Merge #271: Evaluate Caddy for HTTPS Termination

5026ea9 docs: [#270] deploy caddy to production and update structure (Jose Celano)
299cccd docs: [#270] add caddy security scan and workflow update notes (Jose Celano)
e44754f docs: [#270] document tracker's built-in healthcheck (Jose Celano)
eb66f6c feat: [#270] add healthcheck to caddy container (Jose Celano)
cd0dfa7 docs: [#270] document caddy log warnings and their meaning (Jose Celano)
ab8b2e3 docs: [#270] document caddy configuration patterns (Jose Celano)
0a1f1e8 refactor: [#270] fix caddyfile formatting (Jose Celano)
b9e4aea docs: [#270] add caddy tls proxy evaluation results (Jose Celano)

Pull request description:

  ## Summary

  Evaluation of Caddy v2.10 as TLS termination proxy for Torrust Tracker deployments.

  **Status**: ✅ Evaluation Complete - Recommend Adoption

  Closes #270

  ## Key Results

  - ✅ **WebSocket support works perfectly** (Pingoo's critical failure point)
  - ✅ **Automatic Let's Encrypt certificates** (~3-4 seconds for 3 domains)
  - ✅ **Simple configuration** (21 lines vs nginx+certbot complexity)
  - ✅ **All HTTPS endpoints verified**:
    - Tracker API: `/api/health_check` → HTTP/2 200
    - HTTP Tracker: `/announce` and `/health_check` → HTTP/2 200
    - Grafana UI: redirect to login → HTTP/2 302
  - ✅ **Production-ready** with automatic certificate renewal
  - ✅ **Built-in HTTP/3 (QUIC)** support

  ## WebSocket Test (Critical)

  ```text
  URL: wss://grafana.torrust-tracker.com/api/live/ws
  Status: 101 Switching Protocols
  Result: ✅ Dashboard live updates working perfectly
  ```

  This was the critical failure point for Pingoo (#234).

  ## Documentation

  - **Experiment Report**: `docs/research/caddy-tls-proxy-evaluation/experiment-full-stack.md`
  - **Conclusion**: `docs/research/caddy-tls-proxy-evaluation/conclusion.md`
  - **Configuration Files**: `docs/research/caddy-tls-proxy-evaluation/experiment-files/` (secrets redacted)

  ## Recommendation

  **ADOPT CADDY** as the TLS termination proxy for Torrust Tracker deployments.

  **Rationale**:
  - Solves the critical WebSocket issue that blocked Pingoo
  - Dramatically simpler than nginx+certbot approach
  - Production-ready with automatic certificate management
  - Better protocol support (HTTP/3/QUIC built-in)
  - Lower operational overhead

  ## Next Steps

  1. Create ADR documenting Caddy adoption decision
  2. Update deployer templates with Caddy configuration
  3. Migrate production deployments to Caddy
  4. Document Caddy configuration in user guide

  ## Draft Status

  This PR is marked as draft to allow for additional improvements while colleagues review the evaluation results.

ACKs for top commit:
  josecelano:
    ACK 5026ea9

Tree-SHA512: 1d77b7b784df3a8137810ddaa8ea27194be556285e0e9e064e50a1a779cc632da6b9aa6b441deb4b9161a52e2f1dc9f39bd515818b9671ad0e33bb5918352480

Author: josecelano

.gitignore

@@ -67,6 +67,9 @@ data/
 # Generated environment config files for E2E tests
 envs/
 
+# Experimental deployments with live secrets
+experiments/
+
 # Meson build directory
 builddir/
 

docs/issues/270-evaluate-caddy-for-https-termination.md

@@ -518,6 +518,55 @@ docs/research/caddy-tls-proxy-evaluation/
 
 ---
 
+## Evaluation Results
+
+**Status**: ✅ **COMPLETE** (January 13, 2026)
+
+**Recommendation**: ✅ **ADOPT CADDY** as TLS termination proxy
+
+### Key Findings
+
+- ✅ **WebSocket support works perfectly** (Pingoo's critical failure point)
+- ✅ **Automatic Let's Encrypt certificates** (~3-4 seconds for 3 domains)
+- ✅ **Simple configuration** (21 lines vs nginx+certbot complexity)
+- ✅ **All HTTPS endpoints working**:
+  - Tracker API: `/api/health_check` → HTTP/2 200
+  - HTTP Tracker: `/announce` and `/health_check` → HTTP/2 200
+  - Grafana UI: redirect to login → HTTP/2 302
+- ✅ **Production-ready** with automatic certificate renewal
+- ✅ **Built-in HTTP/3 (QUIC)** support
+
+### WebSocket Test Results (Critical Success Criterion)
+
+```text
+URL: wss://grafana.torrust-tracker.com/api/live/ws
+Method: GET
+Status: 101 Switching Protocols
+Server: Caddy
+
+Response Headers:
+  Connection: Upgrade
+  Upgrade: websocket
+  Sec-WebSocket-Accept: RVq4NYes7ZCMvnSWhc+pya0WUBk=
+
+Result: ✅ Dashboard live updates working perfectly
+```
+
+### Documentation
+
+- **Experiment Report**: [`docs/research/caddy-tls-proxy-evaluation/experiment-full-stack.md`](../research/caddy-tls-proxy-evaluation/experiment-full-stack.md)
+- **Evaluation Conclusion**: [`docs/research/caddy-tls-proxy-evaluation/conclusion.md`](../research/caddy-tls-proxy-evaluation/conclusion.md)
+
+### Next Steps
+
+1. Create ADR documenting Caddy adoption decision
+2. Update deployer Tera templates with Caddy configuration
+3. Add Caddy to project template (docker-compose.yml, Caddyfile)
+4. Document Caddy configuration in user guide
+5. Migrate production deployments to Caddy
+
+---
+
 **Created**: 2026-01-13
 **Last Updated**: 2026-01-13
-**Status**: Planning
+**Status**: ✅ Complete - Recommend Adoption

docs/research/caddy-tls-proxy-evaluation/README.md

@@ -0,0 +1,56 @@
+# Caddy TLS Proxy Evaluation
+
+**Issue**: [#270](https://github.com/torrust/torrust-tracker-deployer/issues/270)  
+**Date**: January 13, 2026  
+**Status**: ✅ **COMPLETE - RECOMMEND ADOPTION**
+
+## Overview
+
+This evaluation tested Caddy v2.10 as a TLS termination proxy for the Torrust Tracker stack. The primary success criterion was WebSocket support, which was the critical failure point for Pingoo (issue #234).
+
+**Result**: ✅ Caddy successfully passes all tests, including WebSocket support.
+
+## Documentation
+
+- **[Experiment Report](./experiment-full-stack.md)** - Complete deployment procedure, test results, and technical details
+- **[Security Scan](./security-scan.md)** - Docker security scan results for `caddy:2.10`
+- **[Production Deployment](./production-deployment.md)** - Production configuration at `/opt/torrust/` (reference for Tera templates)
+- **[Conclusion](./conclusion.md)** - Evaluation summary, comparison with alternatives, and recommendation
+- **[Configuration Files](./experiment-files/)** - All configuration files used in the experiment (secrets redacted)
+
+## Quick Summary
+
+### ✅ Successes
+
+1. **WebSocket Support** - Works perfectly (Pingoo failed this)
+2. **Automatic HTTPS** - Let's Encrypt certificates in ~3-4 seconds
+3. **Simple Configuration** - 21 lines (Caddyfile) vs complex nginx+certbot
+4. **All Endpoints Working** - Tracker API, HTTP Tracker, Grafana
+5. **Built-in HTTP/3** - QUIC support out of the box
+6. **Automatic Renewal** - Zero operational overhead
+
+### WebSocket Test (Critical)
+
+```text
+URL: wss://grafana.torrust-tracker.com/api/live/ws
+Status: 101 Switching Protocols
+Result: ✅ Dashboard live updates working perfectly
+```
+
+### Recommendation
+
+**✅ ADOPT CADDY** as the TLS termination proxy for Torrust Tracker deployments.
+
+## Next Steps
+
+1. Create ADR documenting adoption decision
+2. Update deployer templates with Caddy configuration
+3. Document in user guide
+4. Migrate production deployments
+
+## References
+
+- [Caddy Official Website](https://caddyserver.com/)
+- [Caddy Documentation](https://caddyserver.com/docs/)
+- [Issue #270](https://github.com/torrust/torrust-tracker-deployer/issues/270)
+- [Pingoo Evaluation](../pingoo-tls-proxy-evaluation/) (not adopted)