A custom Caddy web server build with enhanced security, cloud integration, and enterprise features. This build includes carefully selected plugins for production deployments with advanced security, dynamic DNS, cloud storage, and monitoring capabilities.

• Layer 4 Load Balancing - TCP/UDP proxy capabilities via caddy-l4
• Advanced Security - Authentication, authorization, and security policies via caddy-security
• JSON Schema Validation - Configuration validation with caddy-json-schema

• CrowdSec Integration - Real-time threat protection with bouncer support for HTTP, Layer 4, and AppSec
• Cloudflare IP Restoration - Proper client IP handling behind Cloudflare

• Dynamic DNS - Automatic DNS record updates
• Cloudflare DNS - ACME DNS challenge support for Cloudflare
• Multi-Storage Backends - Flexible certificate storage options

• Vault Storage - HashiCorp Vault integration for secure certificate storage
• Cloudflare KV Storage - Cloudflare Workers KV for distributed storage
• S3 Storage - Amazon S3 compatible storage via CertMagic
• Storage Loader - Dynamic storage backend loading

Download the latest release for your platform:

# Linux AMD64
wget https://github.com/braccae/caddy/releases/latest/download/caddy-linux-amd64v1

# Linux ARM64
wget https://github.com/braccae/caddy/releases/latest/download/caddy-linux-arm64v8

# Linux ARM32v7
wget https://github.com/braccae/caddy/releases/latest/download/caddy-linux-arm32v7

Make it executable:

chmod +x caddy-linux-*
sudo mv caddy-linux-* /usr/local/bin/caddy

1. Copy the caddy.container file to your systemd user directory:

mkdir -p ~/.config/containers/systemd/
cp caddy.container ~/.config/containers/systemd/

2. Create your Caddyfile configuration directory:

mkdir -p ~/caddyfile.d/

3. Configure secrets and environment variables in the container file

4. Reload systemd and start the service:

systemctl --user daemon-reload
systemctl --user enable --now caddy.service

docker run -d \
  --name caddy \
  -p 80:80 \
  -p 443:443 \
  -v caddy-data:/data \
  -v caddy-logs:/logs \
  -v ./caddyfile.d:/caddyfile.d:ro \
  -e EMAIL=your-email@example.com \
  -e CF_API_TOKEN=your-cloudflare-token \
  -e MODE=dev \
  ghcr.io/braccae/caddy:latest

The container supports three configuration modes:

• dev - Development mode with file storage and verbose logging
• staging - Staging mode with S3 storage backend
• prod - Production mode with Vault storage backend

• EMAIL - Email address for ACME certificate registration
• MODE - Configuration mode (dev, staging, prod)

• CF_API_TOKEN - Cloudflare API token for DNS challenges

• CROWDSEC_API_URL - CrowdSec API endpoint
• CROWDSEC_API_KEY - CrowdSec API key
• CROWDSEC_TICKER_INTERVAL - Update interval for CrowdSec rules
• CROWDSEC_APPSEC_URL - CrowdSec AppSec endpoint
• CROWDSEC_ENABLE_HARD_FAILS - Enable hard failures on CrowdSec errors

• VAULT_ADDR - HashiCorp Vault server address
• vault_token - Vault authentication token (as secret)

• S3_HOST - S3 endpoint hostname
• S3_BUCKET - S3 bucket name
• S3_PREFIX - S3 key prefix
• S3_ACCESS_KEY - S3 access key (as secret)
• S3_SECRET_KEY - S3 secret key (as secret)
• S3_ENCRYPTION_KEY - S3 encryption key (optional, as secret)

Place your site configurations in the ~/caddyfile.d/ directory with .caddyfile extension:

# ~/caddyfile.d/example.caddyfile
example.com {
    reverse_proxy localhost:8080

    # Enable security features
    security {
        authentication portal myportal {
            crypto default token lifetime 3600
            backends {
                local_backend {
                    method local
                    path /etc/caddy/auth/local/users.json
                }
            }
        }
    }

    # CrowdSec protection
    crowdsec {
        api_url {$CROWDSEC_API_URL}
        api_key {$CROWDSEC_API_KEY}
    }
}

• Go 1.24.2 or later
• Git

1. Clone the repository:

git clone https://github.com/braccae/caddy.git
cd caddy

2. Build the binary:

cd src
go build -o ../caddy .

3. Run the custom Caddy:

./caddy run --config Caddyfile

Build for different platforms:

# Linux ARM64
GOOS=linux GOARCH=arm64 go build -o caddy-linux-arm64 .

# Windows AMD64
GOOS=windows GOARCH=amd64 go build -o caddy-windows-amd64.exe .

# macOS ARM64
GOOS=darwin GOARCH=arm64 go build -o caddy-darwin-arm64 .

├── src/                    # Go source code
│   ├── main.go            # Main entry point with plugin imports
│   ├── go.mod             # Go module dependencies
│   └── go.sum             # Dependency checksums
├── container/             # Container configurations
│   ├── Dockerfile         # Multi-arch container build
│   ├── rootless.Dockerfile # Rootless container variant
│   ├── dev.Caddyfile      # Development configuration
│   ├── staging.Caddyfile  # Staging configuration
│   └── prod.Caddyfile     # Production configuration
├── .github/workflows/     # CI/CD pipelines
└── caddy.container        # Podman Quadlet configuration

1. Add the plugin import to src/main.go:

import (
    // ... existing imports
    _ "github.com/example/caddy-plugin"
)

2. Update dependencies:

cd src
go mod tidy

3. Test the build:

go build .

The project includes automated GitHub Actions workflows:

• Build and Release - Multi-architecture binary builds on push to main
• Container Publishing - Automated container builds and publishing to GHCR
• Rootless Container - Separate rootless container builds

• Caddy L4 - Layer 4 load balancing
• Caddy Security - Authentication and authorization
• Caddy JSON Schema - Configuration validation

• Caddy Dynamic DNS - Dynamic DNS updates
• Caddy DNS Cloudflare - Cloudflare DNS provider

• CrowdSec Bouncer - CrowdSec integration
• Cloudflare IP - Real IP restoration

• Vault Storage - HashiCorp Vault backend
• Cloudflare KV Storage - Cloudflare Workers KV
• CertMagic S3 - S3 storage backend
• Storage Loader - Dynamic storage loading

• Runs as non-root user (proxy)
• Uses minimal Alpine Linux base image
• Implements health checks
• Supports rootless container deployment

• Proxy Protocol support for real client IPs
• TLS termination with automatic HTTPS
• CrowdSec integration for threat protection
• Cloudflare IP restoration

• Multiple secure storage backends
• Vault integration for production secrets
• S3 encryption support
• Secure secret management via container secrets

The container includes a built-in health check endpoint:

GET http://localhost/healthz

Returns 200 OK when the service is healthy.

• Structured JSON logging in production
• Configurable log levels
• Integration with systemd journal
• Container log aggregation support

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests if applicable
5. Submit a pull request

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

• Caddy Community Forum
• GitHub Issues
• Caddy Documentation

• Caddy Server - The amazing web server this build is based on
• All plugin authors for their excellent contributions to the Caddy ecosystem
• The open-source community for continuous improvements and feedback