HACKER Q&A
📣 martinbaun

Do you use Nginx in production? Or have you switched?


What are you using in front of your webapp? And more importantly, why?

I used NGINX for many years, but around 1.5 years ago I switched to Caddyserver, as the SSL certificates are just so nice getting auto-handled. I noticed a slight performance decrease, but for my kind of services it is not so important.

But I am curious: what do you use? And more importantly, why?


  👤 stephenr Accepted Answer ✓
We use HAProxy at the load balancers, and HAProxy/Varnish/Apache on the individual app server VMs.

This separates concerns completely:

- HAProxy knows about and manages the TLS, balancing, client routing etc;

- Varnish knows about and manages response caching and ESI processing (and often a combination of both);

- Apache knows about and runs the various backend services (a php web app, a couple of ruby third party tools, etc)

Nginx has some significant downsides compared to what we currently use, unless we opt for the paid version, which, best I can tell, is ~$1K/instance/month. These aren't hypothetical differences; these are features we actually use:

- no sync for load balancing data (sticky peer data, rate limit data, etc.): HAProxy supports this out of the box;

- no active health checks: HAProxy supports this out of the box;

- no API for purging cache: Varnish supports this out of the box;

- no ESI support: Varnish supports this out of the box. Best I can tell, even the paid version of nginx doesn't support this.


👤 re-thc
CDNs, ingress, etc. I haven't had to use a web proxy directly for years. At the end of the day, funnily enough, it's still nginx or similar behind the scenes.

Caddy for local development. Less config and setup.


👤 cpburns2009
It works, it's easy to configure, it's fast, and it's been solid for the 10 years I've used it.

👤 efortis
I use Nginx:

  - as a layer on top of the app servers, for not having to expose Node.js, and for load balancing app servers,

  - brotli_static,

  - serving AVIF conditionally [1],

  - anonymizing IPs in logs,

  - injecting the caching headers,

  - injecting the CSP header,

  - SSL offloading.

Auto-renewing SSL certificates within the server is not appealing to me, because externally running a script to renew them is not much more complex and it's more secure.

I mean, the auto-renew bots need more privileges, such as:

  - HTTP challenges need to be via HTTP (not HTTPS) [2],

  - HTTP challenges need write permissions on a servable directory,

  - DNS or HTTP challenges would need a program on a live server,

  - they need "pass out" firewall exceptions without IP scope. "We don't publish a list of IP addresses we use to validate..." Let's Encrypt [3]

1. https://blog.uxtly.com/conditional-avif-for-video-posters

2. https://datatracker.ietf.org/doc/html/rfc8555#section-8.3

3. https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let...
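A single nginx.conf that implements the items in efortis's list, as an added example rather than his own configuration. The host name app.example.com, the upstream ports 3000/3001, the paths under /etc/ssl/app/ and /var/www/app, and the exact CSP value are placeholders; brotli_static assumes the ngx_brotli module is compiled in.

```nginx
# Added example, not efortis's own configuration. Assumed names: upstream
# "node_app" on 127.0.0.1:3000/3001, host app.example.com, certificate files
# under /etc/ssl/app/, document root /var/www/app.
worker_processes auto;
events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;   # do not advertise the nginx version

    # Anonymised access log: IPv4 truncated to /24, IPv6 to its first two
    # hextets, before anything reaches the disk.
    map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
        ~(?P<ip>[^:]+:[^:]+):       $ip::;
        default                     0.0.0.0;
    }
    log_format anon '$remote_addr_anon - [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer"';
    access_log /var/log/nginx/access.log anon;

    # Serve the AVIF poster only when the client advertises support for it.
    map $http_accept $poster_ext {
        ~image/avif  .avif;
        default      .jpg;
    }

    # Node.js instances bind to loopback only; nginx is their sole entry point.
    upstream node_app {
        server 127.0.0.1:3000;
        server 127.0.0.1:3001;
        keepalive 16;
    }

    server {
        listen 80;
        server_name app.example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;   # nginx >= 1.25.1: "listen 443 ssl;" plus "http2 on;"
        server_name app.example.com;

        # SSL offloading. The files are written by an external renewal job;
        # nginx only needs read access and a reload after each renewal.
        ssl_certificate     /etc/ssl/app/fullchain.pem;
        ssl_certificate_key /etc/ssl/app/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off;

        # Security headers injected on every response from this server block;
        # "always" keeps them on error responses too.
        add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;

        # Precompressed assets: brotli_static serves /static/x.js.br when the
        # client accepts br. "expires" sets Cache-Control without add_header,
        # so the security headers above are still inherited here.
        location /static/ {
            root /var/www/app;
            brotli_static on;
            gzip_static   on;
            expires 1y;
        }

        # Conditional AVIF: /posters/intro -> intro.avif or intro.jpg by Accept.
        # Caveat: an add_header inside a location replaces the inherited set,
        # so any header wanted on these responses must be repeated here.
        location /posters/ {
            root /var/www/app;
            try_files $uri$poster_ext $uri =404;
            expires 1y;
            add_header Vary Accept always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        location / {
            proxy_pass         http://node_app;
            proxy_http_version 1.1;
            proxy_set_header   Connection "";
            proxy_set_header   Host $host;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_hide_header  X-Powered-By;   # drop the Express fingerprint
        }
    }
}
```

Check it with `nginx -t` before reloading. Two details matter for the security point of the post: the certificate files are only ever read by nginx, so the renewal process can run as a separate, lower-privileged job that writes them and triggers a reload, and the `add_header` inheritance rule means a location that sets its own header silently loses the CSP and HSTS from the server block unless they are repeated.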