Is anybody still using Apache?
I'm really interested in the whys (in addition to the obvious legacy reasons).
It's still a really nice web server. Easy to configure, incredibly reliable, twenty years of security fixes under its belt, endless docs/info available for it online. I've been meaning to learn nginx for a while, but with Apache working just fine, it doesn't feel very urgent.
Besides Apache and nginx, there aren't really any servers I'd trust for production use. Conceptually, I really like what Caddy is doing, but it's simply too young, not to mention the concerns that came up when Let's Encrypt had an outage back in May: https://github.com/mholt/caddy/issues/1680
The concerns about Caddy handling an ACME server outage are not really well founded these days, because:
1) Caddy has the most robust OCSP implementation of any web server. It caches staples locally and refreshes them halfway through the validity period so it can endure days-long OCSP responder outages.
2) Even if a certificate needs to be renewed while the ACME server is down, Caddy can endure 2-to-3-week-long outages of the ACME server because it renews 30 days out from expiration and tries twice per day until it succeeds, logging its actions along the way.
And because Caddy is written in Go, memory leaks like what Apache suffers are much less likely, if not impossible.
(Source: I implemented it.)
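The two scheduling rules described in this comment (refresh a cached staple halfway through its validity window; renew 30 days before expiry, retrying twice a day), modelled in Go as an added example. This is not Caddy's code; the type and function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed types/names for this example (not Caddy's own).
type OCSPStaple struct {
	ThisUpdate time.Time // start of the responder-signed validity window
	NextUpdate time.Time // end of the validity window
}

const (
	RenewWindow   = 30 * 24 * time.Hour // start renewing this close to expiry
	RetryInterval = 12 * time.Hour      // twice per day until renewal succeeds
)

// StapleRefreshAt returns the midpoint of the staple's validity window, the time at which a cached staple should be refreshed.
func StapleRefreshAt(s OCSPStaple) time.Time {
	return s.ThisUpdate.Add(s.NextUpdate.Sub(s.ThisUpdate) / 2)
}

// StapleServable reports whether the cached staple is still within its window at now, i.e. whether a responder outage can be ridden out on the cached copy.
func StapleServable(s OCSPStaple, now time.Time) bool {
	return !now.Before(s.ThisUpdate) && now.Before(s.NextUpdate)
}

// NeedsRenewal reports whether the certificate is inside the renewal window.
func NeedsRenewal(notAfter, now time.Time) bool {
	return notAfter.Sub(now) <= RenewWindow
}

// NextRenewalAttempt returns when to retry after a failed renewal, or the zero time if the certificate would already have expired by then.
func NextRenewalAttempt(notAfter, lastAttempt time.Time) time.Time {
	next := lastAttempt.Add(RetryInterval)
	if !next.Before(notAfter) {
		return time.Time{}
	}
	return next
}

func main() {
	now := time.Date(2017, 8, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	s := OCSPStaple{ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour)}
	fmt.Println("refresh staple at:", StapleRefreshAt(s))
	fmt.Println("servable 2 days into an outage:", StapleServable(s, now.Add(48*time.Hour)))
}
```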
> 1)...
Two calls to OpenSSL and a few lines of shell script will fetch staples from LE whenever I want (i.e. more often than your defaults that have caused problems before) for HAProxy to serve. How's that for robust.
> 2)...
Great, so you're as reliable as... any other LE client that tries to renew before expiry, but without the ability to choose when to renew certs?
1) Caddy has never had OCSP outage problems. When LE's OCSP responders went down for a day a few months ago, Caddy was the ONLY server that kept sites online (unless nginx was explicitly configured for it; almost all Apache sites with it went down, including gnu.org).
2) Ours is the only LE client built directly into the web server, so "reliability" isn't really a comparable factor. By doing renewals automatically, Caddy's HTTPS implementation is more reliable and robust than doing it manually.
https://github.com/icing/mod_md
This is being folded into the official Apache httpd repo.