apex VS Caddy

Just skimmed through the generated one for go and seems like it's listing the package apex, which is archived (which usually means deprecated), so I'm not sure how useful the tool is!

Apex (label: contrib (easy)) Build, Deploy, and Manage AWS Lambda functions with ease

Unfortunately, the CVE database(s) are too noisy to be useful. It could benefit from higher standards and more thorough vetting. (Maybe take some lessons from academia.)

A "security researcher" once filed a CVE for a regular bug in Caddy [0], making claims that were totally provably false. It was assigned 7.5... the same as Heartbleed [1] -- yes, the one that leaked almost all the private encryption keys on the Internet back in 2014.

More recently I inadvertently discovered a 0-day RCE in acme.sh [2]. (ACME clients are security-sensitive contexts since they typically deal with private keys and download signed credentials.) Anyway, it was assigned a CVSS 3.x score of * 9.8 * [3] -- I imagine that should be like "cyber-nuclear meltdown" territory, but no, this was actually benign as far as we can tell. Probably deserves more like a 5 or 6 or something.

Anyway, the whole system is broken, and I'm effectively ignoring CVEs now. But if someone tells me to patch my , I'll probably just do that.

[0]: https://github.com/caddyserver/caddy/issues/4775

[1]: https://nvd.nist.gov/vuln/detail/cve-2014-0160

[2]: https://matt.life/writing/the-acme-protocol-in-practice-and-...

[3]: https://nvd.nist.gov/vuln/detail/CVE-2023-38198

https://caddyserver.com/ is implemented in Go, production-ready, and easy to setup with a one-liner (though personally I would use official binaries or compile from source rather than use the builds from a distro package manager)

It’s had an Apache-2.0 license for at least the last 4 years: https://github.com/caddyserver/caddy/blob/master/LICENSE

Same for Caddy which is even easier than nginx https://caddyserver.com/

Header that is impossible to turn off since it's hardcoded here: https://github.com/caddyserver/caddy/blob/master/modules/cad...

The developer's annoying response is "it doesnt improve privacy or security, so we won't give you the option to remove it".

Nope that's https://caddyserver.com/, which also improves on nginx in a number of other ways.

Honestly when I saw this post on the top of HN I thought I'd time-warped back to 2013. There is a better choice today. It's called Caddy.

I've tried to extend my work day by checking on projects from the train. Absent spotty data coverage, I've found GitHub works fine and I can do light code reviews easily.

GitHub pulse[1] is a great UI for looking at recent activity. This page is bare for the SQLite mirror because they don't work on GitHub so it only has commit history. The linked Caddy project is a better example. IMO it looks more useful than the timeline.

I wonder if anyone's built the equivalent view for git/GitHub already. Shouldn't be too difficult.

[1] https://github.com/caddyserver/caddy/pulse

Caddy where possible, and acme.sh or lego where not.

Have anyone tried other reverse-proxy for deploying webapps such as traefik: https://github.com/traefik/traefik caddy: https://github.com/caddyserver/caddy