HTTP Redirect is built on Caddy, an open-source web server written in Go. Caddy handles TLS certificate issuance and renewal automatically, serves the redirect handler, and hosts this documentation site. The custom binary powering this service is compiled with xcaddy, extending Caddy with the modules listed below.
caddy-redir-dns
github.com/pberkel/caddy-redir-dns
The core module behind this service. It implements a Caddy HTTP handler that reads a _redirect.{host} DNS TXT record
for each incoming request and responds with the configured HTTP redirect — no database, no config files, no restarts required.
Redirect targets support dynamic placeholders drawn from the incoming request, and the module maintains an in-memory DNS cache to
minimise lookup latency. A per-client rate limiter prevents abuse by capping the number of distinct hostnames any single IP address
can trigger DNS lookups for within a sliding time window.
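The per-client limiter described above can be sketched as follows. This is an added example, not code from caddy-redir-dns: the type and function names are hypothetical, and it assumes that a repeat lookup for a hostname already counted refreshes that hostname's timestamp instead of consuming a new slot.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// HostLimiter (hypothetical name) caps distinct hostnames per client IP within a sliding window.
type HostLimiter struct {
	mu     sync.Mutex
	max    int
	window time.Duration
	seen   map[string]map[string]time.Time // client IP -> hostname -> last lookup
}

func NewHostLimiter(max int, window time.Duration) *HostLimiter {
	return &HostLimiter{max: max, window: window, seen: make(map[string]map[string]time.Time)}
}

// Allow reports whether ip may trigger a DNS lookup for host at time now.
func (l *HostLimiter) Allow(ip, host string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	hosts := l.seen[ip]
	if hosts == nil {
		hosts = make(map[string]time.Time)
		l.seen[ip] = hosts
	}
	// Slide the window: forget hostnames last looked up at or before now-window.
	for h, t := range hosts {
		if now.Sub(t) >= l.window {
			delete(hosts, h)
		}
	}
	if _, known := hosts[host]; !known && len(hosts) >= l.max {
		return false // a new distinct hostname would exceed the cap
	}
	hosts[host] = now // assumption: known hostnames stay allowed and are refreshed
	return true
}

func main() {
	l := NewHostLimiter(2, time.Minute)
	t0 := time.Unix(0, 0) // constructed clock so the run is deterministic
	for i, h := range []string{"a.example", "b.example", "a.example", "c.example"} {
		fmt.Println(h, l.Allow("203.0.113.7", h, t0.Add(time.Duration(i)*time.Second)))
	}
}
```

Counting distinct hostnames instead of raw requests leaves ordinary repeat traffic to one redirect host unaffected while bounding how many uncached names a single address can force the resolver to query.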
caddy-tls-permission-policy
github.com/pberkel/caddy-tls-permission-policy
An on-demand TLS permission module that controls which hostnames Caddy is permitted to obtain certificates for. It supports allow and deny rules based on regular expressions or subdomain labels, a maximum subdomain depth limit, and a DNS resolution check that verifies the requesting hostname resolves to this server before a certificate is issued. This prevents certificate issuance for domains that are not legitimately pointed at this service.
caddy-tls-issuer-opportunistic
github.com/pberkel/caddy-tls-issuer-opportunistic
A TLS issuer that selects the certificate issuance method automatically based on whether the domain has DNS-01 challenge
delegation configured. When a _acme-challenge CNAME pointing to this service's authoritative DNS zone is detected,
the module issues a wildcard certificate via DNS-01 challenge. Domains without delegation fall back to a standard HTTP-01 issuer
and receive a single-hostname certificate instead. This allows wildcard and per-hostname certificates to coexist transparently
across the full range of domains that use this service.
caddy-tls-issuer-rate-limit
github.com/pberkel/caddy-tls-issuer-rate-limit
A TLS issuer wrapper that enforces configurable certificate issuance rate limits at issuance time, after any subject transformation has occurred. This ensures that limits are counted against actual certificates issued — not raw hostnames — so multiple domains mapping to the same wildcard certificate consume only a single slot. Renewals bypass all rate limit checks and are never blocked. The module is designed to keep issuances within the rate limits published by certificate authorities such as Let's Encrypt.