You are putting a web app behind a reverse proxy, and the two names that keep coming up are Caddy and Nginx. They solve the same problem — terminate TLS, route requests, serve static files, balance load — but they make different bets about who does the tedious parts. This is a look at where each one earns its keep in 2026, and how to pick without relitigating the decision in six months.
We ran both in front of the same Go and Node backends to see where the daily friction actually lives. The short version: Nginx still wins on raw efficiency and ecosystem depth, and Caddy wins on getting a correct HTTPS setup running in a single file. Which of those matters more depends entirely on your situation.
The config and TLS gap is the whole story
The clearest difference shows up before you serve a single request. A minimal Caddy site that gets a valid certificate, redirects HTTP to HTTPS, and reverse-proxies to a backend is three lines:
example.com {
reverse_proxy localhost:8080
}
Caddy requests, installs, and renews the certificate over ACME (Let's Encrypt, with ZeroSSL as fallback) on its own. There is no certbot cron job, no renewal hook, no separate config block for the challenge. HTTP/3 over QUIC is on by default. When the certificate is 30 days from expiry it renews in the background, and if renewal fails it keeps trying while serving the existing cert.
The equivalent Nginx setup is a server block of fifteen-plus lines, plus a separately installed and scheduled certbot (or acme.sh) to obtain and rotate the certificate, plus the ssl_certificate and ssl_certificate_key paths wired in by hand. Nothing here is hard, but every piece is a thing you own and can forget. The most common Nginx outage we have watched teams hit is an expired cert because a renewal timer silently stopped firing.
Caddy exposes a live admin API on
localhost:2019. You can POST a new config and it reloads with zero dropped connections — nonginx -s reload, no PID juggling. For anything that re-templates config from a control plane, this alone can justify the switch.
Nginx's config language is more verbose, but verbosity buys you precision. Two decades of Stack Overflow answers, Server Fault threads, and vendor docs assume Nginx syntax. When you need an obscure header rewrite, a tricky try_files chain, or rate limiting keyed on a custom variable, the answer almost certainly exists already in Nginx form. Caddy's documentation is good and improving, but the long tail of weird production edge cases is thinner.
Performance, memory, and the honest tradeoff
Nginx is written in C with an event-driven, worker-process model that has been tuned since 2004. Caddy is written in Go, which gives you the single static binary and trivial cross-compilation but also a garbage collector that does real work under load.
In published benchmarks and our own static-file tests, Nginx tends to hold a CPU and memory advantage at high concurrency — it does more requests per core and idles in a smaller resident footprint. Caddy is competitive for most workloads and the gap narrows once TLS and proxying dominate the cost, but if you are saturating hardware and counting cores, Nginx is the safer bet. We are deliberately not quoting a single headline multiplier here, because the number swings hard with payload size, keep-alive settings, and TLS version — anyone who gives you one clean figure is selling something.
For the workloads most developers actually run — a few hundred to a few thousand requests per second in front of an application server that is itself the bottleneck — the proxy is not your constraint, and the difference is academic. Your Postgres query or your Node event loop will fall over long before either proxy breaks a sweat.
Extending each tool is also a different shape of effort. Caddy plugins are compiled in with xcaddy, producing a new custom binary — clean, but a build step you have to manage in CI. Nginx uses dynamic modules or a recompile, and the Lua ecosystem via OpenResty unlocks scripting that has no direct Caddy equivalent. If your proxy layer needs real programmability, OpenResty is still in a class of its own.
If you are spending a lot of time hand-editing either config format, a modern editor with structured autocomplete and inline AI help removes a real chunk of the busywork — closing brace mismatches in Nginx blocks and Caddyfile indentation errors are exactly the class of mistake it catches before reload.
So which one should you run?
Reach for Caddy when you are standing up a new service and want correct, auto-renewing HTTPS with the least configuration possible — internal tools, side projects, container sidecars, and small-to-mid production apps where a single readable Caddyfile beats a directory of conf snippets. It is the faster path from zero to a green padlock.
Reach for Nginx when you are operating at scale, need to squeeze the most out of fixed hardware, already have Nginx expertise on the team, or depend on the mature module and Lua ecosystem. It is also the default in countless tutorials and Kubernetes ingress setups, so the operational knowledge is everywhere.
This is not a religious choice. Plenty of stacks run Caddy at the edge for painless TLS and Nginx or HAProxy deeper in for tuned load balancing. Picking one for your front door does not commit you to it everywhere.
The honest decision rule: if certificate management and config readability are your pain, Caddy removes that pain on day one. If raw efficiency, deep tunability, or matching your existing ops playbook matter more, Nginx remains the workhorse it has been for twenty years. Both are free, both are stable, and you can prototype either in an afternoon — so the cheapest way to decide is to run your real traffic through each for a day.
Originally published at pickuma.com. Subscribe to the RSS or follow @pickuma.bsky.social for new reviews.
Top comments (0)