Running Caddy as a service on macOS X server

Installing Caddy

Download Caddy from the official website.

Make root the owner of the executable and set the setuid/setgid bits so that it runs with root permissions [1]:

$ chown root ./caddy
$ chmod +s ./caddy
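A way to see what those two commands leave behind, as an added example that is not part of the original post: `chmod +s` with no who-prefix sets both the setuid and the setgid bit, and the script below reports the privilege-relevant bits on the resulting file. The function names `has_perm`, `owner_uid` and `audit_binary` are hypothetical helpers introduced for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report the privilege-relevant
# permission bits on a binary after `chown root` + `chmod +s`.

# has_perm FILE OCTAL: true when every bit in OCTAL is set on FILE.
has_perm() {
    [ -n "$(find -L "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# owner_uid FILE: numeric uid of the owner (works with BSD and GNU ls).
owner_uid() {
    ls -ldnL "$1" | awk '{print $3}'
}

# audit_binary FILE: print one finding per line; print nothing when clean.
audit_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "MISSING $bin"; return 0; }
    uid=$(owner_uid "$bin")
    if [ -u "$bin" ]; then
        echo "SETUID runs as uid $uid regardless of who starts it"
        # Only relevant when the bit is set: who else may start the binary?
        if has_perm "$bin" 0001; then
            echo "SETUID_WORLD_EXEC every local account runs it as uid $uid"
        fi
    fi
    if [ -g "$bin" ]; then
        echo "SETGID also runs with the file's group (chmod +s sets both bits)"
    fi
    # A privileged binary that group or others can write to can be altered
    # by a less privileged account.
    if has_perm "$bin" 0020 || has_perm "$bin" 0002; then
        echo "WRITABLE group or others can modify the file"
    fi
    return 0
}

# Usage: audit_binary ./caddy
```

If the world-execute finding appears, `chmod 4750 ./caddy` together with a dedicated group limits who can start the binary with the owner's privileges.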


Caddy reads its configuration from the Caddyfile. More information can be found in the official documentation.

Launchd config

Create a launchd plist file: ~/Library/LaunchAgents/com.caddyserver.web.plist. This file should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">
            <string>launchctl unload -w /Applications/; ulimit -n 8192; cd /Users/mathias/Sites; ./caddy -agree -email -conf=/Users/mathias/Sites/Caddyfile</string>

The launchd script will stop the built-in Apache server on macOS X, set the ulimit and execute Caddy. The Caddy command line arguments are quite trivial:

  1. -agree: agree to the CA’s (Let’s Encrypt) Subscriber Agreement.
  2. -email: your email address, used for the certificate authority.
  3. -conf: full path to your Caddyfile.

The launchd file will make sure that Caddy is started at boot and kept alive.

Start and stop the Caddy launchd service using the following commands:

$ launchctl load ~/Library/LaunchAgents/com.caddyserver.web.plist
$ launchctl unload ~/Library/LaunchAgents/com.caddyserver.web.plist

  1. Yes, I know, it’s not good practice to run a service as root. But there is no other decent way on OS X. setcap doesn’t exist on macOS. Since Caddy won’t be touching any files, and Caddy doesn’t execute shell scripts, there is not a lot that can go wrong in this case. If you feel uncomfortable running Caddy as root, you could use port forwarding in your firewall and listen on a port >= 1024, for which you won’t need root privileges. This can be done using this command:
    echo "
    rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
    " | sudo pfctl -ef -