Caddy and CertMagic have new ownership; no changes to licensing or development

I have some great news that I’ve been meaning to share for a while: the Caddy project is now owned by apilayer. This allows me to continue working on Caddy full-time, without any changes to the current open source licensing.

This was a very personal decision for me, which came only after lots of careful consideration and discussion with both apilayer and Ardan Labs. We’re excited for this, and I hope you will be too.

In this post I’ll elaborate on my perspective and explain some of the details best I can, but I don’t speak for apilayer or Ardan Labs. You can read Ardan Labs’ press release here.

Main points

(I’ll try to keep this post updated as I see comments or questions.)

  • Caddy is now an apilayer open source product. They also have rights to the trademark.

  • This does not change Caddy licensing or distribution in any way. Caddy has always been and still is Apache 2.0 open source licensed, just like thousands of other FOSS projects.

  • This actually happened about six months ago. We’ve just been too busy to announce it! :sweat_smile: Between the pandemic, more client work from project growth, and other unexpected life things, it’s been a whirlwind year! But in these six months, we’ve released Caddy 2.0, 2.1, and are soon releasing 2.2, along with updated website features and docs. We’ve already been operating with the new ownership for over half a year now.

  • The ownership change includes CertMagic, which was moved into the caddyserver organization on GitHub when the change occurred six months ago.

  • Everything else about the project continues as normal. There are no user- or community-facing changes.

  • I continue to work on Caddy full-time. This would not be possible without apilayer, Ardan Labs, and all other sponsors (thank you)!

  • Ardan Labs is still the exclusive support contractor for the Caddy project. Businesses are encouraged to get a support plan or contract Caddy-related development through Ardan Labs, with whom I consult.

  • Several members of our community continue to act as maintainers and packagers, just as before. Thank you to them for their dedicated involvement!


After the Caddy project grew more than I could handle in ~2016, I applied for an award from Mozilla for developing software that helps advance privacy and security on the Internet, which amazingly was granted and allowed me to work on Caddy full-time for about 6 months.

For longer-term sustainability, I later moved to monetize its commercial user base with both professional services and a unique licensing plan for custom-made binaries distributed through the Caddy website. Mistakes were made (both by myself and a vocal minority of the user base – or at least some armchair observers) and that model didn’t achieve the sustainability I had hoped for. Not many people know this, but the project actually came close to shutting down after that because I was starting grad school and couldn’t handle its growth together with my research and studies without some sustainability to front it.

After consulting with some trusted friends, mentors/colleagues, and professors, I decided not to pull the plug and instead applied Caddy to academic research through some projects in grad school, such as embedding CT monitors into web servers. Another one of these was telemetry, which allowed us to observe the conditions of clients on the Internet – including the first wide-spread production server-side measurements of MITM attacks – without being confined to proprietary networks. Contrary to popular belief (sigh), it didn’t collect any personal information or IP addresses; just benign technical data that was in plaintext on the wire or basic counts of things like which features of the server were used most often. Unfortunately this was also not well-received (and was expensive), despite other software such as Windows, Firefox, Chrome, VS Code, and many other programs that continue to implement much more aggressive and detailed telemetry, and I was more or less forced to shut it down a year or two later after counting trillions of connections.

From its various research applications, we learned that automatic CT monitoring can be a valuable asset (one even worth paying for) and that MITM is more widespread on the Internet than you’d think. (Cloudflare later deployed a similar MITM measurement at a larger scale of course, but it is limited to their proprietary network. And nobody complained about this like they did with Caddy, but the MALCOM dashboard doesn’t load for me anymore for some reason. Is Cloudflare starting to develop Google-like habits?)

After completing my graduate degree last year, I approached several companies to see if they’d be interested in hiring me to work on Caddy full-time, to the mutual benefit of them and many of their customers who use and rely on it. If I couldn’t find one, I’d have to take a likely-unrelated position and Caddy would have to take the back-seat. Fortunately, more than one company was interested! I accepted an offer with Ardan Labs and under their auspices built Caddy 2.

I’m pleased to say that Caddy 2.0 was designed and developed right on schedule: in just about 12 months we went from design drafts to prototypes to betas to final release. It’s amazing what providing for one full-time developer can accomplish! I am thankful to Ardan Labs for that opportunity.

Near the end of the Caddy 2 development cycle, we received an offer from apilayer that worked to our mutual advantage. All three parties came to agreeable terms and the Caddy project is well on our way to continued development and growth. I have at least a two year contract with apilayer to work on Caddy full-time!

During the negotiations I made it very clear that open source is crucial to Caddy’s success, and I was relieved that Julian (apilayer) balked at the possibility of making it anything but open source. :slight_smile: It was very clear that keeping Caddy open source is a core value for all of us.


Ardan Labs continues to be the trusted partner to support businesses using Caddy. We recommend that all businesses using Caddy get a support plan so that they can become familiar with your deployments and offer assistance if needed. There are also options for custom development contracts.


It’s clear to me that sponsorships are probably the best way to ensure the sustainability of the project in the long run, rather than fiddling with licensing or taking on enterprise support by myself (Ardan Labs is our partner for enterprise clients).

I continue to rely on sponsorships for ongoing full-time development of Caddy, with apilayer being the premier corporate sponsor. I am able to prioritize features and bug fixes for sponsors, as well as extending a special invite to our Slack community for Caddy developers/maintainers. Right now, sponsors also get exclusive early access to Project Conncept, a layer 4 (TCP/UDP) app for Caddy! When we reach 50 sponsors, I’ll be able to make it public!

I’ll be enhancing sponorship perks later this year as well, so stay tuned for more on that.

You can sponsor me through GitHub: Sponsor @mholt on GitHub Sponsors · GitHub

If you aren’t able to sponsor right now, that’s okay: the next best thing you can do to help the project is to use Caddy and help others to use it, too. Join our community and help answer people’s questions! You can also share the project so more people know about it. If you’re experienced with Go, we’re always looking for committed maintainers to the code base; or if you’re good at websites, we could use help to improve ours! Similarly, we need help with packaging, distribution, and several other side projects. There’s a lot to be done! The project wouldn’t be where it is without the assistance of the community.

Thank you for your support, and for using Caddy! As we continue to work on it together, I hope it serves you well for many years to come.




Congrats matt! This feels like a great move, Caddy has a bright future ahead :rocket:


Congratulation! :clap:

1 Like

This topic was automatically closed after 120 days. New replies are no longer allowed.