I would not directly expose Jellyfin to the Internet (including reverse proxy) because of security issues they’ve had. And no, a reverse proxy (like Caddy) doesn’t usually add much insecurity or security^.

The thing I currently do is use forward_auth w/ Authelia (from anywhere, you could also use basic_auth though the UX sucks) but bypass it for the app in private IP ranges (aka at home or in VPN):

jellyfin.example {
        @notapp {
                not {
                        header User-Agent *Jellyfin*
                        client_ip private_ranges
                }
        }

        forward_auth @notapp localhost:8080 {
                uri /api/verify?rd=https://authelia.example/
        }
        reverse_proxy 192.168.1.44:8080
}

Apps get to continue working, and I can access it from my phone without a VPN setup (because it’s annoying and I only look at metadata on my phone anyway).

You can also do a simpler config (which I used to do) where you just give an HTTP Unauthorized for anything outside of private ranges (this lets you do the HTTP challenge for a certificate while still not exposing Jellyfin to the general internet).

^You can configure more security by doing authentication in the reverse proxy so that anyone trying to attack services behind it must first authenticate with the reverse proxy, but this is not the default. Security-wise this ends up similar to forcing all access through a VPN first, if a little harder to setup.

it is what you mean…no less no more…Caddy rocks…

Caddy is very basic, and thats why it works so easily. There is nothing wrong with it.

However it lacks some features that other reverse proxies offer. But if you dont need any of those, use Caddy.

Additional security? Not directly. But fail2ban and CrowdSec are easily set up too. And Caddy also combines very well with Authelia for authentication.

What is it? Is it an alternative to unraid?

I switched from Traefik to Caddy a few years ago and have no ragrets. The only complaints I have about Caddy:

• It doesn’t support configuring virtual hosts automatically via docker labelsl (like Traefik).
• Many features (like DNS auth for certs) require compiling Caddy. Which is easy but annoying.

Caddy is a great, easy web server. It honestly has some pretty good performance too. If you want to see some good tests against nginx, take a look at this:

https://blog.tjll.net/reverse-proxy-hot-dog-eating-contest-caddy-vs-nginx/

tldr: Optimized nginx does outperform caddy in some areas in under heavy load, and they have a completely different strategies to handle failure. Under very heavy load Nginx just starts dropping and refusing connections to keep itself fast, while caddy will dramatically slow down response times in order to keep failures from happening.

It’s no different than NGiNX, put in your config and it just works.

I started with caddy because it seemed to have the least complex config file even though the documentation lacks examples which I found really annoying when troubleshooting or trying any less basic stuff. I also found certificate related issues really hard to fix.

Now I run nignx-proxymanager as a docker-container which unifies nearly all services into portainer for updating therefore making it easier to keep my stuff up to date. nginx-proxymanager is also much easier imo on the certificate side of things. I create wildcard certificates for a few domains and select the right one depending on the proxy I add. I also use forwards for a few of my shelly-devices which don’t seem to work with proxies and make it easier for me to access them via a domain instead of memorizing a growing number of IPs.

How do you compare Caddy with nginx proxy manager?

Used Caddy for years and after a week of Nginx Proxy Manager I never went back to Caddy.

Lack of docker labels is a downer, but it’s the best reverse proxy I have used. Recently started a project to run containers with caddy

https://github.com/scmmishra/slick-deploy

Caddy is great, been using it for a long time and made the switch from v1 to v2. The biggest negative, IMO, is that examples are usually for NGINX. This is fine if all you have to do is to translate the nginx 5-liner into a Caddy 1-liner, but for nextcloud, the code was a bit more complicated and required some googling (as people had that issue before and their forums are helpful).

LLMs can also be useful for translating nginx directives to caddy.

I personally use Caddy alongside Cloudflare.

Caddy for SSL, Cloudflare for geoblocking & analytics.

there are some trade offs, mostly performance

Can somebody explain in plain English what it is used for?