion with a nasty personal attack.

Oh and now I see you work on the project. Hard pass on Caddy if this is how you respond to mild criticism.

francislavoie

3 hours ago

We've felt attacked by people trying to slander the project due to this specific technical issue. It's exhausting. Either way, like I said, we'd be glad to accept contributions to solve this.

VenturingVole

2 hours ago

It's an awesome project and I imagine it has saved countless production incidents. The amount of times I've said "it was probably certificate expiry" and been correct is reasonably high.

In my own cases of responsibility, Caddy would have eliminated them had it been around. Instead I've learned to be paranoid, though having things like this are far better in terms of easing cognitive burden.

Cheers for all of the hard work by you and other maintainers.

Silhouette

2 hours ago

I too have used Caddy on multiple production systems. It's a great bit of software.

I try to avoid engaging in online flame wars but I will say that the developers - including Francis - have been nothing but helpful and courteous to me personally and I've also learned a lot from their numerous positive contributions to Caddy-related forums.

JimDabell

2 hours ago

What slander? What grudge? What attack? Until now I’ve been a happy user of Caddy but seeing you overreact like this to a mild mention of a bug is making me strongly reconsider.

francislavoie

an hour ago

If you haven't seen the history of this topic outside of this thread then you wouldn't understand how frustrating it's been to handle. I'd just like it to stop being brought up (without also offering help or a solution). Seriously, every time we either post something on HN ourselves regarding Caddy or find a thread posted from someone else, one of the first thoughts is "oh boy, are we gonna have to find issue brought up again?" Lo and behold, it was brought up again today.

If you want another vote for how annoying the trailing dot issue is in general, hear it from no other than the author of Curl, Daniel Stenberg himself https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-...

JimDabell

an hour ago

Elsewhere in this thread you point out that he mentioned it in February last year. That was 18 months ago! They weren’t rude or abusive.

That is not a grudge. That is not slander. That is not a hill to die on. That is not an attack.

This makes me wonder how many other minor bugs are dismissed by you as a grudge due to you overreacting like this. It makes me a lot less confident in your project.

It’s perfectly fine for you to say ”this is low priority and we have no plans to fix it in the immediate future”. What’s not fine is treating it like a personal attack because they dared mention it twice in 18 months.

francislavoie

an hour ago

Caddy doesn't hit the front page of HN all too often. But when it does, this issue gets brought up by one of two people. That's why it's annoying. It's so predictable and so annoying. We've already said our piece on the topic repeatedly, being asked to repeat ourselves again is insulting to us. Because "this is low priority and we have no plans to fix it in the immediate future" is clearly not an answer for someone who cares about this issue and mentions it again.

JimDabell

an hour ago

You are not the sole audience for this discussion. Just because they mention something you have heard before, it doesn’t mean they are deliberately taunting or provoking you. I’m glad they mentioned it. This thread gave me important new information about the project.

francislavoie

an hour ago

We're perfectly within our rights to express how it makes us feel for it to be brought up, especially with the history we've had around it. It's caused us a lot of grief and we'd just like for it to stop being shoved in our face. That's all. If it was brought up by someone totally unique (not repeated by the same person as before, who we've already answered) then I would have had a different, more tactful response.

I really don't think it's fair for you to make a judgement on me or the project from an interaction like this. At least judge the project on its technical merits. I've been very transparent here. But I can't stop you from having your thoughts. It is what it is.

JimDabell

38 minutes ago

> being asked to repeat ourselves again is insulting to us.

> we'd just like for it to stop being shoved in our face.

This is the comment you are referring to:

> There still remains this simple to reproduce bug where the page doesn't load of you use the full domain name of a site.

They aren’t asking you to repeat yourself. They aren’t shoving it in your face. This is an open discussion thread with many participants. They weren’t talking to you directly. This is information anybody here can find interesting and relevant. I did.

> I really don't think it's fair for you to make a judgement on me or the project from an interaction like this. At least judge the project on its technical merits.

How you are reacting to this is far more important to me than the original bug.

Remember when 37signals suffered data loss because they were using GET requests to delete things? When people pointed out they had a bug, they were offended and blamed GWA. What happened next? The same thing happened all over again, users suffered more data loss.

Or how about when Naomi Wu reported a problem with Signal, where the common use case of third-party keyboards for Chinese people was rendering all of their security worthless? They dismissed that as somebody with a grudge and ignored her for a year. What happened next? People found out that Chinese keyboards were compromised; she was 100% right, and Signal users were in danger.

I’ve seen what happens when people have this attitude towards inconvenient people reporting inconvenient bugs. It’s a danger to users, and you are making Caddy seem dangerous with this attitude. I was a happy user of Caddy right up until this thread, and even halfway down this thread – even after reading the mention of the bug – but your reaction has flipped that to the opposite because I can’t trust that there aren’t more bugs you are handling this way.

m_sahaf

9 minutes ago

This is being blown out of proportion. You're discounting an entire project and your experience of the software over a person expressing exasperation over an inconsequential feature (not a bug) that even the author of curl had his run through and frustration. The request was not dismissed, rather it was discussed at length on our issue tracker. The OP knows it was discussed at length because they linked to the discussion thread in the earlier times they brought this up. Moreover, the way they presented it this time is snide, agree or not. To quote Matt's statement of the project being "stable and mature" just to say "except you didn't implement my niche feature" (yes, editorialized) is not criticism nor a feature request. It's veiled instigation hiding behind plausible deniability.

Anyways, on the feature request, Caddy is not the only software who disagrees with it being valid, and curl had their back-and-forth on it. There's no legitimate bug being dismissed, and you can go through the issue tracker to audit it. Equating this discussion with 37signals or Signal is false equivalence.

Disclaimer: Caddy maintainer

francislavoie

23 minutes ago

It's the fact they bring it up again when we've made it clear our stance is the problem, not so much the actual words in today's post. It's also off-topic (not relating to project maintainership) and it's on a post I submitted myself to HN.

I know you've already made up your mind, but look at our track record of answering support questions on the forums and tickets on GitHub, and you'll see that the picture you've formed in your mind from this thread is not accurate.

Those comparisons are very straw-man and I won't entertain them. As I've already said, IMO there's more risk in introducing a new security bug in trying to fix this issue than there is leaving it as-is (failing fast and hard).

JimDabell

11 minutes ago

> It's the fact they bring it up again when we've made it clear our stance is the problem

You are still locked into this idea that the sole purpose of bringing it up is for your response. This is an open conversation, not a dialogue between only you and them. It doesn’t matter if you have made your stance clear, them bringing it up gives other people a chance to hear about it and discuss it.

> I know you've already made up your mind, but look at our track record of answering support questions on the forums and tickets on GitHub, and you'll see that the picture you've formed in your mind from this thread is not accurate.

To be clear: my mind was made up that Caddy was a good, reliable choice, and it was your behaviour in this thread that changed my mind, it wasn’t my imagination.

> IMO there's more risk in introducing a new security bug in trying to fix this issue than there is leaving it as-is (failing fast and hard).

I believe that, but I also believe your attitude is a bigger threat to security than either.

francislavoie

6 minutes ago

And you're still locked into this idea that you'll convince me that I shouldn't care, when I've expressed how it makes me feel due to the history. Can you respect that there are topics I'd just like not to be reminded of in a certain way? If it was brought up in a _constructive_ way, I would accept it (i.e. offering help or a solution via a PR with tests). If it was brought up by someone who I didn't specifically interact with negatively on this topic before, I would accept it.

> I believe that, but I also believe your attitude is a bigger threat to security than either.

I can't change your belief, nor do I care to, but I think that's absurd. Show me an actual security threat relating to this and I will address it. But this problem as stated is not one.

eduction

2 hours ago

People are allowed to crticize a project whether or not they want to fix it. It was a mild, brief mention of one issue. Accurate, too, so not slander.

You seem to think there is a conspiracy against Caddy. That seems doubtful. But I could see disproportionate defensiveness like what is on display here causing some people to not be fans.

francislavoie

2 hours ago

Two people don’t make a conspiracy. And honestly, the tone came off as pretty snide. Quoting part of the post just to twist it into their own point was clearly deliberate.

queenkjuul

an hour ago

Your loss, caddy is fantastic