Caddy or nginx - which should I use?

Caddy is the fastest path to correct HTTPS: it obtains and renews Let's Encrypt certificates automatically with zero extra steps, and its config is tiny. nginx is the more ubiquitous default with the largest ecosystem, but you pair it with certbot to get and renew certificates. For a new self-hosted app, Caddy gets you to working HTTPS in the fewest moves; pick nginx if your team already runs it.

Why put a reverse proxy in front of my app at all?

So your app process never faces the raw internet. The proxy terminates TLS (HTTPS), adds security headers, handles compression and websockets, can rate-limit and block abuse, and lets you run several apps on one box behind one IP. Your app just listens on localhost and does its job; the proxy handles everything edge-facing - which is one of the operations a managed platform did for you invisibly.

Does this set up auto-renewing certificates?

With Caddy, yes - certificate issuance and renewal are automatic and built in. With nginx, the generated commands use certbot, which installs a renewal timer so certificates renew before they expire. Either way you should confirm renewal works once (Caddy logs it; for certbot run 'certbot renew --dry-run').

Free tool · Runs in your browser · Nothing uploaded

Put your app behind HTTPS.

Your app should never face the raw internet. Point a domain at it, pick Caddy or nginx, and get a production reverse-proxy config with automatic HTTPS, security headers, and websockets — plus the commands to install it on a box you own.

Your domain

App is running on

Security headers (HSTS, nosniff, frame) WebSocket support Compression (gzip) Redirect www → root

Caddyfile

Install commands

The edge layer you inherit

On a managed platform, HTTPS just happened. Certificates, renewal, security headers, HTTP/2, gzip, the redirect from http to https — all handled before your code ever ran. Move to a box you own and that edge becomes yours to set up and keep correct. A reverse proxy is how you do it cleanly: your app stays on localhost doing one job, and everything internet-facing lives in one config you can read.

Getting it right once is a copy-paste. Keeping it right across every service and host — certs that renew, headers that stay set, configs that don't drift — is the ongoing work. That's the layer a control plane manages for you.

Related free tools

systemd service generatorKeep your app running Backup script generatorDump, offsite, restore RPO / RTO calculatorData loss + downtime Log rotation estimatorWhen logs fill the disk

All free tools →

Correct HTTPS is step one. Keeping it correct is the job.

Infraveil manages the edge, the services behind it, and the proof that nothing drifted — across every host you own, from one place. Self-hosted, without the self-managed sprawl.

See how it works

Get the self-hosting edge playbook

TLS, proxies, headers, and hardening for a backend you run yourself. No spam.