appliku_start VS Caddy

The readme of the example app just says "R":

https://github.com/appliku/appliku_start

Fun fact, the website is "dynamically static", it's just markdown files being processed and rendered by Caddy itself using https://caddyserver.com/docs/caddyfile/directives/templates. It's also how the https://caddyserver.com/ is built as well. Also includes syntax highlighting for Caddyfile config, using a library called Chroma; I wrote the Caddyfile lexer myself a while back! I think it's pretty neat that Caddy can syntax highlight its own code 😁

Ask in the correct places for support: https://github.com/goauthentik/authentik/discussions and https://github.com/caddyserver/caddy/issues

5Y old post that sounds like they've done similar here: Caddy Issue Istio Issue but doesn't cover much of the implementation

Caddy is a web server like nginx. The biggest advandage of Caddy over nginx is, that it handles HTTPS automatically. You can find the script to install Caddy in their documentation.

This approach offers a level of customizability similar to what xcaddy does for the Caddy server, eliminating the complexities associated with writing Rhai scripts to customize a precompiled binary, as is the case with the Apollo Router.

Go is patching it soon: https://github.com/caddyserver/caddy/issues/5877#issuecommen...

(Caddy just uses Go's HTTP/2 implementation.)

Unfortunately, the CVE database(s) are too noisy to be useful. It could benefit from higher standards and more thorough vetting. (Maybe take some lessons from academia.)

A "security researcher" once filed a CVE for a regular bug in Caddy [0], making claims that were totally provably false. It was assigned 7.5... the same as Heartbleed [1] -- yes, the one that leaked almost all the private encryption keys on the Internet back in 2014.

More recently I inadvertently discovered a 0-day RCE in acme.sh [2]. (ACME clients are security-sensitive contexts since they typically deal with private keys and download signed credentials.) Anyway, it was assigned a CVSS 3.x score of * 9.8 * [3] -- I imagine that should be like "cyber-nuclear meltdown" territory, but no, this was actually benign as far as we can tell. Probably deserves more like a 5 or 6 or something.

Anyway, the whole system is broken, and I'm effectively ignoring CVEs now. But if someone tells me to patch my , I'll probably just do that.

[0]: https://github.com/caddyserver/caddy/issues/4775

[1]: https://nvd.nist.gov/vuln/detail/cve-2014-0160

[2]: https://matt.life/writing/the-acme-protocol-in-practice-and-...

[3]: https://nvd.nist.gov/vuln/detail/CVE-2023-38198

https://caddyserver.com/ is implemented in Go, production-ready, and easy to setup with a one-liner (though personally I would use official binaries or compile from source rather than use the builds from a distro package manager)

It’s had an Apache-2.0 license for at least the last 4 years: https://github.com/caddyserver/caddy/blob/master/LICENSE