Automatic HTTPS and HTTP/2 for Kubernetes with Caddy Web Server

Published 2019-2-6
by Ryan Sundberg

Caddy web server is a next-generation web server with automatic HTTPS integration and HTTP/2 support. HTTP/2 is transparent to users, but it greatly improves the efficiency of web applications and servers through better connection management and multiplexing. Caddy stands out among web servers as one of the most user-friendly, if not the most user-friendly, when it comes to setting up security certificates and configuration. If your site isn't running on HTTP/2, or you are spending time and money every year renewing your TLS certificates, now is the time to set it up for the benefit of your website and your users.

Automatic Transport Layer Security

The outstanding benefit of switching your web server to Caddy is its automatic integration with Let's Encrypt for free and easy TLS (a.k.a. SSL) certificate setup. It is as simple as defining your domains in your Caddyfile and making sure that your DNS is set up to point traffic to your server. Really. That's it! Never hassle with Certificate Signing Requests, Common Names, indecipherable certificates, or private key files again.
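As an added illustration that is not part of the original post, here is a Caddyfile in the Caddy v1 syntax current at the time of writing; the domain names, email address and web root are placeholders. Listing the site names is all Caddy needs to obtain and renew certificates; the remaining directives are optional hardening.

```caddyfile
# Constructed example: two site names, one site block. Caddy obtains a
# certificate for each name from Let's Encrypt and renews it automatically.
example.com, www.example.com {
    # Placeholder document root
    root /var/www/example

    # Contact address for Let's Encrypt expiry notices (placeholder).
    # No certificate or key paths: Caddy manages them itself.
    tls admin@example.com

    # Optional hardening. Caddy already serves HTTPS and HTTP/2 by default
    # and redirects plain HTTP to HTTPS for sites with automatic TLS.
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
    }

    gzip
    log stdout
    errors stderr
}
```

For TLS-ALPN-01 validation to succeed, both names must resolve to this host and port 443 must be reachable from the internet; if issuance fails, the Let's Encrypt error is printed in the error log configured above.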

Up-to-date Maintenance

Last month a story broke from a white-hat hacker who was able to exploit the popular Let's Encrypt service to generate TLS certificates for sites he didn't actually own. This meant that hackers would have been able to impersonate your site using https://, which could have devastating effects, including stolen credit card numbers, user accounts, and personal information. Luckily, the people at Let's Encrypt responded immediately to the issue and disabled the vulnerable mechanism. However, that meant that thousands of web servers relying on new certificates only have 90 days to upgrade their infrastructure to avoid their certificates expiring!

The internet really can crash when the sysadmins stop paying attention!

We set out to upgrade our infrastructure in order to avoid any outage of service for our clients. We were happy to find Caddy ahead of the curve with the switch to the newer certificate validation mechanism, "TLS-ALPN-01." 👍👍

Power Your Kubernetes Cluster With Caddy

We rely on Kubernetes, the container orchestration system, to operate our infrastructure with high reliability and rapid deployment at scale. It certainly helps keep our operational overhead down. Although it's not very well known, there is an Ingress Controller for Kubernetes powered by Caddy which we have had a hand in developing. If you're an engineer who wants to take advantage of the simplicity and ease of management of Caddy in your Kubernetes cluster(s), you can find the caddy-ingress-controller project on Github and Dockerhub.

If you would like to try Caddy in a standard deployment without Kubernetes, Caddy is available as free software on Github. However, if you want a simple binary to install, without building it from source yourself, the developer asks for a small price for commercial use. We highly recommend it!
