Evaluate Caddy as TLS Proxy for HTTPS Termination #270

@josecelano

Description

Research and experimentation task to evaluate Caddy as a simpler alternative to nginx+certbot for adding HTTPS termination to deployed Torrust Tracker environments.

Parent Epic: #1 - Roadmap (Item 6: Add HTTPS support)
Predecessor: #234 - Pingoo evaluation (CLOSED - Not Adopted due to lack of WebSocket support)

Overview

This evaluation follows the Pingoo evaluation (#234), which was not adopted because it strips WebSocket Upgrade headers required for Grafana Live functionality.

Why Caddy?

From Caddy's feature documentation:

  • WebSocket support (full duplex, streaming) - Pingoo lacks this
  • Automatic HTTPS with Let's Encrypt (HTTP-01, TLS-ALPN-01, DNS-01)
  • Simple configuration via Caddyfile
  • Zero-downtime reloads via API or CLI
  • Built-in Prometheus metrics at /metrics
  • Mature (since ~2015), large community
  • Written in Go (memory-safe)

Goals

Primary Goals

  • Verify WebSocket Support: Confirm Grafana Live works through Caddy (critical requirement that Pingoo failed)
  • Validate Automatic HTTPS: Test certificate generation and renewal
  • Compare Configuration: Document simplicity vs nginx+certbot
  • Evaluate for Production: Determine if Caddy can replace nginx+certbot

Test Environment

Server (Hetzner ccx23, Ubuntu 24.04):

  • Domain: torrust-tracker.com (with subdomains: api, http1, grafana)
  • IP: 46.224.206.37

Directory Structure:

/opt/torrust/                    # Production deployment (no HTTPS yet)
└── docker-compose.yml + storage/

/root/experiments/               # Pingoo experiments (issue #234)
├── experiment-1/ ... experiment-4/

Target Architecture:

  • Tracker API: https://api.torrust-tracker.com → http://tracker:1212
  • HTTP Tracker: https://http1.torrust-tracker.com → http://tracker:7070
  • Grafana: https://grafana.torrust-tracker.com → http://grafana:3000 (WebSocket!)
  • UDP Tracker: udp://udp1.torrust-tracker.com:6969 (no TLS)

Implementation Plan

Phase 1: Environment Preparation (30 min)

  • Verify Hetzner server availability
  • Verify DNS records point to server
  • Clean up Pingoo experiments
  • Ensure ports 80 and 443 are open

Phase 2: Experiment - Full Stack with Caddy (2-3 hours)

Deploy complete production stack with Caddy:

  • Caddy service (ports 80, 443)
  • Tracker (API + HTTP + UDP)
  • Prometheus
  • Grafana

Critical Test: Grafana WebSocket connections (must preserve Upgrade header)
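As an added illustration of the Target Architecture and the Phase 2 stack (not configuration from the original issue or the Torrust project), a Caddyfile that maps the three HTTPS subdomains to the Docker service names above. Caddy's `reverse_proxy` forwards the `Upgrade` and `Connection` headers unchanged, so the Grafana WebSocket path needs no extra directive; the ACME contact address is a placeholder.

```caddyfile
{
    # Contact address for the Let's Encrypt account (placeholder, not from the issue)
    email admin@example.com
}

# Tracker REST API
api.torrust-tracker.com {
    reverse_proxy tracker:1212
}

# HTTP tracker (announce/scrape)
http1.torrust-tracker.com {
    reverse_proxy tracker:7070
}

# Grafana, including Grafana Live over WebSocket.
# reverse_proxy passes the Upgrade/Connection headers through by default,
# which is the behaviour Pingoo lacked (#234).
grafana.torrust-tracker.com {
    reverse_proxy grafana:3000
}

# The UDP tracker on udp1.torrust-tracker.com:6969 is not proxied:
# Caddy terminates TLS for HTTP only, and the UDP port stays exposed
# directly by the tracker container, as the Target Architecture states.
```

Certificates for all three hosts are obtained automatically on first start as long as ports 80 and 443 are reachable (Phase 1), so the renewal check in the acceptance criteria reduces to watching Caddy's logs around the renewal window.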

Phase 3: Documentation and Decision (1-2 hours)

  • Create research directory: docs/research/caddy-tls-proxy-evaluation/
  • Document experiment results
  • Compare with Pingoo evaluation
  • Write recommendation
  • Create ADR if adopting

Acceptance Criteria

Functional:

  • All services accessible via HTTPS with valid Let's Encrypt certificates
  • Tracker API and HTTP tracker work correctly
  • Grafana WebSocket connections work (critical - Pingoo failed this)
  • Grafana Live real-time updates functional
  • No disconnections over 5-minute monitoring period

Documentation:

  • Research directory created with experiment results
  • Comparison with Pingoo evaluation documented
  • Clear recommendation provided
  • ADR created if adopting Caddy

References

Full specification: docs/issues/evaluate-caddy-for-https-termination.md
