1. 14

Caddy-Sponsors HTTP Header

As of version 0.10.9, Caddy emits an HTTP response header, Caddy-Sponsors, which is similar to the Server header that Caddy already has, except that this one credits our sponsors who make it possible to keep Caddy free for personal use. This header cannot be removed by the Caddyfile, and its presence is required by the non-commercial EULA. This requirement is waived by the commercial license, so the header is not present in those binaries.


  2. 11

    I think I’ll pass. I kind of like the ability to edit binaries when I feel like it. (Regardless of the legal status of enforcement of such measures.)

    1. 7

      You probably know, but this EULA only applies to their binaries you download from caddyserver.com. So you can totally pass on the build server at caddyserver.com, pretend it didn’t exist (like it doesn’t for 99% of open source projects), and carry on using Caddy, building your binaries, modifying them, and anything you like.

      1. 12

        I don’t know, man… Technically the EULA forbids trying to discover the source code, so once you download the binary version, you’re not allowed to go back and download the source. Maybe that’s not what they meant, but I think they should have picked their words with more care.

        3.1 You SHALL NOT, and shall not allow any third party, to: (a) decompile, disassemble, or otherwise reverse engineer the Software or attempt to reconstruct or discover any source code, underlying ideas, algorithms, file formats or programming interfaces of the Software by any means whatsoever (except and only to the extent that applicable law prohibits or restricts reverse engineering restrictions);

        1. 6

          I’m so sure that’s not what they meant that I’ll ping them your comment. :)

          (And I’ll eat my hat if it’s ever enforced or attempted to, but I see that’s not the point for you.)

          1. 11

            (This sounds like I’m really angry, but I’m not. Just kinda annoyed.)

            Seems like only yesterday Equifax was caught trying to trick users into agreeing to arbitration. Of course, their excuse was that it was only boilerplate and never meant to be enforced, yada yada. Maybe people should read their shitty contract language before asking people to agree to it. Wouldn’t that be nice?

            What does the EULA even accomplish? Anybody willing to pay $50/month for a web server isn’t going to be futzing around with IDA trying to edit the binary. The free crowd is going to build from source. “Please don’t remove the banner without paying.” would be just as effective, and far less dickish.

            It’s like a pawn shop with giant iron bars and a revolving mantrap front door. It signals to me that their clients are generally murderous thieving rats, so maybe I’ll just move along.

            1. 4

              They explicitly say that if you don’t like the header, you should compile it yourself.

              Well, we think our sponsors are pretty awesome. But we’re huge proponents of preserving and expanding individual freedom. If you object to any of our sponsors being named in an invisible response header on your personal website, you may freely compile Caddy from source without that header.

              The whole point of the sponsors header is to cover their free build service. If you don’t use that, you don’t need the header.

              1. 2

                Contract law can be complicated. I can put a table out on the sidewalk and give away free tacos, but if I get you to sign a contract that says “I will not eat Ted’s tacos” then you can’t have any tacos, even though there’s a sign that says “free tacos” right there on the table.

    2. 4

      Is it just me, or does $50 per instance/month seem a bit steep for the position that Caddy is in? Maybe $50 per instance/year?

      Admittedly, I’ve not priced out HTTP servers before (because I’ve mostly used nginx, and just not given the matter much thought), and I understand that money will help them work on this server, but Caddy was free before, and now they’ve added a lot of licensing headaches for anyone that wants to use it and potentially make money.

      1. 2

        I think it’s a brilliant price point; cheap enough that developers at bigger corporates (who want to support the Caddy project) can get sign-off from a single low-level manager to spend the money, while being expensive enough to turn a profit.

        Everyone else will compile it themselves (it’s really easy to build Caddy from source).

        1. 1

          But are you allowed to build it yourself and use that commercially? That’s the question that comes to my mind, and is where the rub might be.

          1. 4

            That’s stated explicitly, in several different ways, multiple times throughout the article.

            Caddy isn’t changing licence (will remain Apache licenced). The build service (where they configure plugins and compile custom binaries for your organisation) is.

      2. 2

        No automated custom builds

        Fuck that.

        1. 1

          It just means you can’t use their ones for free any more. You’re welcome to find a different volunteer to support your work.

        2. 1

          I was toying with it yesterday after building from source. It’s cool in that it is a single binary and has sane defaults but the documentation is only fair. It’s not sufficiently compelling for me to be annoyed.

          1. 3

            Caddy has a couple of nice features for when you want to run a simple website. It auto sets up, and renews, Let’s Encrypt certs, and has a simple config format for simple websites. It’s nice when you want to throw something together quickly.

            After this license change I will probably move back to nginx. It has better certbot integration for auto-renew than when last I was setting up my server.

            1. 1

              I was excited when I saw it several months ago because the not-quite-zero-config web server in my dev directory trick is cool, but I already know my way around Apache, nginx, etc. for anything more persistent. The auto TLS feature is great, I guess, if you don’t know or don’t want to know about the workings of it. I did figure out how to get it to use certbot refreshed certs without it using .well_known or having dynamic DNS updates; it’s trivial to specify the PEMs, but it’s not well represented in the docs.