Install Caddy on Ubuntu / Debian

Modern web server with automatic HTTPS, usable as a reverse proxy and file server.

Tool · web-server · reverse-proxy · https · tls · http

Installation

Official APT repository · apt
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install -y caddy

The Ubuntu/Debian repository ships an old version of Caddy; the official Cloudsmith repository provides the current release with a systemd service.

Verify the installation

Verify
caddy version

Service

Start
sudo systemctl start caddy
Stop
sudo systemctl stop caddy
Status
sudo systemctl status caddy
Restart
sudo systemctl restart caddy
On boot
sudo systemctl enable caddy

Important files

| Type | Path | Description |
|------|------|-------------|
| config | /etc/caddy/Caddyfile | Main configuration file read by the systemd service. |
| data | /var/lib/caddy | State directory where TLS certificates are stored. |

Default ports

80, 443

Command-line tools

  • caddy: Server and CLI; the package also installs the caddy systemd unit.

Uninstall

Uninstall
sudo systemctl stop caddy
sudo apt purge -y caddy
sudo rm -f /etc/apt/sources.list.d/caddy-stable.list

Good to know

  • The package installs a caddy systemd service running as the caddy user, with the capability to bind ports 80/443.
  • Edit /etc/caddy/Caddyfile, then apply with sudo systemctl reload caddy.
  • Certificates and state live under /var/lib/caddy; back this up to avoid re-issuing certificates.

Installation on Ubuntu

The caddy package in the default Ubuntu/Debian repository is usually outdated. Use the official Cloudsmith APT repository: the commands above add its signing key and source list, then install the current Caddy with a ready-made systemd service.
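
The install step writes a remotely fetched file straight into /etc/apt/sources.list.d, so this added example (not part of the original runbook or the Caddy project) checks such a file before it is trusted. The helper name audit_source_list and the sample entries are assumptions constructed for illustration; the keyring path and host come from the commands above.

```shell
#!/bin/sh
# Added example: audit a one-line-format APT source list before installing it.
# Both expected values are taken from the install commands on this page.
EXPECTED_KEYRING=/usr/share/keyrings/caddy-stable-archive-keyring.gpg
EXPECTED_HOST=dl.cloudsmith.io

# audit_source_list FILE (hypothetical helper): prints one finding per problem
# and returns 0 only if every deb/deb-src entry is pinned to the expected
# keyring with signed-by= and is served over HTTPS from the expected host.
audit_source_list() {
    file=$1; bad=0; entries=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "deb "*|"deb-src "*) ;;   # repository entry: check it
            *) continue ;;            # comment, blank line, anything else
        esac
        entries=$((entries + 1))
        # Options are the [...] group that follows the type keyword, if any.
        opts=$(printf '%s\n' "$line" | sed -n 's/^[a-z-]* *\[\([^]]*\)].*/\1/p')
        # The URI is the first token after the type and the optional [...] group.
        uri=$(printf '%s\n' "$line" |
            sed 's/^[a-z-]* *\(\[[^]]*] *\)\{0,1\}//' | cut -d' ' -f1)
        case " $opts " in
            *" signed-by=$EXPECTED_KEYRING "*) ;;
            *) echo "not pinned to expected keyring: $line"; bad=1 ;;
        esac
        case $uri in
            "https://$EXPECTED_HOST/"*) ;;
            *) echo "unexpected repository URI: $uri"; bad=1 ;;
        esac
    done < "$file"
    [ "$entries" -gt 0 ] || { echo "no repository entries found"; bad=1; }
    return "$bad"
}

# Constructed sample (not the real file): the second entry has no signed-by
# and points at a plain-HTTP host, so the audit must fail.
sample=$(mktemp)
cat > "$sample" <<EOF
# constructed sample
deb [signed-by=$EXPECTED_KEYRING] https://$EXPECTED_HOST/public/caddy/stable/deb/debian any-version main
deb http://mirror.example/caddy any-version main
EOF
audit_source_list "$sample" || echo "audit failed: do not install this list"
rm -f "$sample"
```

To use it, download debian.deb.txt to a temporary file, run audit_source_list on it, and copy it to /etc/apt/sources.list.d/caddy-stable.list only if it returns 0.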

The systemd service

The package runs Caddy as the caddy system user via a unit granted CAP_NET_BIND_SERVICE, so it can bind ports 80 and 443 without running as root. Edit /etc/caddy/Caddyfile, then sudo systemctl reload caddy to apply changes with zero downtime.

Certificates and state

Automatically issued TLS certificates and Caddy's state are stored under /var/lib/caddy. Preserve this directory across reinstalls to avoid hitting certificate-authority rate limits by re-issuing.