What are you using in front of your webapp? And more importantly why?

I used NGINX for many years, but around 1.5 years ago I switched to Caddyserver as the SSL certificates are just so nice getting them auto-handled. I noticed a slight performance decrease, but for my kinda services it is not so important.

But I am curious, what do you use? And more importantly why?
We use HAProxy at the load balancers, and HAProxy/Varnish/Apache on the individual app server VMs.

This separates concerns completely:

- HAProxy knows about and manages the TLS, balancing, client routing etc;
- Varnish knows about and manages response caching and ESI processing (and often a combination of both);
- Apache knows about and runs the various backend services (a PHP web app, a couple of Ruby third-party tools, etc.)

Nginx has some significant downsides compared to what we currently use, unless we opt for the paid version, which best I can tell is ~$1K/instance/month. These aren't hypothetical differences; these are features we actually use:

- no sync for load balancing data (sticky peer data, rate limit data, etc): HAProxy supports this out of the box;
- no active health checks: HAProxy supports this out of the box;
- no API for purging cache: Varnish supports this out of the box;
- no ESI support: Varnish supports this out of the box. Best I can tell even the paid version of nginx doesn't support this.
CDNs, ingress, etc... haven't had to use a web proxy directly for years. At the end of the day, funnily enough, it's still nginx or similar behind the scenes.

Caddy for local development. Less config and setup.
I use Nginx:

- as a layer on top of the app servers, for not having to expose Node.js, and for load-balancing app servers,
- brotli_static,
- serving AVIF conditionally [1],
- anonymizing IPs in logs,
- injecting the caching headers,
- injecting the CSP header,
- SSL offloading.

Auto-renewing SSL certificates within the server is not appealing to me because externally running a script to renew them is not much more complex and it's more secure.

I mean, the auto-renew bots need more privileges, such as:

- HTTP challenges need to be via HTTP (not HTTPS) [2],
- HTTP challenges need write permissions on a servable directory,
- DNS or HTTP challenges would need a program on a live server,
- need 'pass out' firewall exceptions without IP scope. "We don't publish a list of IP addresses we use to validate... Let's Encrypt" [3]

1. https://blog.uxtly.com/conditional-avif-for-video-posters

2. https://datatracker.ietf.org/doc/html/rfc8555#section-8.3

3. https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server
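One nginx server block covering several items from the list above (TLS offloading in front of Node.js, log IP anonymization, header injection, brotli_static), added here as an example and not the commenter's own configuration; the server name, certificate paths, upstream ports and the presence of the third-party ngx_brotli module are assumptions.

```nginx
# Anonymize the client address before it reaches the access log:
# keep the first three IPv4 octets (/24) or three IPv6 groups (/48).
map $remote_addr $remote_addr_anon {
    ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
    ~(?P<ip>[^:]+:[^:]+:[^:]+): $ip::;
    default                     0.0.0.0;
}

log_format anon '$remote_addr_anon - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent "$http_referer"';

# Assumed: two Node.js instances that are never exposed directly.
upstream node_app {
    server 127.0.0.1:3000;
    server 127.0.0.1:3001;
}

server {
    listen 443 ssl;
    server_name example.com;                       # placeholder

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/access.log anon;

    # Headers injected at the edge so the app never has to set them.
    # 'always' also adds them to 4xx/5xx responses.
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Static assets: serve pre-compressed .br files (ngx_brotli assumed).
    # Note: an add_header inside this location would REPLACE the server-level
    # headers above, so the cache lifetime is set with 'expires' instead.
    location /static/ {
        root /srv/www;                             # placeholder
        brotli_static on;
        expires 1y;
    }

    # Everything else: TLS terminates here, plain HTTP to the app.
    location / {
        proxy_pass http://node_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the result with `nginx -t` and a request to a static and a dynamic path, confirming the CSP header is present on both and the logged address ends in `.0`.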