
Evaluate Caddy for HTTPS Termination#271

Merged
josecelano merged 8 commits into main from 270-evaluate-caddy-for-https-termination on Jan 13, 2026

Conversation

@josecelano
Member

Summary

Evaluation of Caddy v2.10 as TLS termination proxy for Torrust Tracker deployments.

Status: ✅ Evaluation Complete - Recommend Adoption

Closes #270

Key Results

  • WebSocket support works perfectly (Pingoo's critical failure point)
  • Automatic Let's Encrypt certificates (~3-4 seconds for 3 domains)
  • Simple configuration (21 lines vs nginx+certbot complexity)
  • All HTTPS endpoints verified:
    • Tracker API: /api/health_check → HTTP/2 200
    • HTTP Tracker: /announce and /health_check → HTTP/2 200
    • Grafana UI: redirect to login → HTTP/2 302
  • Production-ready with automatic certificate renewal
  • Built-in HTTP/3 (QUIC) support

WebSocket Test (Critical)

URL: wss://grafana.torrust-tracker.com/api/live/ws
Status: 101 Switching Protocols
Result: ✅ Dashboard live updates working perfectly

This was the critical failure point for Pingoo (#234).

Documentation

  • Experiment Report: docs/research/caddy-tls-proxy-evaluation/experiment-full-stack.md
  • Conclusion: docs/research/caddy-tls-proxy-evaluation/conclusion.md
  • Configuration Files: docs/research/caddy-tls-proxy-evaluation/experiment-files/ (secrets redacted)

Recommendation

ADOPT CADDY as the TLS termination proxy for Torrust Tracker deployments.

Rationale:

  • Solves the critical WebSocket issue that blocked Pingoo
  • Dramatically simpler than nginx+certbot approach
  • Production-ready with automatic certificate management
  • Better protocol support (HTTP/3/QUIC built-in)
  • Lower operational overhead

Next Steps

  1. Create ADR documenting Caddy adoption decision
  2. Update deployer templates with Caddy configuration
  3. Migrate production deployments to Caddy
  4. Document Caddy configuration in user guide

Draft Status

This PR is marked as draft to allow for additional improvements while colleagues review the evaluation results.

- Complete experiment report with deployment procedure and test results
- Evaluation conclusion with recommendation to adopt Caddy
- Configuration files with redacted secrets
- WebSocket test passed (critical success criterion where Pingoo failed)
- All HTTPS endpoints verified working
- Automatic Let's Encrypt certificates (~3-4 seconds for 3 domains)
@josecelano josecelano self-assigned this Jan 13, 2026
@josecelano josecelano requested a review from da2ce7 January 13, 2026 11:37
- Use tabs instead of spaces for indentation (Caddy standard)
- Add comment warning about tab requirement to prevent future issues
- Fixes warning: 'Caddyfile input is not formatted'
- Verified on server after restart - no warnings
- Add section explaining single-file vs multi-file (import) configuration
- Document trade-offs between approaches
- Recommend single-file for initial implementation (consistent with docker-compose pattern)
- Note that multi-file pattern can be adopted later if needed
- Explain HTTP/2 and HTTP/3 warnings on port 80 (expected, redirect-only port)
- Explain OCSP stapling warning (security feature working correctly)
- Clarify that all warnings indicate correct, secure behavior
- Add verification commands for HTTP/2 and HTTP/3 on port 443
- Add OCSP to project dictionary
- Use 'caddy validate' command to verify configuration is valid
- Follows same healthcheck pattern as other services (Prometheus, Grafana)
- Verified working on test server (status: healthy)
- Healthcheck runs every 10s with 5s timeout
- Add comment clarifying healthcheck is built into torrust/tracker image
- Documents endpoint: http://localhost:${HEALTH_CHECK_API_PORT}/health_check
- Prevents future confusion about missing healthcheck configuration
- Add comprehensive security scan for caddy:2.10 image
- Document 4 vulnerabilities (3 HIGH, 1 CRITICAL) in dependencies
- Scan shows Alpine base is clean, vulnerabilities only in Go binary deps
- Assessment: Safe to deploy with monitoring, patches expected soon
- Add Phase 6 to implementation plan: Update security workflow
- Document requirement to add caddy to .github/workflows/docker-security-scan.yml
- Add 'smallstep' to project-words.txt for spell checking
- Add experiments/ to .gitignore to prevent committing files with secrets
@josecelano josecelano marked this pull request as ready for review January 13, 2026 13:57
- Deploy Caddy configuration to production at /opt/torrust/
- Move Caddyfile to storage/caddy/etc/ following project conventions
- All services running healthy with HTTPS working
- Update experiment-files to match production structure
- Add production-deployment.md documenting deployment process
- Update conclusion.md and README.md with production status
- Production serves as reference for future Tera template creation
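The three-host setup the summary and the commit notes describe (a tab-indented Caddyfile, automatic Let's Encrypt certificates, and WebSocket pass-through to Grafana), written out as an added example; it is not the PR's own 21-line Caddyfile. grafana.torrust-tracker.com is the hostname the page gives; the other two hostnames, the ACME contact address, and the upstream service names and ports are assumptions:

```caddyfile
# Added example, not the PR's Caddyfile. Indentation uses TAB characters:
# Caddy logs "Caddyfile input is not formatted" when spaces are used instead.

{
	# ACME account contact for Let's Encrypt (assumed address)
	email admin@example.com
}

# Tracker REST API (hostname, upstream name and port are assumptions)
api.torrust-tracker.com {
	reverse_proxy tracker:1212
}

# HTTP tracker: /announce, /scrape and /health_check (assumed hostname/port)
tracker.torrust-tracker.com {
	reverse_proxy tracker:7070
}

# Grafana UI. reverse_proxy forwards the Connection/Upgrade handshake unchanged,
# so /api/live/ws completes with 101 Switching Protocols without extra directives.
grafana.torrust-tracker.com {
	reverse_proxy grafana:3000
}
```

Everything not written explicitly here comes from Caddy's automatic HTTPS defaults: certificate issuance and renewal for each site block, the plain-HTTP listener on port 80 that only redirects to HTTPS (which is why HTTP/2 and HTTP/3 are reported as unavailable there), OCSP stapling, and HTTP/3 on port 443. The container healthcheck the commits describe can be expressed as `caddy validate --config /etc/caddy/Caddyfile`, which parses and adapts the file without binding any port, and `caddy fmt` prints the canonical formatting so the indentation warning can be cleared before deploying.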
@josecelano josecelano force-pushed the 270-evaluate-caddy-for-https-termination branch from 5dfb0bb to 5026ea9 on January 13, 2026 15:32
@josecelano
Member Author

ACK 5026ea9

@josecelano josecelano merged commit 5dda1ae into main Jan 13, 2026
34 checks passed

Development

Successfully merging this pull request may close these issues.

Evaluate Caddy as TLS Proxy for HTTPS Termination