Hi, I just read the announcement for Commercial Caddy licensing and the requirement for the Caddy-Sponsors HTTP header being required/used. I need clarification:
Does this only apply to the officially provided/downloaded binaries, and is it not a requirement if we build from source ourselves?
Or does this Caddy-Sponsors header requirement also extend to self-built, source-compiled Caddy binaries?
Is there a limit to the size of the header as you add more sponsors?
I am testing and evaluating Caddy for integration into my Centmin Mod LEMP stack installer, which is open source and free, so would distributing Caddy via custom integration into my LEMP stack installer be considered commercial or personal use? What if my Centmin Mod LEMP stack users' usage is commercial? How do I deal with Caddy distributed this way? I DO NOT have any info as to what my users use my LEMP stack for, whether it’s personal or commercial. The integration doesn’t modify any Caddy source code. It’s just scripted integration for automatic site vhost creation via a shell-based script CLI command line or shell-based menu, so it eventually generates domain vhosts which would work with several planned web server integrations - nginx and later, openlitespeed, litespeed, apache 2.4, caddy and/or h2o. So the end user can generate a site vhost once and be able to choose which web server they want to use, which would share a common site account structure/web roots etc. Also HAProxy is planned too, so technically you can have web sites running different backend web servers eventually.
The concern I have is due to performance, as there’s known performance overhead with Caddy as you start adding more HTTP headers to your site - benchmarks at Any performance overhead as you add more headers under HTTP/2?. Have you looked at the performance overhead as you continue to add new sponsors and increase the size of the Caddy-Sponsors header?
I would rather put a Powered by Caddy text/logo in the HTML footer of a Caddy-powered web site than have additional HTTP headers reduce overall web performance over time. Just my 2 cents.
Currently I see
curl -I https://caddyserver.com/blog/accouncing-caddy-commercial-licenses
HTTP/1.1 200 OK
Caddy-Sponsors: This free web server is made possible by its sponsors: Minio, Uptime Robot, and Sourcegraph
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com; script-src 'self' data: https://www.google-analytics.com https://checkout.stripe.com; img-src 'self' data: https:; font-src 'self' data: https: blob:; media-src 'self' https:; connect-src 'self' https:; object-src 'none';
Content-Type: text/html; charset=utf-8
Last-Modified: Wed, 13 Sep 2017 14:43:04 GMT
X-Xss-Protection: 1; mode=block
Date: Wed, 13 Sep 2017 16:40:08 GMT
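A small audit script, added here as an example and not code from this thread or from the Caddy project, that parses the curl -I output above, measures each header's HTTP/1.1 wire size, flags headers that disclose the serving software, and projects how the Caddy-Sponsors header grows as sponsors are added. The sample response is the one captured in the post; the list of identifying header names and the sentence format used for the projection are assumptions made for this example.

```python
import re

# Constructed sample: the response headers captured with `curl -I` in the post above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Caddy-Sponsors: This free web server is made possible by its sponsors: Minio, Uptime Robot, and Sourcegraph
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com; script-src 'self' data: https://www.google-analytics.com https://checkout.stripe.com; img-src 'self' data: https:; font-src 'self' data: https: blob:; media-src 'self' https:; connect-src 'self' https:; object-src 'none';
Content-Type: text/html; charset=utf-8
Last-Modified: Wed, 13 Sep 2017 14:43:04 GMT
X-Xss-Protection: 1; mode=block
Date: Wed, 13 Sep 2017 16:40:08 GMT
"""

# Header names that reveal which software served the response.
# This list is an assumption for the example, not a Caddy setting.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "caddy-sponsors", "via"}

# Assumed sentence format, modelled on the header value observed above.
SPONSOR_PREFIX = "This free web server is made possible by its sponsors: "


def parse_headers(raw):
    """Parse `curl -I` style output into (status_line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        # Split on the first colon only; values (dates, CSP) contain colons too.
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def header_wire_bytes(name, value):
    """Uncompressed HTTP/1.1 wire size of one header line: 'Name: value\\r\\n'."""
    return len(name.encode()) + 2 + len(value.encode()) + 2


def audit(raw):
    """Return per-header sizes, the total, and which headers identify the server."""
    status, headers = parse_headers(raw)
    report = {"status": status, "total_bytes": 0, "per_header": {}, "identifying": []}
    for name, value in headers:
        size = header_wire_bytes(name, value)
        report["per_header"][name] = size
        report["total_bytes"] += size
        if name.lower() in IDENTIFYING_HEADERS:
            report["identifying"].append(name)
    return report


def projected_sponsor_header_bytes(sponsors):
    """Wire size of a Caddy-Sponsors header listing the given sponsor names.

    Uses the assumed sentence format; with the three sponsors seen in the post
    it reproduces the observed header exactly. Note that HTTP/2 HPACK would
    compress a repeated static header, so this is the uncompressed upper bound.
    """
    if len(sponsors) == 1:
        joined = sponsors[0]
    elif len(sponsors) == 2:
        joined = f"{sponsors[0]} and {sponsors[1]}"
    else:
        joined = ", ".join(sponsors[:-1]) + ", and " + sponsors[-1]
    return header_wire_bytes("Caddy-Sponsors", SPONSOR_PREFIX + joined)


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    print(report["status"], "-", report["total_bytes"], "header bytes")
    for name, size in sorted(report["per_header"].items(), key=lambda kv: -kv[1]):
        flag = "  <- identifies server software" if name in report["identifying"] else ""
        print(f"{size:5d}  {name}{flag}")
    for n in (3, 5, 10):
        names = [f"Sponsor{i}" for i in range(n)]
        print(f"{n:2d} sponsors -> ~{projected_sponsor_header_bytes(names)} bytes")
```

The per-header byte counts make the "more sponsors means a bigger header" concern measurable rather than anecdotal, and the identifying-header list gives the later point in the thread about tech-identifying headers something concrete to review against a real response.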
You may make any changes you like to the source code. There are some caveats under certain circumstances that may require you to announce attribution and changes in your distribution. If you intend to distribute for commercial purposes, I’d read and understand the license first.
What your users use your software for is up to them, and they’ll have to meet the same requirements for distribution (it’s their responsibility to observe the license). But usage of your free software, for commercial purposes, is fine.
@matt thanks for the clarification. Makes things clearer
Source compiles will make things interesting for performance and load/scalability tests as it also opens up a lot of options for compiler (Clang vs GCC) and compiler options though I haven’t done any Caddy source builds as yet so not sure if they’re applicable with regards to Caddy?
@eva2000 Based on the name Centmin, I’m guessing that your project is CentOS based. If that is the case you could use my copr for caddy once you update to CentOS 7.4 (due out any day). That copr is where I’m working out the kinks to submit the package to Fedora and EPEL.
Yes, along with a systemd unit file and a directory structure for system wide config files (/etc/caddy/caddy.conf and /etc/caddy/conf.d).
Since the plugins are compiled in, the plugin decisions have to be made for the whole repo. At the moment I’m enabling all the dns providers (go get in the spec file, which won’t be allowed in Fedora). When I initially submit it to Fedora I’ll probably have all plugins disabled, then re-enabled select ones once I can submit the relevant go library to use as a build dependency.
Help me understand where you’re coming from. This particular price point equates to $50/instance. NGINX is $200/instance. Is that not steep? You want us to take an NGINX approach yet NGINX is 4x the cost, and you say ours is already too high.
@matt another question with regards to the HTTP Sponsor header. Some 3rd party proxy services (Cloudflare, Sucuri, Incapsula or CDNs etc.) or reverse proxies might strip out the Caddy HTTP sponsor header where the end user doesn’t have complete control over it. How would we deal with those situations?
Hey @matt sorry for not being fully clear on the comparison. They offer a distinct, separate product. Asking $100/mo on an honors system is both confusing and not going to achieve your desired income stream. @ITSecMedia suggested a better price point for a single dev. Also, what about use cases? My own use cases aren’t for web dev; they’re for hosting other open-source apps, or connecting to existing servers. I’m not running commercial web hosting, or paid services.
(ponders) Here are some viable points of separation…
Anyone can make a website / throw on some HTML / etc.
Certain open-source and commercial applications need things like the proxy and fastcgi modules. This is my current use case; and since you appear to control those modules, would be ideal for the lower price-point.
I think you also control the load-balancer. I think we all can agree that having a need for load-balancing indicates mission-critical & commercial viability. This is where you can soak the bigger fish.
It is somewhat disappointing that we’ve spent the last 15 years trying to eradicate tech-identifying headers from leaving our networks, and here we have a “secure by default” service doing just that, and explicitly and intentionally.
Have we already forgotten all the fuss caused because IIS was putting MS headers in the output?
Tell me how a header is a security exploit? (And don’t say "because it reveals the server that’s running" – there are more serious ways to fingerprint a server, and most exploits are automated these days anyway.)