Downloads of v 0.9.5:


Last Update:

02 Mar 2017

Package Maintainer(s):

Software Author(s):

  • Matt Holt


caddy web server


0.9.5 | Updated: 02 Mar 2017



Downloads of v 0.9.5:



Software Author(s):

  • Matt Holt


caddy web server

Caddy 0.9.5

All Checks are Passing

2 Passing Test

Validation Testing Passed

Verification Testing Passed


To install Caddy, run the following command from the command line or from PowerShell:


To upgrade Caddy, run the following command from the command line or from PowerShell:


To uninstall Caddy, run the following command from the command line or from PowerShell:


NOTE: This applies to both open source and commercial editions of Chocolatey.

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Enter your internal repository url

(this should look similar to

4. Choose your deployment method:

choco upgrade caddy -y --source="'STEP 3 URL'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:

choco upgrade caddy -y --source="'STEP 3 URL'"

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0

Exit $exitCode

- name: Ensure caddy installed
    name: caddy
    state: present
    version: 0.9.5
    source: STEP 3 URL

See docs at

Coming early 2020! Central Managment Reporting available now! More information...

chocolatey_package 'caddy' do
  action    :install
  version  '0.9.5'
  source   'STEP 3 URL'

See docs at

    Name: caddy,
    Version: 0.9.5,
    Source: STEP 3 URL

Requires Otter Chocolatey Extension. See docs at

cChocoPackageInstaller caddy
   Name     = 'caddy'
   Ensure   = 'Present'
   Version  = '0.9.5'
   Source   = 'STEP 3 URL'

Requires cChoco DSC Resource. See docs at

package { 'caddy':
  provider => 'chocolatey',
  ensure   => '0.9.5',
  source   => 'STEP 3 URL',

Requires Puppet Chocolatey Provider module. See docs at

salt '*' chocolatey.install caddy version="0.9.5" source="STEP 3 URL"

See docs at

5. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

This package was approved by moderator AdmiringWorm on 09 Mar 2017.


Caddy is a lightweight, general-purpose web server for Windows, Mac, Linux, BSD and Android. It is a capable alternative to other popular and easy to use web servers. (@caddyserver on Twitter)

The most notable features are HTTP/2, Let's Encrypt support, Virtual Hosts, TLS + SNI, and easy configuration with a Caddyfile. In development, you usually put one Caddyfile with each site. In production, Caddy serves HTTPS by default and manages all cryptographic assets for you.

User Guide

Server Types

  • DNS - DNS server core (see
  • HTTP - HTTP server core; everything most sites need


  • awslambda - Gateways requests to AWS Lambda functions
  • cors - Easily configure Cross-Origin Resource Sharing
  • expires - Add expiration headers to assets
  • filemanager - Manage files on your server with a GUI
  • filter - Filter response body contents
  • git - Deploy your site with git push
  • hugo - Static site generator with admin interface
  • ipfilter - Block or allow clients based on IP origin
  • jsonp - Wrap JSON responses as JSONP
  • jwt - Authorization with JSON Web Tokens
  • locale - Detect locale of client
  • mailout - SMTP client with REST API and PGP encryption
  • minify - Minify static assets on-the-fly
  • multipass - Authorization by email
  • prometheus - Prometheus metrics integration
  • ratelimit - Limit rate of requests
  • realip - Restore original IP when behind a proxy
  • search - Site search engine
  • upload - Upload files

DNS Providers

  • cloudflare
  • digitalocean
  • dnsimple
  • dyn
  • gandi
  • googlecloud
  • linode
  • namecheap
  • ovh
  • rfc2136
  • route53
  • vultr

md5: 68BDE4D1B4258D308A9B416A0A7E10E4 | sha1: C5759CA58FFA818555F65D062DB0E2277012808A | sha256: EF25C5095BDE4AF7B033465098BD9FB72FA095D8AA04EB51FCE016A9FB6CF51A | sha512: 7033FB3A5EC97EB680129F744240D63A15A463F47E752079935A0F6A08592B8D27940C7716B9794ECA6AFE4324C81056B64AF531437E28276F14020B878D23A5
md5: AFD3FEC180E7C383E1D2156F15513CBA | sha1: 768E84090CA0551CB74D074C75337FC42BEFA4FD | sha256: 9A0EA98E3BFC266561AA521C4AD2DE7A08A780B5DBC2E27DB61DB9E85F792EFF | sha512: B946D105FAD539DCE738F247B5F3835388764C768E97AFF5C0B4B33460B0A2EB7FE69ED33C9D8DB81001AD859514F6E8AED9D882020437A4A4402DB24DBA2043
$installDir = Split-Path -Parent $MyInvocation.MyCommand.Definition

$zipFile = if (Get-ProcessorBits 32) {
    Join-Path $installDir ""
} else {
    Join-Path $installDir ""

Get-ChocolateyUnzip $zipFile $installDir
VERIFICATION.TXT is intended to assist the Chocolatey moderators and community
in verifying that this package's contents are trustworthy.

The following package files can be verified by comparing a hash of their content
to hash of the file available at the corresponding download URL.

These download URLs are what we assert to be the trusted source for those files.



Caddy's download server only serves the most recent release. As such, the URLs
above always point to the most recent Caddy release which may not match this
package version.

This package is built for Caddy version: 0.9.5.

Log in or click on link to see number of positives.

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Version Downloads Last Updated Status
Caddy 0.8.3 348 Monday, May 16, 2016 Approved
Caddy 263 Friday, March 11, 2016 Approved

Caddy 0.9.5 contains several critical fixes and we recommend applying the update right away. Please read these notes first, though!

Thank you to the collaborators and contributors for all your hard work (especially @tw4452852 and @lhecker - among many others, see the commit history) while I've been busy working on the new website and build infrastructure!

HTTP Timeouts Enabled by Default

Caddy aims to be secure right out of the box. In order to prevent faulty or malicious clients from seeping resources away with slowloris behavior, Caddy now enables timeouts by default. In general, this will not affect most users. However, you may need to raise or disable these timeouts depending on your legitimate visitors' needs and your server's configuration. If your visitors have legitimately slow networks or you need to hold requests for a long time (e.g. long polling or proxying long requests to a trusted backend), consider raising these timeouts.

Default timeout values:

  • read: 10s (time spent reading request headers and body)
  • header: 10s (time spent reading just headers; not used until Go 1.8 is released)
  • write: 20s (starts at reading request body, ends when finished writing response body)
  • idle: 2m (time to hold connection between requests; not used until Go 1.8 is released)

As you can see, a couple of the timeout values will begin functioning when Caddy is built on Go 1.8, expected within about a month. Go ahead and set them now; they will just start working when supported. See the timeouts pull request and docs.

Critical Uptime/Connectivity Fix

This is a little embarrassing, but if conditions were just right, Caddy would initiate a certificate renewal using the TLS-SNI-01 challenge, which would cause a deadlock. Subsequent TLS handshakes would block forever until the server stopped responding to requests. It took months to find and fix this because it only happened when very specific conditions are met: certificate needs renewal (once every 60 days), TLS-SNI-01 challenge is chosen (by roll of dice), renewal is trigged from background maintenance goroutine (not on-demand or during startup), and Let's Encrypt did not have a cached authz for that domain. Now it's fixed.

A huge thanks to Bradley Falzon (@bradleyfalzon), Miek Gieben (@miekg), and Sebestian Erhart (@xenolf) for spending considerable time to help me debug this. It wasn't possible without their hours of help.

Proxy performance improvements

We continue to iterate on Caddy's proxy functionality. Caddy was never designed to be a reverse proxy except as a very simple one, just to say that it can do it. But it turns out that proxy is one of the most popular directives. So with this release, we've improved on a recent regression that buffered request bodies. Proxy configurations with a single upstream or with try_duration unset (0) will be much faster and use less memory. We're still improving upon failure conditions and retry behavior; we had a rich discussion in #1314 about it. You should also see better HTTPS+websockets support.

Also, the deprecated proxy_header subdirective is no longer accepted; use header_upstream instead.

Minor security fixes in browse

The browse middleware was improved a bit. First, a filter textbox was added to instantly filter the listings by file name. We also now sanitize the file names and links in case, for some reason, you are not already doing that with untrusted files. I want to thank Kevin Froman (@beardog108) for the responsible reporting of this as a precaution. I also went ahead and made sure the browse directive will hide the active Caddyfile if it is within your site's root, no matter the current working directory.

Other things

There's a new -validate flag to load and parse your Caddyfile, then terminate. It will tell you if the Caddyfile is syntactically valid or not. There's also new placeholders: {when_iso} gives you the UTC timestamp in ISO 8601 format, and {rewrite_path} gives you the URI path after a rewrite ({path} gives the path as it originally was on the request before any rewrites).

Full change list:

  • New -validate flag to only check a Caddyfile, then exit
  • New {when_iso} placeholder for timestamp ISO 8601 in UTC
  • New {rewrite_path} and {rewrite_path_escaped} placeholders
  • New 'timeouts' directive to configure or disable HTTP timeouts
  • HTTP-level timeouts enabled by default
  • browse: Added textbox to filter listing in default template
  • browse: Sanitize file names and links in default template
  • browse: Ensure active Caddyfile is hidden regardless of cwd
  • fastcgi: New 'root' property, mainly for use with containers
  • markdown: Apply some front matter fields as <meta> tags
  • proxy: Fixed HTTP/2 upstream to backend; honors -http CLI flag
  • proxy: Fixed websockets over HTTPS
  • proxy: Reduced memory usage and improved performance
  • proxy: Added support for HTTP trailers
  • tls: Fixed deadlock that affected some background renewals
  • Several other smaller bugs squashed and improvements made

Thanks for continuing to use Caddy!

This package has no dependencies.

Discussion for the Caddy Package

Ground Rules:

  • This discussion is only about Caddy and the Caddy package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or Caddy, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus