None of my stakeholders care how serious the exploit is. When the pen-test has even a low-severity warning about “possible leaking of server fingerprint” or whatever, and it is trivially preventable, they want it removed.
The customer isn’t always right, but if there’s an easy way to remove friction with their compliance process, then that’s what we do, as long as they aren’t actually wrong.
Cheers @carlwgeorge, and thanks to @matt for fixing the source builds (https://github.com/mholt/caddy/issues/1843). I tried my hand at Caddy source building for the first time, and it is working so far with some plugins added. So the HTTP Sponsor header clarification (and revert/removal) in this thread satisfies my concerns, if source builds are excluded from the EULA requirements.
I started this thread just for discussion of HTTP Sponsor headers, not commercial pricing, but since pricing is being discussed I will add my 2 cents.
Costs need to be compared relatively. From my load testing benchmarks using nghttp2’s h2load HTTP/2 tester, for HTTP/2 HTTPS loads, Caddy is ~1/3rd the scaling/performance of Nginx. So you’d need 3-4x Caddy servers to match the performance of 1x Nginx server for HTTP/2-based HTTPS. So for commercial licensing you’d need the 5-server license at a discounted US$250/month, which reverts to 4x250 = US$1,000/month once introductory licensing ends. That equates to $3,000/yr discounted or $12,000/yr for 5 commercial licenses if you only need 4 instances?
If I need 3x to 4x Caddy servers to match 1x Nginx servers performance the comparative cost is:
Caddy 5 instance license = $3,000/yr discounted or $12,000/yr normal price
Nginx 1 server Basic license = $2,500/yr, $3,500/yr Pro or $5,000/yr Enterprise.
If I need 6x to 8x Caddy servers to match 2x Nginx servers performance the comparative cost is:
Caddy 10 instance license = $6,000/yr discounted or $24,000/yr normal price
Nginx 2 server Basic license = $5,000/yr, $7,000/yr Pro or $10,000/yr Enterprise.
From a financial and performance perspective, it doesn’t make sense unfortunately.
I truly understand Caddy needs $$$$ to continue development and thrive, but the above points and calculations could be derived by any commercial company doing their own cost-benefit analysis. Commercial pricing probably does need some revision.
edit: oh, I misread that as the intro price being 1/4 of the full price in the above numbers. The non-intro price isn’t actually mentioned yet.
Yes, using the discounted pricing for justification is a bit disingenuous. To get approval for it, I’ll have to declare that this price will definitely increase dramatically at some as-yet-undetermined time in the future. Basically I will have to spec for the full cost now. Do we actually know what the non-introductory price will be? The “sticker” doesn’t say.