If You're Reading This
By Christopher Burg
If you're reading this, I've configured my new reverse proxy correctly. I've spent the last couple of days performing a major overhaul of my network infrastructure. This overhaul gave me the opportunity to rethink a few of my servers. The biggest rework was with my reverse proxy. For years I've been using Nginx to provide TLS connections for my various self-hosted services. Many of my Nginx configuration files were nightmares to read and edit because of the complexity of some of the services I self-host. It was finally bad enough that I started searching for alternatives. I eventually came across Caddy.
Caddy fucks. Consider the Nginx reverse proxy configuration for this blog, which is one of the simplest configurations on my reverse proxy server:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen *:80;
    server_name www.christopherburg.com;
    include conf.d/certbot.conf;

    location / {
        return 301 https://www.christopherburg.com$request_uri;
    }
}

server {
    listen *:443 ssl http2;
    server_name www.christopherburg.com;
    autoindex off;
    access_log <path to the access logs>;

    ssl_certificate <path to the certificate>;
    ssl_certificate_key <path to the certificate key>;
    ssl_trusted_certificate <path to the trust chain>;
    # A bunch of TLS configurations to ensure old, weak ciphers aren't used.
    include conf.d/ssl.conf;

    location / {
        proxy_pass http://<actual server hosting site>;
        include conf.d/headers.conf;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_request_buffering off;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
Now look at the Caddy equivalent:
www.christopherburg.com {
    reverse_proxy <actual server hosting site>
}
Caddy handles most of the heavy lifting. It ensures TLS is enabled, automatically obtains certificates for your sites via Let's Encrypt, automatically redirects HTTP to HTTPS, and has sane defaults for the reverse proxy settings. Writing the Ansible playbook to build my reverse proxy took me about an hour, and that's with zero Caddy experience beforehand.
With this change comes another. I finally shut down the old WordPress blog. Its URL, blog.christopherburg.com, now redirects here. Setting up this redirect in Caddy was as simple as:
blog.christopherburg.com {
    redir https://www.christopherburg.com/blog/
}
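One way to confirm that a cutover like this preserved both behaviours described above (the automatic HTTP to HTTPS redirect and the blog.christopherburg.com redirect) is to issue single requests and compare each Location header against the intended target instead of letting a client follow the chain. This is an added example, not code from the post or from the Caddy project; the hostnames come from the post, while the HEAD method, the sample path and the timeout are my assumptions.

```python
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def check_redirect(status, location, expected_url):
    """Return (ok, reason). The response must be a redirect (a 200 would mean
    plain-HTTP serving) whose Location matches expected_url exactly in scheme,
    host, path and query, so a Caddyfile typo such as an http:// target or a
    missing trailing slash is reported instead of being followed silently."""
    if status not in REDIRECT_CODES:
        return False, f"expected a redirect, got {status}"
    if not location:
        return False, "redirect without Location header"
    got, want = urlsplit(location), urlsplit(expected_url)
    if got.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if (got.netloc.lower(), got.path, got.query) != (want.netloc.lower(), want.path, want.query):
        return False, f"expected {expected_url}, got {location}"
    if status in (301, 308):
        return True, "permanent"
    return True, "temporary (302/307); use a permanent code if the move is final"

def fetch_once(host, path, tls):
    """Send one HEAD request and return (status, Location) without following it."""
    if tls:  # certificate validation happens here via the default context
        conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

if __name__ == "__main__":
    # Live checks against the hosts named in the post. The blog host is queried
    # over TLS because on port 80 Caddy's automatic HTTP->HTTPS redirect answers
    # first; the redirect to /blog/ is only visible on the HTTPS listener.
    checks = [
        ("www.christopherburg.com", "/some/page?x=1", False, "https://www.christopherburg.com/some/page?x=1"),
        ("blog.christopherburg.com", "/", True, "https://www.christopherburg.com/blog/"),
    ]
    for host, path, tls, expected in checks:
        status, location = fetch_once(host, path, tls)
        ok, why = check_redirect(status, location, expected)
        print(f"{host}{path}: {'OK' if ok else 'FAIL'} ({status}) {why}")
```

Caddy's redir directive sends a 302 unless a code (or the keyword permanent) is given, whereas the Nginx configuration above used 301, so the "temporary" result is the one to look at if the old URL should be treated as permanently moved.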
Caddy is working so well that I'm wondering when the other shoe will drop. When will a weird edge case rear its ugly head and bring me hours of frustration as I try desperately to fix it? I don't know the answer to that. Until it does appear, though, I'm very impressed with Caddy. If you're self-hosting websites, I strongly encourage you to check it out.