Caddy: Difference between revisions

From NixOS Wiki
Add debugging section
m Add debug subsections
Line 96: Line 96:
== Debugging ==
== Debugging ==

=== Check used ports ===

To check if Caddy is running and listening as configured you can run netstat:
To check if Caddy is running and listening as configured you can run netstat:
Line 109: Line 110:
The tcp (ipv4) socket port 2019 is Caddy's management endpoint, for when you want manage its config via web REST calls instead of Nix (ignore).
The tcp (ipv4) socket port 2019 is Caddy's management endpoint, for when you want manage its config via web REST calls instead of Nix (ignore).
The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that a virtualhost config was used.
The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that a virtualhost config was used.
=== Check connections ===

You can also use curl to test http(s) calls. However, you must set the "Host" header correctly when testing locally:
You can also use curl to test http(s) calls. However, you must set the "Host" header correctly when testing locally:

Revision as of 09:03, 8 July 2023

Caddy is a HTTP/2 capable web server with automatic HTTPS.


The example snippet below will run Caddy on http://localhost and serving an example.html page.

services.caddy = {
  enable = true;
  extraConfig = ''
    http://localhost {
      encode gzip
      root * ${
        pkgs.runCommand "testdir" {} ''
          mkdir "$out"
          echo hello world > "$out/example.html"

Configuration examples


Caddy will automatically try to acquire SSL certificates for the specified domain, in this example This requires you to configure the DNS records of your domain correctly, which should point to the address of your Caddy server. The firewall ports 80 and 443 needs to be opened.

services.caddy = {
  enable = true;
  virtualHosts."".extraConfig = ''
    encode gzip
    root * ${
      pkgs.runCommand "testdir" {} ''
        mkdir "$out"
        echo hello world > "$out/example.html"

Reverse proxy

The following snippet creates a reverse proxy for the domain, redirecting all requests to

services.caddy = {
  enable = true;
  virtualHosts."".extraConfig = ''


Redirecting and to

services.caddy = {
  enable = true;
  virtualHosts."" = {
    extraConfig = ''
    serverAlias = [ "" ];


Serving a PHP application in /var/www on http://localhost .

services.caddy = {
  enable = true;
  virtualHosts."http://localhost" = {
    extraConfig = ''
      root    * /var/www
      php_fastcgi unix/var/run/phpfpm/localhost.sock

You'll need a PHP-FPM socket listening on Unix socket path /var/run/phpfpm/localhost.sock.


Check used ports

To check if Caddy is running and listening as configured you can run netstat:

$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q  Local Address      Foreign Address         State       PID/Program name    
tcp        0              0*               LISTEN      1202/caddy          
tcp6      0              0          :::80                               :::*                  LISTEN      1202/caddy          
tcp6      0              0          :::443                             :::*                  LISTEN      1202/caddy          
udp6     0              0          :::443                             :::*                                    1202/caddy

The tcp (ipv4) socket port 2019 is Caddy's management endpoint, for when you want manage its config via web REST calls instead of Nix (ignore). The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that a virtualhost config was used.

Check connections

You can also use curl to test http(s) calls. However, you must set the "Host" header correctly when testing locally:

$ curl localhost -H "Host:"

for an virtualhost config like

services.caddy = {
  enable = true;
  virtualHosts."".extraConfig = ''
    respond "Hello, world!"

If the response is empty, try setting a port number like 80 and/or try a local TLS security certificate instead of global LetsEncrypt:

services.caddy = {
  enable = true;
  virtualHosts."".extraConfig = ''
    respond "Hello, world!"
    tls internal

With "tls internal" Caddy will generate a local certificate, which is good when testing locally and/or you don't have internet access (e.g. inside a nixos-container).

See also