Caddy Primer

Reverse proxy, automatic HTTPS, and zero-downtime reloads for your Meridian deployment.

Why Caddy

Caddy is a single-binary web server written in Go. It obtains and renews TLS certificates automatically via Let's Encrypt or ZeroSSL, handles HTTP/2 and HTTP/3 out of the box, and reloads its configuration without dropping connections. For Meridian deployments, Caddy sits in front of the Next.js server and terminates TLS, strips path prefixes, and injects security headers.

Minimal Caddyfile

your.domain {
  reverse_proxy localhost:3000
  header {
    X-Content-Type-Options nosniff
    Referrer-Policy strict-origin-when-cross-origin
  }
}

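Place this Caddyfile in /etc/caddy/ and run caddy reload. Without --config, caddy reload looks for a file named Caddyfile in the current directory, so run it from /etc/caddy/ or pass --config /etc/caddy/Caddyfile.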
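
To confirm after a reload that the header block took effect, this added example (not part of the original page or of Caddy) audits a saved header dump such as the output of curl -sIL. The function names and the sample response are constructed for illustration; only the final response is checked, because a request that starts on plain HTTP passes through a redirect hop first.

```python
import re
import sys

# Expected values copied from the header block of the Minimal Caddyfile.
EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def final_response(raw):
    """Return the last response block; curl -sIL prints one block per hop."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    return blocks[-1] if blocks else ""

def parse_headers(block):
    """Map lower-cased header names to the list of values seen for each."""
    headers = {}
    for line in block.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return findings for the final response; an empty list means it passes."""
    seen = parse_headers(final_response(raw))
    findings = []
    for name, want in EXPECTED.items():
        values = seen.get(name.lower(), [])
        if not values:
            findings.append(f"missing: {name}")
        elif len(values) > 1:  # e.g. proxy and upstream app both set it
            findings.append(f"duplicate: {name}")
        elif values[0].lower() != want:
            findings.append(f"unexpected: {name}: {values[0]}")
    return findings

# Constructed sample: an HTTP-to-HTTPS redirect hop, then the proxied response.
SAMPLE = """HTTP/1.1 308 Permanent Redirect
Location: https://your.domain/

HTTP/2 200
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    problems = audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Pass the path of a saved header dump as the first argument; with no argument the script audits the constructed sample.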

Path Rewriting

When Meridian serves an API under a subpath, use handle_path to strip the prefix before forwarding:

handle_path /api/* {
  reverse_proxy localhost:4000
}

Rate Limiting

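The rate_limit directive protects Meridian endpoints from abuse. It is not part of the standard Caddy build: it is provided by a rate-limiting plugin module, so Caddy must be built with that module included. The {remote_host} key is the address of the immediate peer, so if another proxy or load balancer sits in front of Caddy, all clients behind it share one key. The example below allows 10 requests per second per client IP with a burst of 20: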

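{
  # order is a global option, so it goes in the global options block at the top of the Caddyfile
  order rate_limit before basicauth
}

# inside the site block:
rate_limit {
  zone dynamic {
    key {remote_host}
    events 10
    window 1s
    max_events 20
  }
}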

Next Steps

For production hardening, combine Caddy with a deployment guide that covers systemd units, log rotation, and firewall rules. Caddy's official docs at caddyserver.com are the authoritative reference for every directive.