Impression of a newcomer to Caddy

I am a 3-day-young newcomer to Caddy. So pardon me if I get things wrong. Over the last three days I have set up an experimental website at https://caddy.beatquantum.com - guess what, my website already scores equal or better on every publicly available score against guess who - caddyserver.com. Go and check on https://internet.nl for your own websites.
(I am not bragging, but just demonstrating that we as a community can help Caddy reach its full potential.)
In the attached picture is my first comparison of Caddy 2.3 with the latest versions of Nginx and Apache. I am happy for you to agree or disagree; but in the latter case show me efficient solutions. I will not be writing modules and plugins; but happy to test everything you suggest.
I hope to have a constructive exchange here.

I find that table confusing. The rows aren’t aligned and are lacking dividers, so it’s very hard to follow.

What do you mean by “Caddy is inflexible on TLS1.3”?


Thanks for the feedback on table formatting. I replaced the table in the topic.

Caddy does not allow you to choose which of the TLS1.3 ciphers are allowed or not. Apache does. Nginx does not - but there is a workaround involving the editing of the openssl.cnf file in /etc/ssl.

Allowing cipher customization for TLS1.3 is actually a huge downside of nginx and apache. Security comes from having strong, known-good defaults. If users can customize it, then it opens room for shooting themselves in the foot. So I strongly disagree with that criticism.

Some of us would prefer to use a subset of the list of ciphers allowed under the TLS1.3 specification (RFC 8446, section 9.1: The Transport Layer Security (TLS) Protocol Version 1.3), and by making that choice it is unlikely that they will compromise security. (But I respect that we have a difference in opinions. Thanks for sharing yours.)

FYI, even if the Caddy project would want to allow cipher customization, it wouldn’t be possible because the underlying Go implementation prevents it:

https://golang.org/pkg/crypto/tls/#Config.CipherSuites

More context (see comments from Filippo Valsorda):

Thanks for sharing, Francis. That is an interesting discussion thread. I will need to learn how to fork Go and drop the algorithm (0x1301). That would be a project for this summer. :smiley:
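To make Francis's point about Config.CipherSuites concrete, here is an added Go example (not from this thread or from the Caddy project) that runs a loopback TLS 1.3 handshake with CipherSuites restricted on both sides to a single TLS 1.2 suite; the connection still negotiates one of Go's three fixed TLS 1.3 suites. It uses only the standard library; the trivial HTTP handler and the httptest self-signed certificate are throwaway test fixtures, not a real deployment.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tls13Suites is the fixed set that Go's crypto/tls negotiates for TLS 1.3
// (0x1301, 0x1302, 0x1303). Config.CipherSuites never adds to or removes from it.
var tls13Suites = map[uint16]bool{
	tls.TLS_AES_128_GCM_SHA256:       true,
	tls.TLS_AES_256_GCM_SHA384:       true,
	tls.TLS_CHACHA20_POLY1305_SHA256: true,
}

// NegotiateTLS13 performs a loopback HTTPS request in which both the server and
// the client set CipherSuites to a single TLS 1.2-only suite, and returns the
// protocol version and cipher suite that were actually negotiated.
func NegotiateTLS13() (version, suite uint16, err error) {
	only12 := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} // TLS 1.2-only suite

	// httptest supplies a throwaway self-signed certificate and a loopback listener.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13, CipherSuites: only12}
	srv.StartTLS()
	defer srv.Close()

	// srv.Client() already trusts the test certificate; mirror the restriction on the client.
	client := srv.Client()
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.MinVersion = tls.VersionTLS13
	tr.TLSClientConfig.CipherSuites = only12

	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, 0, err
	}
	resp.Body.Close()
	return resp.TLS.Version, resp.TLS.CipherSuite, nil
}

func main() {
	v, s, err := NegotiateTLS13()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 0x%04x with %s (TLS 1.3 suite: %v)\n", v, tls.CipherSuiteName(s), tls13Suites[s])
}
```

Which of the three suites you see depends on whether Go detects AES-GCM hardware support on the machine, but it will always be one of the three, never the TLS 1.2 suite that was configured.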
