For more than a decade the web server market has been a duopoly. NGINX, built to solve the C10K concurrency problem, and Apache, the battle-tested workhorse that still powers a huge share of the internet, have divided most of the territory between them. Then along came Caddy — a Go-based server that does one thing no rival does out of the box: automatically provision, renew, and staple TLS certificates without a single extra command.

In 2025–2026 that single differentiator has pulled Caddy into serious production infrastructure. The question is whether operational convenience can compete with the raw horsepower and battle-hardened ecosystems of NGINX and Apache.


Performance: NGINX Still Leads, But the Gap Is Narrowing

Multiple independent benchmarks published between late 2025 and mid-2026 — on bare-metal Hetzner hardware, 16-core ARM servers, and 4-core KVM VMs — point to the same hierarchy for static-file throughput:

Static File Throughput · Requests per Second (400 concurrent connections)

NGINX: 78 k req/s
Caddy: 65 k req/s
Apache: 42 k req/s

Source: techplained.com · 4-core VPS · wrk2 client · p99 latency averaged over 3 runs. Numbers vary by hardware and tuning.

NGINX leads on static file serving and large-file streaming. Caddy, however, flips the advantage on small payloads, HTTP/3 traffic, and TLS termination speed — the workloads that define modern SaaS APIs and microservices gateways.

Memory tells a different story. On a 4-core VPS under 400 concurrent keep-alive connections, Apache 2.4 with the event MPM holds roughly 145 MB resident, NGINX 1.25 sits at just 18 MB, and Caddy 2.7 lands in the middle at 32 MB — leaner than Apache, heavier than NGINX.

“Caddy’s worst day is a 500 to one user. NGINX’s worst day, when a third-party module misbehaves, is a 502 cascade across the whole upstream pool.”

— ThePrimeagen, February 2026 stream

That observation maps to the CVE record. Since 2020, NGINX has shipped 47 CVEs versus Caddy’s four over the same window — a meaningful operational risk difference for security-conscious teams.


Automatic HTTPS: Caddy’s Single Most Disruptive Feature

If one capability explains Caddy’s momentum, it is its built-in ACME client. Caddy provisions a certificate from Let’s Encrypt or ZeroSSL on first request, renews it 60 days before expiry, enables OCSP stapling by default, and applies HTTP-to-HTTPS redirects with HSTS preloading — all from a single line in a Caddyfile:

| Server | Auto TLS | Config complexity | OCSP Stapling | HTTP/3 (QUIC) |
|---|---|---|---|---|
| Caddy | Built-in | Minimal | Default on | Native |
| NGINX | 3rd-party | Moderate | Manual | QUIC branch |
| Apache | 3rd-party | Rich / complex | Manual | None stable |

NGINX users must wire up a separate ACME client — Certbot, acme.sh, or lego — add a systemd timer or cron job for renewals, and handle the post-renewal nginx reload manually. Caddy eliminates every one of those steps. Cloudflare Radar’s August 2025 report attributed roughly 4% of all new ACME certificate issuance to Caddy clients, up from 1.8% in 2024, reflecting that shift in real traffic.

🔒
Developer experience win: Teams report that Caddy’s zero-touch HTTPS removes the most common 3 AM incident from their runbooks — an expired certificate that Certbot quietly failed to renew.
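Whichever server terminates TLS, the silent-renewal failure described above is caught by checking the certificate that is actually served rather than trusting the renewal job's exit status. The following Python sketch is an added example, not code from the article or from any of the three projects; the 21-day threshold, the `*.example.test` hosts and their dates are constructed assumptions.

```python
import calendar
import socket
import ssl
import time

WARN_DAYS = 21  # assumed alert threshold; tune to your renewal schedule

# Constructed notAfter values in the format ssl.getpeercert() returns.
SAMPLES = {
    "api.example.test": "Mar  1 00:00:00 2026 GMT",
    "www.example.test": "Jan 11 00:00:00 2026 GMT",
    "old.example.test": "Dec 25 00:00:00 2025 GMT",
}
SAMPLE_NOW = calendar.timegm((2026, 1, 1, 0, 0, 0))  # fixed clock for the samples


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Turn a certificate's notAfter string into a monitoring state."""
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left <= 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "RENEWAL_OVERDUE"  # renewal should have happened well before this
    return "OK"


def check_host(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents and classify it (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted chain fails the handshake before we can read it.
        return "INVALID: " + exc.verify_message
    except OSError as exc:
        return "UNREACHABLE: " + str(exc)


def report(samples=SAMPLES, now=SAMPLE_NOW):
    """Classify every sample; return only the hosts that need attention."""
    states = {host: classify(na, now) for host, na in samples.items()}
    return {host: s for host, s in states.items() if s != "OK"}


if __name__ == "__main__":
    for host, state in report().items():
        print(f"{host}: {state}")
```

Run `check_host()` from a scheduler against each public hostname and alert on anything other than `OK`; the check is independent of which ACME client or server performs the renewal.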

Configuration: Caddyfile vs nginx.conf vs httpd.conf

Caddy’s Caddyfile is designed to be human-readable first. A minimal reverse proxy with TLS looks like a handful of lines. Equivalent NGINX configuration requires a full server block, a separate upstream stanza, explicit ssl_certificate directives, and a cron job managing renewal. Apache adds VirtualHost wrappers and module-load declarations on top of that.

Apache’s .htaccess system remains the only mechanism that lets untrusted users modify server behaviour per-directory without touching the main config — an irreplaceable feature for shared hosting environments. NGINX has no equivalent. Neither does Caddy.

For DevOps teams working in infrastructure-as-code, all three servers support Terraform and Ansible, but Caddy’s JSON API lets configuration changes be applied live without a reload — an architectural advantage for dynamic, ephemeral container environments.


Market Share: Caddy Is Growing, But Still a Challenger

NGINX continues to dominate with approximately 38.6% of tracked websites in 2025, a position reinforced by deep integrations with Kubernetes ingress controllers, CDN edge stacks, and cloud load balancers. Apache still commands a substantial share, particularly in shared hosting and legacy PHP deployments. Caddy, while on roughly 133,000 tracked websites, remains a fraction of that installed base — but its trajectory in developer-oriented infrastructure is upward.

📊
Enterprise footprint: Netflix still uses a custom-tuned NGINX build to terminate roughly 350 Gbps per edge appliance on its Open Connect CDN. At that scale, NGINX’s raw performance ceiling and proven stability are non-negotiable.

Ecosystem and Extensibility

NGINX’s plugin and module ecosystem, built over two decades, remains unmatched. Hundreds of third-party modules cover everything from WAF rules to advanced load-balancing algorithms to commercial observability integrations (NGINX Plus). Apache’s module system, powered by mod_rewrite, mod_security, and mod_php, is even older and broader, making it the default choice for PHP-heavy stacks, legacy CMSes, and shared hosting providers.

Caddy extends through first-class Go plugins. While the library is smaller, it is growing fast and benefits from Go’s strict type system — a plugin bug is far less likely to cascade across the server process than a C module fault in NGINX. The result is that Caddy’s plugin surface is narrower but more predictable.


Which Server for Which Use Case?

Choose Caddy

New SaaS APIs, greenfield microservices, developer laptops, or any project where zero-touch HTTPS and minimal config matter more than peak raw throughput.

Choose NGINX

High-traffic static asset delivery, large-file streaming, CDN edge nodes, or Kubernetes ingress where memory efficiency and maximum throughput are the priority.

Choose Apache

Legacy PHP applications, shared hosting environments requiring .htaccess, or stacks where decades of module compatibility is non-negotiable.


// Verdict

Not a Throne Takeover — A Specialisation

Caddy will not replace NGINX at Netflix or Apache in a cPanel shared host any time soon. But for the majority of new production deployments — small-to-medium APIs, container-native stacks, and developer teams who want HTTPS to just work — Caddy has already won the practical argument. Its 22% throughput deficit against NGINX rarely matters in real workloads where the database, not the web server, is the bottleneck. Its security record is cleaner, its operational overhead is lower, and its HTTP/3 support is native. For most teams starting fresh in 2026, Caddy is the pragmatic default.