This page provides a practical minimal Caddy baseline for current Debian and RHEL systems.
Configuration file: /etc/caddy/Caddyfile
The default service account is typically caddy.
# Option A: static site served from disk.
# Use either option A or option B for a given hostname: Caddy refuses to load
# a Caddyfile that defines the same site address in two blocks.
example.com {
    root * /var/www/example.com/public
    encode zstd gzip
    file_server

    # Modern security headers
    header {
        X-Content-Type-Options nosniff
        X-Frame-Options SAMEORIGIN
        Referrer-Policy strict-origin-when-cross-origin
        # Legacy header: current browsers ignore it; kept only for old clients
        X-XSS-Protection "1; mode=block"
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Note: the http: and https: sources admit any origin; tighten this CSP before relying on it
        Content-Security-Policy "default-src 'self' http: https:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
    }

    log {
        output file /var/log/caddy/example-access.log
        format json
    }
}

# Option B: reverse proxy to a local application listening on 127.0.0.1:3000.
example.com {
    encode zstd gzip
    reverse_proxy 127.0.0.1:3000 {
        # Active health checks: an upstream failing /health is taken out of rotation
        health_uri /health
        health_interval 10s
        health_timeout 2s
    }

    # Enhanced security headers for reverse proxy
    header {
        X-Content-Type-Options nosniff
        X-Frame-Options SAMEORIGIN
        Referrer-Policy strict-origin-when-cross-origin
        # Legacy header: current browsers ignore it; kept only for old clients
        X-XSS-Protection "1; mode=block"
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Note: http: and https: in script-src and style-src allow scripts and styles from any origin
        Content-Security-Policy "default-src 'self' http: https:; script-src 'self' 'unsafe-inline' http: https:; style-src 'self' 'unsafe-inline' http: https:"
    }

    log {
        output file /var/log/caddy/example-access.log
        format json
    }
}
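The Content-Security-Policy values in the two header blocks above are permissive: http: and https: source expressions admit any origin, and 'unsafe-inline' in script-src allows injected inline scripts to run. The following is an added example, not part of the original page: a small Python checker that parses a policy value and reports those points, run against the two policies copied from the blocks above and a constructed tightened alternative.

```python
"""Static check of Content-Security-Policy values such as the ones in the header blocks above."""
from __future__ import annotations

# Sources that effectively allow every origin for a scheme.
SCHEME_WILDCARDS = {"http:", "https:", "*"}
# If any of these is present, CSP3 browsers ignore 'unsafe-inline' in the same directive.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed inputs: the two policies from the Caddyfile above, plus a tightened alternative.
PAGE_STATIC_CSP = ("default-src 'self' http: https:; script-src 'self' 'unsafe-inline'; "
                   "style-src 'self' 'unsafe-inline'")
PAGE_PROXY_CSP = ("default-src 'self' http: https:; script-src 'self' 'unsafe-inline' http: https:; "
                  "style-src 'self' 'unsafe-inline' http: https:")
HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source, ...]}; names are case-insensitive, first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Fetch directives that are not set explicitly inherit default-src."""
    return policy.get(directive, policy.get("default-src", []))


def csp_findings(value: str) -> list[str]:
    """Return the points a reviewer would raise; a heuristic, not a full CSP3 evaluator."""
    policy = parse_csp(value)
    findings: list[str] = []
    for directive in ("script-src", "object-src"):
        if SCHEME_WILDCARDS & set(effective_sources(policy, directive)):
            findings.append(f"{directive}: scheme-wide source (http:/https:/*) allows any origin")
    script = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in script and not any(s.startswith(HASH_OR_NONCE) for s in script):
        findings.append("script-src: 'unsafe-inline' without a nonce or hash permits injected inline scripts")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: should be 'none' unless plugin content is really needed")
    if "base-uri" not in policy:
        findings.append("base-uri: missing, so an injected <base> tag can redirect relative URLs")
    return findings


if __name__ == "__main__":
    for name, csp in (("static", PAGE_STATIC_CSP), ("proxy", PAGE_PROXY_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: {csp_findings(csp) or ['no findings']}")
```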
encode zstd gzip: reduces bandwidth usage and improves response times.
reverse_proxy: forwards traffic to upstream app services.
health_uri and health timings: fail fast on unhealthy backends.
header { ... }: baseline browser hardening headers.
log to file with JSON: easier integration with centralized logging.
Validate Caddyfile syntax before reload:
sudo caddy validate --config /etc/caddy/Caddyfile
Apply changes:
sudo systemctl reload caddy
Check service status:
sudo systemctl status caddy
/var/log/caddy and web root paths are writable/readable by caddy where required.
Caddy provides native support for HTTP/3 over QUIC. To enable HTTP/3 for your sites:
# Global options block; it must be the first block in the Caddyfile.
{
    servers {
        # HTTP/3 is enabled by default whenever a site has TLS (Caddy 2.6 and later);
        # listing the protocols explicitly documents the intent. UDP/443 must be
        # reachable for QUIC in addition to TCP/443.
        protocols h1 h2 h3
    }
}

example.com {
    # Your site configuration
}
For servers that should offer only HTTP/3 (browsers discover HTTP/3 through the Alt-Svc header on an HTTP/1.1 or HTTP/2 response, so an h3-only server is mainly useful for testing with clients that are told about it out of band):
{
    servers {
        # Offer only HTTP/3
        protocols h3
        timeouts {
            idle 30s
        }
    }
}

example.com {
    # Your site configuration
}
127.0.0.1 or internal VLAN).