HTTPS backend suddenly not reachable, getting 502 although site is up

I think it’s reasonable to have that expectation for paid or proprietary software. But you are using Caddy for free. Unless you sign on as a sponsor, we don’t know what your individual requirements are. We do our best, but it takes a lot of time and effort, especially to be watching all the dependencies and monitoring them for relevant changes. This is something we can do if we have an enterprise sponsor that requires it, but we don’t currently have that situation. You’re welcome to sign up! We could use more sponsors.

In the meantime, since this is open source, you can examine the code and changes as much as you like for any changes in dependencies, etc. There’s no reason to have to complain about it, because you can do the work yourself, or pay to have someone else do it for you. We’re happy to sign you on as a sponsor if you’d like. One of the enterprise tiers can cover dependency graph monitoring.


The arguments sounded until now to me more like “it should not be relevant if we remove old TLS versions, so we don’t document it”.

I totally understand when the resources are limited and it’s work-wise not possible, absolutely no complaints about it.

Will try to do my best to convince the management to sign up as a sponsor.

Keep up the good work and thanks for your time discussing the topic, really appreciated.


Sorry if I came off as a bit gruff. It’s easy to get vibes of entitlement when we clearly have good options for businesses that have advanced requirements to pay for things that require a lot of care and effort, take a lot of time, slow down releases, etc. We can do those things – but we’d like companies to pay for services like that. And we just get a lot of requests from companies using Caddy for free that aren’t reasonable to do for free.

To clarify, we don’t know it’s relevant unless someone tells us. And then, for us to even care about supporting going against best practices, we need compelling arguments.

I prefer to work with sponsors to find middle grounds. For example, I think documenting TLS support in dependencies is a reasonable balance between going against best practices (enabling old TLS versions for everyone) and surprises (not documenting it in our release notes, even though the change was in a dependency not related to our code). Of course, recursively monitoring dependency trees takes a lot of time and is a premium service companies can pay for. But that’s definitely doable! Much more agreeable than enabling broken security protocols.

Would absolutely love that – it is great for your company in a lot of ways, and ensures the project carries on strong too.

Thank you!

