Recent releases for caddy (feed: http://open-source-security-software.net/project/caddy/releases.atom, updated 2024-04-29T00:36:24.240054+00:00, generated by python-feedgen)

# caddy v0.9.3

Released 2016-09-28T19:00:53+00:00

This release contains bug fixes, including patches and more tests for bugs introduced in 0.9.2. If you use `proxy` for load balancing in failure scenarios, pay attention to a few changes. We've made improvements that will help debug and eliminate sporadic, long-lasting 502 errors, but changed the way the failure logic works in order to do this.

Summarized change list:

- Updated QUIC to newer version
- import: Glob pattern matching 0 files is no longer an error
- fastcgi: Fixed persistent connections (disabled by default)
- fastcgi: Configurable connection pool size parameter
- proxy: Improved failover load balancing logic
- proxy: Avoids duplicating header fields that would be confusing
- proxy: New try_duration and try_interval parameters
- proxy: Fix for IP hash policy when downed hosts come back up
- Several other bug fixes and new tests

Changes specific to proxy (see PR #1135):

- `fail_timeout` now defaults to 0. This means that requests which fail will not count against that host's availability. With a value > 0, request failure counting is enabled, and proxy will remember a failed request for this long. If the number of remembered failures accumulates to `max_fails`, the backend will be considered down (for _everyone_) until the failed requests begin to be forgotten.
- `max_fails` defaults to 1 as before, but cannot be set to 0. If your network is flaky (almost all are), try a more reasonable value like 5. Remember, once the number of failed requests to a backend reaches this number within the window of `fail_timeout`, the host will be considered down for _all clients_ until the window shifts ahead.
- `try_duration` is a new parameter that specifies how long proxy will check for available hosts. So if a host becomes available within this duration, the request may still succeed. The default is 0, meaning that proxy will not retry when a host initially goes down or no hosts are available. You must set this to a reasonable value > 0 (e.g. `30s`) if you want robust redundancy.
- `try_interval` specifies how long to wait between attempts to reach an upstream host. This defaults to 250ms. The idea is to avoid spinning the CPU, so if you set this to 0 along with a non-zero fail_timeout, your CPU may spin until hosts become available again.

Basically: If you want to have proper, redundant load balancing, you **must** set `fail_timeout` and `try_duration` to durations > 0. We may continue to tweak this logic in the future to get the best defaults for as many users as possible.

Thank you to all who contributed for this release!

# caddy v0.9.4

Released 2016-12-21T21:28:28+00:00

Just in time for Christmas, the long-awaited patches in 0.9.4 are finally here! This release spans 83 commits, mostly of minor changes and improvements, but also some nice bug fixes and a few new features. See [the blog post](https://caddyserver.com/blog/caddy-0_9_4-released) for more information and highlights.

Full change list:

- Updated QUIC
- New maxrequestbody directive to limit size of request body
- New {latency_ms} placeholder for latency always in ms
- Serve statically compressed .gz and .br files
- fastcgi: Support for multiple backends with basic load balancing
- fastcgi: Customize connect, read, and send timeouts.
- proxy: Fixed handling of encoded 'without' paths
- proxy: Preserve trailing slash if present in request
- proxy: Fix HTTP/2 upstreams
- templates: New .Files action to list files in a directory
- templates: .Include can now pass arguments to included file
- tls: Added ability to customize preferred curves
- tls: Added support for Must-Staple on managed certificates
- tls: Fixed subtle edge case bug with TLS-SNI challenge
- Lots of minor fixes and improvements

# caddy v0.9.5

Released 2017-01-24T15:34:21+00:00

Caddy 0.9.5 contains several critical fixes and we recommend applying the update right away. **Please read these notes first, though!**

Thank you to the collaborators and contributors for all your hard work (especially @tw4452852 and @lhecker - among many others, see the commit history) while I've been busy working on the new website and build infrastructure!

## [HTTP Timeouts](https://blog.cloudflare.com/exposing-go-on-the-internet/) Enabled by Default

Caddy aims to be secure right out of the box. In order to prevent faulty or malicious clients from draining resources with [slowloris](https://blog.qualys.com/tag/slow-http-attack) behavior, Caddy now enables timeouts by default. In general, this will not affect most users. However, you may need to [raise or disable these timeouts](https://caddyserver.com/docs/timeouts) depending on your legitimate visitors' needs and your server's configuration. If your visitors have legitimately slow networks or you need to hold requests for a long time (e.g. long polling or proxying long requests to a trusted backend), consider raising these timeouts.
Default timeout values:

- **read:** 10s (time spent reading request headers and body)
- **header:** 10s (time spent reading just headers; not used until Go 1.8 is released)
- **write:** 20s (starts at reading request body, ends when finished writing response body)
- **idle:** 2m (time to hold connection between requests; not used until Go 1.8 is released)

As you can see, a couple of the timeout values will begin functioning when Caddy is built on Go 1.8, expected within about a month. Go ahead and set them now; they will just start working when supported. See the timeouts [pull request](https://github.com/mholt/caddy/pull/1368) and [docs](https://caddyserver.com/docs/timeouts).

## Critical Uptime/Connectivity Fix

This is a little embarrassing, but if conditions were just right, Caddy would initiate a certificate renewal using the TLS-SNI-01 challenge, which would cause a deadlock. Subsequent TLS handshakes would block forever until the server stopped responding to requests. It took months to find and fix this because it only happened when very specific conditions were met: the certificate needs renewal (once every 60 days), the TLS-SNI-01 challenge is chosen (by roll of dice), renewal is triggered from the background maintenance goroutine (not on-demand or during startup), and Let's Encrypt did not have a cached authz for that domain. [Now it's fixed.](https://github.com/mholt/caddy/commit/0e34c7c97025e1d3570de291b603aed334377dd5)

A _huge_ thanks to Bradley Falzon (@bradleyfalzon), Miek Gieben (@miekg), and Sebastian Erhart (@xenolf) for spending considerable time to help me debug this. It wasn't possible without their hours of help.

## Proxy performance improvements

We continue to iterate on Caddy's `proxy` functionality. Caddy was never designed to be a reverse proxy except as a very simple one, just to say that it can do it. But it turns out that `proxy` is one of the most popular directives.
So with this release, [we've improved](https://github.com/mholt/caddy/pull/1314) on a recent regression that buffered request bodies. Proxy configurations with a single upstream or with try_duration unset (0) will be much faster and use less memory. We're still improving upon failure conditions and retry behavior; we had a rich discussion in #1314 about it. You should also see better HTTPS+websockets support. Also, the deprecated `proxy_header` subdirective is no longer accepted; use `header_upstream` instead.

## Minor security fixes in browse

The `browse` middleware was improved a bit. First, a filter textbox was added to instantly filter the listings by file name. We also now sanitize the file names and links in case, for some reason, you are not already doing that with untrusted files. I want to thank Kevin Froman (@beardog108) for the responsible reporting of this as a precaution. I also went ahead and made sure the browse directive will hide the active Caddyfile if it is within your site's root, no matter the current working directory.

## Other things

There's a new `-validate` flag to load and parse your Caddyfile, then terminate. It will tell you if the Caddyfile is syntactically valid or not. There are also new placeholders: `{when_iso}` gives you the UTC timestamp in ISO 8601 format, and `{rewrite_path}` gives you the URI path after a rewrite (`{path}` gives the path as it originally was on the request before any rewrites).
Full change list:

- New -validate flag to only check a Caddyfile, then exit
- New {when_iso} placeholder for timestamp ISO 8601 in UTC
- New {rewrite_path} and {rewrite_path_escaped} placeholders
- New 'timeouts' directive to configure or disable HTTP timeouts
- HTTP-level timeouts enabled by default
- browse: Added textbox to filter listing in default template
- browse: Sanitize file names and links in default template
- browse: Ensure active Caddyfile is hidden regardless of cwd
- fastcgi: New 'root' property, mainly for use with containers
- markdown: Apply some front matter fields as `<meta>` tags
- proxy: Fixed HTTP/2 upstream to backend; honors -http CLI flag
- proxy: Fixed websockets over HTTPS
- proxy: Reduced memory usage and improved performance
- proxy: Added support for HTTP trailers
- tls: Fixed deadlock that affected some background renewals
- Several other smaller bugs squashed and improvements made

Thanks for continuing to use Caddy!

# caddy v0.10.0

Released 2017-04-20T17:50:22+00:00

We're very excited to bring you Caddy 0.10! There are a bunch of changes in this release. Many of them are small enhancements or bug fixes, but we also have some significant new features: HTTP/2 server push, new plugin types, updates to the TLS stack and directive, etc. [Read the blog post.](https://caddyserver.com/blog/caddy-0_10-released)

**Default timeouts have been _disabled_ in this release.** You won't need `timeouts none` any more in your Caddyfile. Take note, too, that a few directives have changed syntax slightly. You can use `caddy -validate` to check your syntax before reloading Caddy.

_Note: This is the first release produced by our automated deployment system. Some release assets failed to upload due to network errors. We've fixed this by putting the upload logic into a loop to try again if it fails._

Full change list:

- Built on Go 1.8.1
- HTTPS interception detection
- Updated QUIC
- SIGUSR1 (reload) now works with QUIC servers
- New 'push' directive for HTTP/2 server push
- New 'index' directive to change the names of index files
- New -http-port and -https-port flags to change protocol ports
- New -disable-http-challenge and -disable-tls-sni-challenge flags
- New event hook plugin type
- New listener middleware plugin type
- New placeholders for cookie, query, and rewritten URI values
- basicauth: Ability to customize realm
- browse: Default template now sorts by name with directories first
- errors, log: Roll all logs by default
- errors, log: Ability to write to remote syslog
- errors, log: Standardized, simplified directive syntax
- log: Patched common log format by adding missing "-"
- proxy: New 'max_conns' setting to limit connections to upstreams
- proxy: New 'first' load balancing policy for first available host
- proxy: Health checks respect Host and insecure_skip_verify settings
- templates: New .RandomString action to add random padding to page
- timeouts: Disabled default HTTP timeouts
- tls: Settings now apply per-site rather than for entire listener
- tls: New 'alpn' setting to disable either HTTP/2 or HTTP/1.1 on per-site basis
- tls: Added curve X25519
- tls: Added ChaCha20-Poly1305 cipher suites
- tls: Renamed muststaple to must_staple
- tls: Setting max_certs obtains certs during handshakes for all hostnames
- Dozens of miscellaneous bug fixes and improvements
- New website
- New build infrastructure
- New deployment system

# caddy v0.10.1

Released 2017-05-02T06:47:10+00:00

Bug fix release. We've reduced memory usage in some areas and changed how internal rewrites work a bit. If you notice any new quirks about `rewrite` or similar, please open an issue with clear instructions to repeat the bug. Thanks!
- Reduced memory usage for gzip, templates, and MITM detection
- Fixed automatic HTTP->HTTPS redirects for sites with wildcard labels
- proxy: Fix 'without' subdirective
- A few other minor bug fixes and improvements

# caddy v0.10.2

Released 2017-05-02T23:10:11+00:00

This is a hot fix release for the `rewrite` directive. If you are already using 0.10.1 and do not use `rewrite` at all, you probably don't need to upgrade. But as usual, we encourage all users to stay up to date!

Changes:

- Hot fix for rule paths of "/" so that they match every request
- fastcgi: Match request paths that don't start with "/" even if rule does

# caddy v0.10.3

Released 2017-05-19T14:42:31+00:00

Caddy 0.10.3 includes support for new plugins (`datadog` and `login`) as well as a few minor fixes or changes, with one notable change: the `maxrequestbody` directive has been changed to the [`limits`](https://caddyserver.com/docs/limits) directive. You will need to change that in your Caddyfile.

Full change list:

- Replace 'maxrequestbody' directive with 'limits' directive
- proxy: Configurable port for health check
- proxy: New load balance policy: uri_hash
- templates: Renamed .Push context action to .AddLink
- tls: Allow narrower certificate renewal window at startup (#1680)
- tls: Prefer ChaCha20 if hardware does not have AES-NI
- A few other bug fixes

# caddy v0.10.4

Released 2017-06-28T22:40:45+00:00

This release is our first with vendored dependencies. Together with an updated build command, these builds should be fully reproducible, byte-for-byte (without plugins). A huge thank-you to our sponsors for making this possible! We hope you enjoy this release!
Change list:

- Vendor all dependencies
- Improve MITM detection, add experimental Tor browser support
- New request_id directive to add request IDs to each request
- New HTTP plugins supported: authz, grpc, gopkg, reauth, restic
- browse: Refreshed default UI and added symlink indicators
- errors, log: Added rotate_compress directive to compress rolled logs
- markdown: Template files loaded at each request instead of just once
- proxy: Allow multiple Server header fields on downstream response
- proxy: Perform health checks by body substring
- rewrite, redir: Added 'not_starts_with' and 'not_ends_with' operators
- tls: New ca subdirective to specify CA endpoint per-site
- Several bug fixes

# caddy v0.10.5

Released 2017-07-27T22:24:44+00:00

It's been kind of a crummy week for a lot of people, but here's some good news: Caddy 0.10.5 is out! This release fixes subtle issues that were present in proxying WebSockets or FastCGI connections. We've also improved MITM detection for iOS clients. There is a new header-based load balancing policy.

On top of these changes, of note are these:

- The `requestid` directive has been renamed to `request_id` to be more consistent with other directives and subdirectives.
- There is a new default timeout in town: the `idle` timeout now has a default value of 5 minutes. Unlike the previous default timeouts, we don't expect this will negatively impact anyone. There is generally no good use for idle connections, and if you have a good use for them, you can disable this timeout in your Caddyfile. (We've tested this timeout on several kinds of sites for months and have had zero problems, only improvements in memory and FD usage.)
- **This release is compatible with three new 3rd-party plugins!** The [`http.cache` plugin](https://caddyserver.com/docs/http.cache) acts as a caching layer of middleware, which can drastically improve performance of serving your site. [`http.nobots`](https://caddyserver.com/docs/http.nobots) attempts to dissuade bots from accessing your site. [`http.webdav`](https://caddyserver.com/docs/http.webdav) was extracted from the filemanager plugin and enables webdav serving.

**As usual, a HUGE thanks to contributors who made this possible!** Most of these changes were implemented by contributors to the project, while the maintainers have been busy working on improved proxy middleware and other things (that hopefully we can reveal soon). Our community is fantastic, and we and all Caddy users appreciate you. Thank you!

Full change log:

- Renamed requestid directive to request_id
- Set default idle timeout of 5 minutes
- New 3rd-party plugin directives: cache, nobots, webdav
- New Unix timestamp placeholder {when_unix}
- Improved MITM detection on iOS clients
- errors, log: Fix log rolling parsing
- gzip: Convert any ETag header to weak etag
- fastcgi: Reverted persistent connections (issue #1736)
- proxy: Added header load balancing policy
- proxy: Fix hang on chunked WebSockets (e.g. with HomeAssistant)
- Several other bug fixes and minor internal improvements

# caddy v0.10.6

Released 2017-07-28T18:23:16+00:00

This is a hotfix for [0.10.5](https://github.com/mholt/caddy/releases/tag/v0.10.5)'s `fastcgi` directive which [invokes a runtime error](https://github.com/mholt/caddy/issues/1788) on 32-bit and ARM architectures, due to a known, documented bug in Go. We don't run tests on 32-bit or ARM (yet), which would have been the only way to catch this error in an automated fashion. Sorry about that. Enjoy this release! It's the best one yet.

# caddy v0.10.7

Released 2017-08-25T23:52:11+00:00

This release introduces 3 new HTTP plugins: awses, jekyll, and forwardproxy, and supports SIGUSR2 for graceful binary upgrades. Read [the release blog post](https://caddyserver.com/blog/caddy-0_10_7-released) for more information.
A huge thanks to our sponsors for making continued development possible, and for keeping this release of Caddy free for everyone to use: [Minio](https://minio.io/), [Uptime Robot](https://uptimerobot.com/), and [Sourcegraph](https://about.sourcegraph.com/)!

Change list:

- Built with Go 1.9
- New 3rd-party plugin HTTP directives: jekyll, awses, forwardproxy
- Different exit codes
- Plan 9 support
- Graceful binary upgrades with SIGUSR2
- internal: Support X-Accel-Redir without paths to protect
- templates: Can execute templates loaded by other middleware
- A few really good bug fixes

# caddy v0.10.8

Released 2017-09-08T17:21:26+00:00

This is mainly a security release, with a couple of other bug fixes (see commit history for details on those).

This release fixes issue #1859. Previously, Caddy would not compress/merge multiple consecutive forward slashes in the URL for comparisons, causing certain comparisons to fail falsely: not because of technical correctness, but rather semantic correctness (i.e. it depends on what is using the path, but most often, file systems will annoyingly collapse multiple slashes). Now, Caddy's path matching behaves similarly to NGINX's `location` block when [`merge_slashes`](http://nginx.org/en/docs/http/ngx_http_core_module.html#merge_slashes) is enabled. Caddy now merges slashes by default when comparing paths using Go's [`path.Clean()`](https://golang.org/pkg/path/#Clean), which also evaluates `..` in paths to ensure equivalence on a _semantic_ level.

We recommend installing this update right away if you use middleware (including plugins) that rely on matching paths to protect resources. All the relevant, standard (built-in) directives should be remedied with this (including basicauth), but third-party plugins that do not use [`Path.Matches()`](https://godoc.org/github.com/mholt/caddy/caddyhttp/httpserver#Path.Matches) will have to ensure that they are properly sanitizing the path before doing a comparison.
You can use [getcaddy.com](https://getcaddy.com) to automate updates, then send SIGUSR2 to gracefully upgrade the binary with no downtime.

# caddy v0.10.9

Released 2017-09-12T17:25:10+00:00

This release introduces our new EULA for binaries distributed through our website, as well as the Caddy-Sponsors header as a thank you to our sponsors for keeping Caddy free for personal use. We're very happy to have them on board, and invite others to [sponsor the project](https://caddyserver.com/sponsor) to give the gift of privacy to site owners and Web users everywhere.

In this version we've also fixed a bug related to certificate renewals, where the renewed certificate wouldn't be loaded and used. The bug was introduced in v0.10.6, so **everyone using v0.10.6, v0.10.7, or v0.10.8 should upgrade.**

This version also includes a fix for using `templates` + `proxy` together so that `templates` now sends the right status code in the response.

One new feature: Caddy can now act as a QUIC reverse proxy by using `quic://` to specify a backend! This is experimental, but where you'd like, feel free to give it a try.

- EULA bundled with official binaries
- Caddy-Sponsors header to indicate personal-use license
- proxy: Support for QUIC backends
- templates: Write proper status code if proxied
- tls: Fix bug related to cert renewals

# caddy v0.10.10

Released 2017-10-09T04:57:54+00:00

With this release, we also launch our updated pricing structure. [Read the blog post for details!](https://caddyserver.com/blog/caddy-0_10_10-and-pricing)

Caddy 0.10.10 removes the Caddy-Sponsors header for all builds as well as featuring a number of incremental improvements and bug fixes. This version has one notable, possibly-breaking change, but it is for security reasons.
The new default of the `CASE_SENSITIVE_PATH` environment variable (if not set) is now `false`, meaning that matching a base path (using `Path.Matches()`) to a directive will be a case-insensitive comparison by default. This helps avoid common misconfigurations with security-related directives like `basicauth` (and similar auth-related third-party plugins) which protect resources by a base path. As far as static files go, this mainly affects Windows and macOS, which have case-insensitive file systems. (Thanks to @magikstm for bringing this common misconfiguration caused by non-obvious documentation to our attention.)

Another notable change is that `startup` and `shutdown` have been deprecated in favor of `on`. You should switch to `on` soon, as we will eventually remove the `startup` and `shutdown` directives.

All changes:

- Built with Go 1.9.1
- Removed Caddy-Sponsors header
- New 'on' directive that deprecates 'startup' and 'shutdown'
- Changed CASE_SENSITIVE_PATH default to false
- fastcgi: Support for SRV upstreams
- redir: Rules with if statements are not checked for duplicates
- Several minor bug fixes

# caddy v0.10.11

Released 2018-02-20T05:55:38+00:00

This release improves automatic HTTPS in cluster configurations and internal TLS asset management, adds service discovery support to reverse proxying and reusable snippets for the Caddyfile, and more! **Read the details in [the announcement blog post!](https://caddyserver.com/blog/caddy-0_10_11-released)**

A few minor "breaking" changes: how signals are handled has changed, conflicting TLS configurations are no longer allowed (an error is raised), and a TLS alert is raised if SNI is used but no certificate is available, rather than serving a default certificate.

Special thanks to Ed for helping us patch a minor path-based open redirect possibility!
Full change log:

- Built with Go 1.10
- Reusable snippets for the Caddyfile
- Updated QUIC
- Auto-HTTPS certificates may be shared by multiple instances
- Expand globbed values in -conf flag
- Swap behavior of SIGTERM and SIGQUIT; ignore SIGHUP
- 9 new DNS provider plugins for the ACME DNS challenge
- New placeholder for `{<Response-Header}` values
- basicauth: Username put in {user} placeholder
- fastcgi: GET requests can now send a body
- proxy: Service discovery with DNS SRV load balancing
- request_id: Allow reusing request ID from header field
- tls: Improved efficiency of many certificates and reloads
- tls: Raise error if conflicting TLS configurations collide
- tls: Raise TLS alert if SNI used and no cert matched
- tls: Reject OCSP responses that expire after the certificate
- tls: Clients can use SNI to request a specific certificate
- tls: Add option for backend to approve on-demand certificate
- tls: Synchronize maintenance of shared, managed certificates
- Numerous fabulous bug fixes

# caddy v0.10.12

Released 2018-03-27T05:30:32+00:00

This release brings ACMEv2 and wildcard certificate support! **Read the [release announcement blog post](https://caddyserver.com/blog/caddy-0_10_12-released) for details.** There are some things in there you should know, including a description of how some really cool features work. Thanks to everyone who contributed to this release!
Change list:

- Switch to Let's Encrypt ACMEv2 production endpoint
- Support for automated wildcard certificates
- Support distributed solving of HTTP-01 challenge
- New {labelN}, {tls_cipher}, and {tls_version} placeholders
- Curly braces can now be escaped when not used as placeholders
- New third-party plugin: geoip
- Updated QUIC
- fastcgi: Add SSL_CIPHER and SSL_PROTOCOL environment variables
- log: New 'except' subdirective to exempt paths from logging
- startup/shutdown: Removed in favor of 'on'
- tls: Default minimum version is TLS 1.2
- tls: Revert to fallback cert if no cert matches SNI
- tls: New 'wildcard' subdirective to force automated wildcard cert
- Several significant bug fixes and improvements!

# caddy v0.10.13

Released 2018-04-18T23:17:01+00:00

Caddy 0.10.13 is a minor release that fixes security flaws in TLS client authentication and On-Demand TLS. It is recommended that everyone relying on these capabilities upgrade. This release also has bug fixes for the Caddyfile parser (caught by fuzzing) and handling errors when a certificate could not be obtained via ACME.

**Do not use this version, it cannot obtain certificates due to a bug. Version 0.10.14 fixed this.**

Change list:

- New third-party plugin: supervisor
- Updated QUIC
- proxy: Fix transparent pass-thru of X-Forwarded-For
- proxy: Configurable timeout to upstream
- rewrite: Now supports regular expressions on single-line
- tls: StrictHostMatching mode to prevent client auth bypass
- tls: Disable client auth when using QUIC
- tls: Require same client auth cert pools per hostname
- tls: Prevent On-Demand TLS directory traversal
- tls: Fix empty files when ACME fails to obtain cert
- Fixed test broken by 1.1.1.1 resolving
- Improved Caddyfile parser robustness by fuzzing

# caddy v0.10.14

Released 2018-04-20T00:17:20+00:00

This is a hotfix release that addresses a regression in 0.10.13 related to obtaining and using ACME certificates. All users should upgrade to 0.10.14 within 30 days.

Change list:

- tls: Fix error handling bug when obtaining certificates

# caddy v0.11.0

Released 2018-05-10T15:51:01+00:00

This release has been about 6 months in the making! Featuring an integrated telemetry client, you can now view stats about your Caddy instance and contribute to Internet research. Telemetry is entirely optional. Read the [blog post](https://caddyserver.com/blog/caddy-0_11-released) and [telemetry docs](https://caddyserver.com/docs/telemetry) for more information, and check out our [global stats](https://caddyserver.com/stats)! You can also look up details about your own instances there.

Full change list:

- Built with Go 1.10.2
- Integrated optional telemetry client
- proxy: Fixed file descriptor leak

# caddy v0.11.1

Released 2018-11-12T21:59:46+00:00

# caddy v0.11.2

Released 2019-01-16T23:10:58+00:00

Do not use this release: use [v0.11.3](https://github.com/mholt/caddy/releases/tag/v0.11.3) instead.
# caddy v0.11.3

Released 2019-02-05T20:21:17+00:00

This release has been superseded by v0.11.4 which fixes a regression in this one.

# caddy v0.11.4

Released 2019-02-15T19:05:40+00:00

This release adds features to specify trusted CA certificates in the proxy middleware, allows disabling log rotation, and fixes numerous bugs with the recent extraction of TLS logic into CertMagic, including self-signed certificates, IP-only certificates, and email address prompts related to creating an ACME CA account. Also added a new third-party plugin directive, extauth.

Most notably, this version supports the ACME TLS-ALPN challenge by default, which replaces the TLS-SNI challenge. Caddy now supports clustering plugins, allowing it to share TLS assets in a fleet configuration and/or behind load balancers using CertMagic's storage implementations. This is a feature that is enterprise-only in competing software distributions, but is free in Caddy!

This release in particular fixes a bug related to the storage paths of certificates. If you have any files in `~/.local/share/certmagic` that were not there before, consider moving them to `~/.caddy` (or whatever your $CADDYPATH is).

v0.11.3 is also built on Go 1.11.5 which includes security fixes. It is recommended that all users upgrade to this version.
Full change list for v0.11.2-v0.11.4:

## 0.11.4 (February 15, 2019)

- New -json-to-caddyfile and -caddyfile-to-json flags
- Fix leaking logging goroutine on SIGUSR1
- basicauth: Error is logged when authentication fails
- proxy: Fix bug by re-adding pre-existing trailing slashes
- tls: Fix bug related to certificate storage path

## 0.11.3 (February 5, 2019)

- New {server_port} placeholder
- New third-party plugin: extauth
- New flags -log-roll-mb and -log-roll-compress
- basicauth: Bypass for OPTIONS method
- errors/log: Ability to disable log rolling
- proxy: New subdirective 'ca_certificates'
- staticfiles: Require GET method to serve static files
- tls: Fixes to self-signed certs, IP certs, email prompts, & more
- SOLVED REGRESSIONS: #2356, #2414
- A number of other important fixes and improvements

## 0.11.2 (January 16, 2019)

- Extracted automagic TLS code into CertMagic library
- Add support for new clustering plugins
- New placeholder: '{when_iso_local}'
- New third-party plugins: s3browser, filebrowser
- Removed third-party plugins: jekyll, hugo
- bind: Support multiple interface values
- import: Can now be used within directive blocks
- proxy: Status 499 when clients close connection early
- templates: No longer emit ETag and Last-Modified headers
- tls: Support for the ACME TLS-ALPN-01 challenge
- KNOWN/UNRESOLVED REGRESSIONS: #2356, #2414
- Several bug fixes and minor improvements

# caddy v0.11.5

Released 2019-03-04T19:49:51+00:00

Caddy 0.11.5 is built with Go 1.12 and brings TLS 1.3 to all worthy TLS connections by default. We've also re-allowed HEAD requests on static files and organized the startup output a little better. (If you need to enable TLS 1.0 or 1.1 -- please don't -- you now have to [specify TLS 1.0 or TLS 1.1 ciphers](https://caddyserver.com/docs/tls), as those ciphers have been removed from the default cipher suite listing.)
Full change log:

- TLS 1.3
- Built with Go 1.12
- More organized output at startup
- internal: Paths are now hidden from other middlewares
- staticfiles: Allow HEAD method
- tls: TLS 1.3 default max version (1.2 still default min)
- tls: Better handling of empty ACME email addresses
- tls: Removed CBC ciphers from defaults
- Other minor improvements and bug fixes

# caddy v1.0.0-beta1

Released 2019-04-09T19:28:13+00:00

During this beta period, the build server will be undergoing maintenance. If you encounter issues downloading, please use these GitHub releases to get Caddy builds (or build from source) in the meantime.

Full change list:

- Major internal changes (Go modules & remove vendor)
- Rename -env flag to -envfile
- New -env flag to print the environment
- New 'dyndns' directive
- proxy: Manipulate headers using regular expressions
- A few bug fixes

# caddy v1.0.0-beta2

Released 2019-04-20T19:52:20+00:00

We continue to improve Caddy's compatibility with Go modules. Beta 2 improves Caddy's build process. Separate build scripts are no longer required, and Caddy can be built with a custom selection of plugins without any modifications to Caddy's source code. See the README/wiki for instructions. Please report any bugs you find, especially if there are regressions due to updates for compatibility (a significant refactoring of CertMagic was recently folded in).

- Continue migration to Go modules
- Eliminate need for special build script
- Internal changes for better compatibility

# caddy v1.0.0

Released 2019-04-24T17:34:58+00:00

We did it! Caddy 1.0 is here. Future changes on the 1.0 tree will focus on stability and bug fixes. Go modules are required to build Caddy from source. Go 1.13 will use modules by default. Notably, binaries are no longer licensed with a separate EULA.
Commercial use of our download page, however, still requires a subscription (all customers have been grandfathered in -- in effect, nothing is really different except we got rid of the annoying legal technicality).

CHANGES:
- Minor internal/linting improvements
- EULA no longer applies
- [Backwards compatibility goal](https://github.com/mholt/caddy/wiki/Compatibility-Guarantee)

## caddy v1.0.1 (2019-07-02T19:26:51+00:00)

Caddy 1.0.1 introduces a number of fixes and improvements, and deprecates the `max_certs` subdirective of `tls` (using it still enables on-demand TLS but you should use `ask` for proper protection).

KNOWN ISSUE: Building Caddy with plugins is difficult due to the repository move. Our build server has been patched to make it work, but plugin authors will need to update import paths. (Sorry! Unexpected.) I've done my best to file issues with all registered plugins.

## caddy v1.0.2 (2019-08-13T20:52:58+00:00)

This release uses Go 1.12.8 to patch the HTTP/2 implementation against the [security vulnerabilities reported today](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md).

One minor [breaking change in Go 1.12.8](https://github.com/golang/go/commit/3226f2d492963d361af9dfc6714ef141ba606713) might affect some configurations that use service name in the port of their Caddyfiles, like so: `example.com:https` - we've smoothed this over so the behavior of Caddy is the same but if you encounter any odd inconsistencies, switch to using numeric ports or proper URL scheme: either `https://example.com` (recommended) or `example.com:443`.

## caddy v1.0.3 (2019-08-14T20:03:37+00:00)

## caddy v2.0.0-beta1 (2019-09-13T19:03:56+00:00)

The first beta/development release is here!
v2.0.0-beta1 is functional enough to serve most sites and may be used in production _after you test it and find that it meets your needs_.

Caddy 2 is not backwards-compatible with Caddy 1. Caddy 2 beta releases are not feature-complete or free of bugs, but we hope to release beta versions regularly until the release candidates later this year. Beta releases may also have breaking changes, so please be aware of the changes as we continue developing Caddy 2.

To learn how to get started, see the README on the v2 branch: https://github.com/caddyserver/caddy/tree/v2

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)
- [Official Caddy 2 instructional videos](https://www.youtube.com/playlist?list=PLdnO1_NRAWW0HyPMBJ86teR1RUikQBOAY) (more in progress)

## caddy v2.0.0-beta2 (2019-09-20T19:26:45+00:00)

Caddy 2.0 beta 2 is the next pre-release in the development cycle of Caddy 2.
Notable changes:
- You can now perform substring or regular expression replacements in headers
- The reverse proxy allows header manipulation: add, set, remove, and substring/regexp replacements
- Renamed `static_response` Caddyfile directive to `respond`
- Updated certmagic, so (1) long-expired certificates are cleaned up from storage, and (2) Caddy will attempt to replace a revoked certificate with a new one automatically
- Ability to configure storage with the Caddyfile
- Several bug fixes and improvements

**[See all commits since previous tag here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta1...v2.0.0-beta2)**

Please remember that Caddy 2 beta releases are not yet feature-complete, as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We've made good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!
### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)
- [Official Caddy 2 instructional videos](https://www.youtube.com/playlist?list=PLdnO1_NRAWW0HyPMBJ86teR1RUikQBOAY) (more in progress)

## caddy v2.0.0-beta3 (2019-10-01T17:44:42+00:00)

Caddy 2.0 beta 3 is the next pre-release in the development cycle of Caddy 2.

Some highlights:
- Added CLI help (run `caddy` or `caddy help <command>` to get help)
- Added `validate` subcommand to validate configurations
- Renamed `adapt-config` subcommand to `adapt` and renamed `--input` to `--config` and `--config-adapter` to `--adapter` and `--print-env` to `--environ`
- Added `--validate` flag to `adapt` subcommand to validate adapted configs
- CLI commands are now extensible from modules
- Ability to customize trusted roots for ACME servers
- Configurable renewal and OCSP check intervals for certificate management
- New `email` and `acme_ca` global options for the Caddyfile
- `not` matcher can now be used in the Caddyfile
- Several bug fixes, especially with the Caddyfile

**[See all commits since previous tag here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta2...v2.0.0-beta3)**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags.
We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We've made good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)
- [Official Caddy 2 instructional videos](https://www.youtube.com/playlist?list=PLdnO1_NRAWW0HyPMBJ86teR1RUikQBOAY) (more in progress)

## caddy v2.0.0-beta4 (2019-10-07T17:07:39+00:00)

Caddy 2.0 beta 4 is the next pre-release in the development cycle of Caddy 2.
Some highlights:
- Plugged in the JSON 5 and JSON-C config adapters
- New `file-server` and `reverse-proxy` commands for convenience
- `reverse_proxy` module: Make request retries configurable based on properties of the request
- `adapt` subcommand: Default `--adapter` value is "caddyfile"
- Several bug fixes

**[See all commits since previous tag here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta3...v2.0.0-beta4)**

Be advised that the next beta release may be delayed as we [transition a bunch of code to open source](https://github.com/caddyserver/caddy/issues/2786) and work on a new website.

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We've made good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!
### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)
- [Official Caddy 2 instructional videos](https://www.youtube.com/playlist?list=PLdnO1_NRAWW0HyPMBJ86teR1RUikQBOAY) (more in progress)

## caddy v2.0.0-beta6 (2019-10-14T17:41:46+00:00)

Caddy 2.0 beta 6 is the next pre-release in the development cycle of Caddy 2 and is the biggest update yet!

Some highlights:
- [Migrated all WIP and completed enterprise features to open source](https://github.com/caddyserver/caddy/issues/2786), including:
  - `/config` and `/id` API endpoints, which enable config traversal (selective updates) and exporting current configuration
  - WIP cache plugin for HTTP responses
  - pem_loader plugin, for specifying TLS certs and keys directly in config
  - distributed_stek plugin, for high-performance TLS session resumption in clusters
  - Custom TLS certificate selection policies
  - WIP Starlark handler (embedded scripting language)
- New placeholders for RemoteAddr (client IP, etc.)
- HTTP basic authentication plugin
- reverse_proxy: Ability to customize ServerName value in TLS handshake to backends
- reverse_proxy: Dynamic backends using placeholders (variables) in dial address
- reverse_proxy: Minor optimization of MaxIdleConnsPerHost default value

**[See all commits since beta 4 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta4...v2.0.0-beta6)** (We tagged beta 5 mid-cycle as a test, but made a mistake with a dependency so we're ignoring that tag.)

Be advised that the next beta release may be delayed as we [transition a bunch of code to open source](https://github.com/caddyserver/caddy/issues/2786) and work on a new website and official images/packages.

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We've made good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!
### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)

## caddy v2.0.0-beta7 (2019-10-28T21:21:20+00:00)

Caddy 2.0 beta 7 is the next pre-release in the development cycle of Caddy 2 and is the best update yet!

Some highlights:
- Logging! Caddy 2 has an exceptionally powerful, flexible, and high-performing log. [Read the docs about logging.](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#logging)
- Rewrite handler can now quickly strip path prefix or suffix conveniently, and issue HTTP redirects
- Significant improvements to TLS certificate management, especially at large scale. Give Caddy 2 a million domains and it will gradually obtain certificates for them with built-in rate limiting and retries over the course of days or weeks.
- CI improvements, including continuous fuzzing.
- HTTP cache can be configured to work in a group/cluster setting.
- Several bug fixes.

**[See all commits since beta 6 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta6...v2.0.0-beta7)**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!
Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)

## caddy v2.0.0-beta8 (2019-10-29T18:11:23+00:00)

Caddy 2.0 beta 8 is the next pre-release in the development cycle of Caddy 2 and is the best update yet!

Some highlights:
- Logging! Caddy 2 has an exceptionally powerful, flexible, and high-performing log. [Read the docs about logging.](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#logging)
- Rewrite handler can now quickly strip path prefix or suffix conveniently, and issue HTTP redirects
- Significant improvements to TLS certificate management, especially at large scale. Give Caddy 2 a million domains and it will gradually obtain certificates for them with built-in rate limiting and retries over the course of days or weeks.
- CI improvements, including continuous fuzzing.
- HTTP cache can be configured to work in a group/cluster setting.
- Several bug fixes, including a hotfix for a silly bug in beta 7 (d'oh! 🤦‍♂️)

**[See all commits since beta 6 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta6...v2.0.0-beta8)**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)

## caddy v2.0.0-beta9 (2019-11-04T20:55:15+00:00)

Caddy 2.0 beta 9 is the next pre-release in the development cycle of Caddy 2 and is the best update yet!

Some highlights:
- Significant bug fixes, especially related to HTTP requests. (Got rid of those panics! Oops)
- Refactored the admin (API) endpoint code significantly, making many internal improvements and fixing several bugs.
- Added optional origin enforcement features to the API for added security.
- Improved config reload performance significantly.
- Fixed some bugs related to the Caddyfile.

**[See all commits since beta 8 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta8...v2.0.0-beta9)**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project!**

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)

## caddy v1.0.4 (2019-11-15T21:30:35+00:00)

This patch release fixes a bug in the `fastcgi` middleware that could result in the static file server returning PHP files as plain text on Windows systems. Thank you to @MisterDuval for the report and suggested fix.

Dependencies lego, certmagic, and quic-go have also been updated to their latest versions.
## caddy v2.0.0-beta10 (2019-11-18T21:33:56+00:00)

Caddy 2.0 beta 10 is the next pre-release in the development cycle of Caddy 2 and is the best update yet!

Some highlights:
- NTLM proxying
- Log level and filenames support placeholders
- Access logs include response headers
- Improved `caddy stop`, `caddy file-server`, and `caddy reverse-proxy` commands
- Numerous other bug fixes and minor enhancements

**[See all commits since beta 9 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta9...v2.0.0-beta10)**

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project!**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!
### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)

## caddy v2.0.0-beta11 (2019-12-23T20:57:52+00:00)

Caddy 2.0 beta 11 is the next pre-release in the development cycle of Caddy 2 and is the best update yet! We recommend that everyone on the beta track upgrade.

Some highlights:
- Support for automatic config documentation (new docs site should be ready soon!)
- Multiple fixes for `@id` usage in the admin API
- Enhancements to rewrite handler and request matchers
- Log can now output to arbitrary network sockets
- Improved TLS cert management at scale
- Improved templates handler; better markdown and "include" support
- Several other significant bug fixes

**[See all commits since beta 10 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta10...v2.0.0-beta11)**

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project!**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.
To learn how to get started, see the [README on the v2 branch](https://github.com/caddyserver/caddy/tree/v2).

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Quick Start](https://github.com/caddyserver/caddy/tree/v2#quick-start)
- [Full documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation)
- [Writing a v2 config from scratch](https://github.com/caddyserver/caddy/wiki/v2:-Config-from-Scratch)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)
- [Writing a Caddy 2 module](https://github.com/caddyserver/caddy/wiki/v2:-Writing-a-Module)

## caddy v2.0.0-beta12 (2020-01-01T07:19:58+00:00)

Caddy 2.0 beta 12 is the next pre-release in the development cycle of Caddy 2 and is the best update yet! We recommend that everyone on the beta track upgrade.

Some highlights:
- Caddy now saves all config changes from the API so it can resume the last active config with the `--resume` flag
- Majorly improved documentation, and launched new docs site: ✨ https://caddyserver.com/docs/ ✨
- Changed data directory; migration is automatic (see #2955)
- Servers listening only on the HTTPS port will enable TLS automatically
- Several minor bug fixes

**[See all commits since beta 11 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta11...v2.0.0-beta12)**

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project!**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags.
We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- :new: [Getting Started](https://caddyserver.com/docs/getting-started)
- :new: [Full documentation](https://caddyserver.com/docs/)
- :new: [Writing a Caddy 2 module](https://caddyserver.com/docs/extending-caddy)
- [Caddyfile examples](https://github.com/caddyserver/caddy/wiki/v2:-Caddyfile-examples)

## caddy v2.0.0-beta.13 (2020-01-22T17:43:13+00:00)

Caddy 2.0 beta 13 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade.

We spent a LOT of time and effort improving the v2 Caddyfile for this release! It's not 100% finished yet but it is much closer. We've also updated the website with [a lot of new documentation and tutorials](https://caddyserver.com/docs/). Check it out!

⚠️ **This release contains some very helpful breaking changes.** ⚠️

[Click here for details about the significant changes in beta 13.](https://github.com/caddyserver/caddy/issues/2981)

Some highlights (breaking changes indicated by ⚠️):
- ⚠️ Path matching is now exact by default, not prefix
- ⚠️ The `rewrite` Caddyfile directive is mutually exclusive with other `rewrite` directives
- ⚠️ Caddyfile matcher syntax has changed from `matcher` and `match:` to simply `@`
- ⚠️ Environment variables in the Caddyfile can be substituted at either adapt-time or runtime
- ⚠️ HTTP route matchers are evaluated sequentially instead of all at once
- ⚠️ New `order` Caddyfile option replaces `handler_order`
- ⚠️ `redir` Caddyfile directive now comes before `rewrite` directive
- ⚠️ The `headers` Caddyfile directive was renamed to `header`
- New `route` Caddyfile directive evaluates directives in appearance order
- New `handle` Caddyfile directive enables more sophisticated route composition
- Caddyfile adapter will sort multiple instances of a directive by descending specificity of path matcher
- The `caddy` command now assumes the `caddyfile` adapter if config filename starts with `Caddyfile`
- The `caddy reload` command no longer requires `--config` flag for default Caddyfiles
- Reverse proxy's buffering can be disabled with a flush interval of -1
- Fix reverse proxy circuit breaker's `type` parameter
- Fix `http.handlers.rewrite` module's manipulation of URI and construction of query strings
- Fix `try_files` directive when used with query strings
- Many other significant improvements and fixes to the Caddyfile
- Numerous other bug fixes and minor enhancements all around
- **More details of the big changes in issue #2981**

**[See all commits since beta 12 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta12...v2.0.0-beta.13)**

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and our runway is extremely limited!**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- :new: [Getting Started](https://caddyserver.com/docs/getting-started)
- :new: [Full documentation](https://caddyserver.com/docs/)
- :new: [Writing a Caddy 2 module](https://caddyserver.com/docs/extending-caddy)

## caddy v2.0.0-beta.14 (2020-02-11T22:29:38+00:00)

Caddy 2.0 beta 14 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade.

**Did you know [we have a working NGINX config adapter](https://github.com/caddyserver/nginx-adapter)? It can turn (most of) NGINX configs into a Caddy config. Build Caddy with it plugged in, and try it out!**

Some highlights:
- DNS challenge support (JSON config only, for now)
- Improve TLS certificate selection when using Caddyfile
- Many little enhancements and bug fixes!

**[See all commits since beta 13 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.13...v2.0.0-beta.14)**

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and our runway is extremely limited!**

Please remember that Caddy 2 beta releases are not yet feature-complete as development is ongoing, nor are they stable; there are likely to be some breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

Thank you to all of you who have reported bugs or requested features so far. We continue to make good progress.

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

### Support:
- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### v2 Resources:
- [Getting Started](https://caddyserver.com/docs/getting-started)
- [Full documentation](https://caddyserver.com/docs/)
- [Writing a Caddy 2 module](https://caddyserver.com/docs/extending-caddy)

## caddy v2.0.0-beta.15 (2020-02-28T04:25:44+00:00)

Caddy 2.0 beta 15 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production!

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and our runway is extremely limited!**

Some highlights:
- Built on Go 1.14
- Can specify custom, trusted ACME server CA roots in the Caddyfile (thanks @sarge!)
- Improvements to some matchers in the Caddyfile
- New `log` Caddyfile directive enables and configures access logging (a.k.a. HTTP request logs)
- New `debug` Caddyfile option to enable debug mode (debug-level logs, globally)
- Fixes to `basicauth` directive and error handling (thanks @roblabla!)
- Fixes to TLS certificate loading
- Fixes to HTTP/3 servers through config reloads
- Fixes to reverse proxy health checks
- Fixes to header and header_regexp matchers (thanks @gilbsgilbs!)
- Several new TLS-related placeholders available (thanks @moorereason!)
- The `caddy reverse-proxy` command now has a `--change-host-header` flag
- The `reverse_proxy` directive can accept URLs for backend addresses
- Admin endpoint can be disabled in the Caddyfile with `admin off` option
- Environment variables expand nested env variables (thanks @zaquestion!)
- Performance improvements with lots of TLS automation policies
- Several other minor enhancements!
- **Known regression: Caddyfile adapter:** [Caddy network addresses](https://caddyserver.com/docs/conventions#network-addresses) are parsed incorrectly in the `reverse_proxy` and `php_fastcgi` directives; the temporary workaround is to use a working address, then fix it in the JSON. **Fix is now available in https://github.com/caddyserver/caddy/commit/c83d40ccd43c8692061732974bd02fb388acd425**; please build from source to get it.

**[See all commits since beta 14 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.14...v2.0.0-beta.15)**
# caddy v2.0.0-beta.17 (2020-03-14T01:26:34+00:00)

Caddy 2.0 beta 17 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production!

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time!**

⚠️ This release contains breaking changes. ⚠️

Some highlights:

- ⚠️ **All sites served over HTTPS by default (powered by [Smallstep](https://smallstep.com)).** Any site where a hostname or IP is provided will default to HTTPS on port 443. You can always specify a higher port if permissions require it. You may be prompted for a password the first time. Public sites continue to be served with Let's Encrypt certificates.
- ⚠️ **Port 2015 is no longer a default port.**
- ⚠️ Certificates will be [moved to a different subfolder in storage](https://github.com/caddyserver/caddy/issues/3124). This happens automatically and no action is required by you. It is still in the same root folder tree.
- ⚠️ Slight change to JSON config structure in some areas, mainly `tls` app related to certificate management.
- Certificate automation has been vastly improved and is now much more robust in error cases
- New `caddy fmt` command formats / "cleans up" a Caddyfile
- New `caddy untrust` command to uninstall a certificate from the trust store
- Experimental HTTP/3 supports QUIC draft 27
- Fix for manually loaded TLS certificates
- Ability to customize TLS client authentication modes/requirements
- Placeholders can now be escaped `\{like so\}` (useful for JSON)
- Revised HTTP->HTTPS auto-redirect algorithm
- Ability to specify default ServerName in case client does not provide/support SNI
- **Known bug (upstream):** We actually helped confirm [a bug in the Go 1.14 runtime](https://github.com/golang/go/issues/37741)! This release is affected, but it's not serious. If the `caddy` command spins the CPU and hangs at startup, simply terminate the process and restart. It only happens sometimes, and is only known to occur on macOS.
- Fixed [regression](https://github.com/caddyserver/caddy/issues/3101) in `reverse_proxy` related to upstream address parsing.
- Hotfix for beta 16, which got mangled across a bad rebase and missing CI tests that unfortunately occurred at the same time. Maybe I shouldn't have released on Friday the 13th... (**do not use beta 16**)

**[See all commits since beta 15 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.15...v2.0.0-beta.17)**
# caddy v2.0.0-beta.18 (2020-03-19T22:09:52+00:00)

Caddy 2.0 beta 18 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production!

:tada: **This tag marks feature-completeness for 2.0.** While we may still add new features before v2, they are not blocking its release. Most work going forward will be cleanup, refinement, and bug fixing, for the release candidates.

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time!**

⚠️ This release contains breaking changes. ⚠️

Some highlights:

- **[On-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls) is now configurable in the Caddyfile.** This enables getting certificates during TLS handshakes, convenient for SaaS deployments.
- ⚠️ `strip_prefix`, `strip_suffix`, and `uri_replace` Caddyfile directives were replaced by the unified [`uri` directive](https://caddyserver.com/docs/caddyfile/directives/uri)
- New `--templates` flag for the `file-server` command
- Support for listener wrapper modules
- Default log format is now JSON for non-interactive shells
- `local_certs` global option for the Caddyfile, to default to all locally-trusted certificates
- New experimental `expression` matcher supports CEL, for complex request matching logic
- Built on Go 1.14.1, which fixes the spinning CPU bug in the runtime on Mac
- Numerous bug fixes and enhancements!
**[See all commits since beta 17 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.17...v2.0.0-beta.18)**

# caddy v2.0.0-beta.19 (2020-03-23T17:31:05+00:00)

Caddy 2.0 beta 19 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production!

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and appreciate your support!**

Some highlights:

- New `handle_errors` directive for powerful, flexible error handling logic
- New [CEL](https://github.com/google/cel-spec) matcher
- New `--watch` flag for `caddy run|start` commands to auto-reload config
- Fix sporadic ACME HTTP challenge hangs
- Fix matching wildcard TLS connection policies
- Several fixes and improvements to auto-HTTPS logic
- Numerous other little fixes and improvements!
- **Known bug:** Some default configurations fail to create new Let's Encrypt accounts when needed with term agreement errors; as a workaround, specify `"http_port": 80` or `"https_port": 443` in your HTTP app config. Fixed in 4c43bf8cc8dbdaa42f3eb1fc7936afdefe3d4bbf.
**[See all commits since beta 18 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.18...v2.0.0-beta.19)**

Please remember that Caddy 2 is still pre-release so there may be breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

# caddy v2.0.0-beta.20 (2020-03-24T19:56:48+00:00)

🏷 Caddy 2.0 beta 20 is the next **and hopefully final** pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production.

🎉 **This should be the last beta version before the release candidates.** Unless major bugs or changes are found soon, the next tag will probably be RC1. Most new features are now slated for 2.1.

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and appreciate your support!**

Some highlights:

- ⚠️ Removed `jsonc` and `json5` config adapters, `brotli` encoder module, and `cache` HTTP middleware. We wanted to slim up the code base a little by removing modules that we deemed non-essential for our initial release. They will be available in other repositories, and you can still [plug them in](https://github.com/caddyserver/builder) if you need them.
- Fix for ACME error that sometimes occurred in new/first-time deployments
- reverse_proxy: Service discovery through DNS SRV records
- Numerous other bug fixes and improvements

**[See all commits since beta 19 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.19...v2.0.0-beta.20)**

# caddy v2.0.0-rc.1 (2020-04-02T23:29:12+00:00)

🎉 Release Candidate 1! A release candidate means we think the software is good enough to release, but we want to allow another cycle for bug fixes based on issues raised from the community. Now is the time to upgrade!

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and appreciate your support!**

This release is production-ready and should be used in production (after testing locally and in staging environments) as much as possible. We recommend that all users test and upgrade to RC1. Remember that release candidates are still pre-release, and there may be more than one release candidate depending on bug reports.
**Thank you to everyone who participated in the improvements for this release, especially @Mohammed90 for being our CI wizard!** Also a huge thanks to @sarge for working on integration tests, which will get more attention in the coming months, and to @whitestrake and @francislavoie for helping in the community so much.

Some highlights:

- ⚠️ A few lesser-known/used properties in the JSON were changed: `not` request matchers now take an array of objects rather than a single object; removed `manage_sync` from TLS automation policies; renamed `tag` to `any_tags` and `all_tags` and removed `policy` in TLS certificate selection policies.
- The `root` directive now gets evaluated before `redir` and `rewrite` by default.
- New `caddy trust` command for installing Caddy's default root certificate.
- Supports ACME externalAccountBinding feature, for interop with commercial CAs.
- The `not` HTTP request matcher can now consult one or more matcher sets.
- Numerous bug fixes and other improvements.

**[See all commits since beta 20 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-beta.20...v2.0.0-rc.1)**

## Changelog

- 397e04eb caddyauth: Add Metadata field to caddyauth.User (#3174)
- 6fe04a30 caddyfile: Export NewTestDispenser() (close #2930)
- 7ee3ab7b caddyfile: Formatter enhancements
- deba26d2 caddyfile: Minor fixes to the formatter
- 73643ea7 caddyhttp: 'not' matcher now accepts multiple matcher sets and OR's them (#3208)
- 581f1def caddyhttp: Print actual listener address in log message (closes #2992)
- ac65f690 caddyhttp: Rename MatchNegate type to MatchNot type
- 0d2a3511 caddyhttp: Update host matcher docs about wildcards
- 9fb0b1e8 caddytls: Add support for externalAccountBinding ACME extension
- 7ca15861 caddytls: Encode big.Int as string with JSON
- c87f82f0 caddytls: Match automation policies by wildcard subjects too
- 6ca58282 caddytls: Refactor certificate selection policies (close #1575)
- ea3688e1 caddytls: Remove ManageSync
- 5c55e5d5 caddytls: Support placeholders in key_type (#3176)
- ce3ca541 caddytls: Update cipher suite names and curve names
- 673d3d00 file_server: Fix dumb error check I must have written at 1am
- 19b45546 go.mod: Update smallstep/truststore
- d322de6b gzip: Use klauspost/gzip, an optimized gzip implementation
- 37aa516a headers: Trim any trailing colon from field names as a courtesy
- 904d9cab httpcaddyfile: Include non-standard ports when mapping logger names
- 178ba024 httpcaddyfile: Put root directive first, before redir and rewrite
- 1c190b00 httpcaddyfile: Refactor site key parsing; detect conflicting schemes
- 244b839f pki: Add trust subcommand to install root cert (closes #3204)
- 1456f15f readme: So much more ... what? Fixed cliffhanger
- e207240f reverse_proxy: Upstream.String() method returns either LookupSRV or Dial
- 809e7279 rewrite: Fix for rewrites with URI placeholders (#3209)

# caddy v2.0.0-rc.2 (2020-04-09T19:44:07+00:00)

🎉 Release Candidate 2! A release candidate means we think the software is good enough to release, but we want to allow another cycle for bug fixes based on issues raised from the community. Now is the time to upgrade!

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and appreciate your support!**

This release is production-ready and should be used in production (after testing locally and in staging environments) as much as possible. We recommend that all users test and upgrade to this release candidate.
Thank you to everyone in the community who helpfully reported bugs and contributed to this release!

Some highlights:

- ⚠️ The reverse proxy's NTLM transport module was moved into [its own repository](https://github.com/caddyserver/ntlm-transport)
- New `key_type` Caddyfile global option to customize certificate key type
- The `not` matcher in the Caddyfile can now be a one-liner to negate a single matcher
- Numerous bug fixes and other improvements
- **Known issue, already fixed:** Panic when logging an error when no logs configured; upgrade to latest commit on master for fix.

**[See all commits since RC 1 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-rc.1...v2.0.0-rc.2)**

## Changelog

- fbd9515d basicauth: Re-prompt after invalid credentials (fix #3239) (#3240)
- 7be747fb caddyhttp: Add missing LB policy Caddyfile unmarshalers (#3230)
- e5dc76b0 caddyhttp: CEL matcher checks return type; slight refactor
- 0fe98038 caddyhttp: Fix logging name associations by adding a default
- e30deedc caddyhttp: Return port placeholders as ints
- 5b355cbe caddyhttp: Strictly forbid unnecessary blocks on matchers (#3229)
- a3cfe437 caddyhttp: Support single-line not matcher (#3228)
- 85f5f47f caddytls: Don't initialize default internal issuer unless necessary
- d89ad2fd caddytls: Fix for TLS conn policy being applied to HTTP-only servers (#3243)
- 6a32daa2 caddytls: Support custom bind host for challenges (#3232)
- 4d9b63d9 cel: Leverage DefaultAdapter to extend CEL's type system
- 346c33b4 cmd: Log warning if --resume and --config used together
- 8b2dbc52 core: Rename ParsedAddress -> NetworkAddress
- 1e8af273 fastcgi: Account for lack of split path configuration (fix #3221)
- c5f9227a go.mod: Try smallstep again
- c7ac7de3 go.mod: Update CertMagic (again) v0.10.10
- b6482e53 go.mod: Update CertMagic to v0.10.8
- d33926b6 go.mod: Update certmagic
- b4a7d626 go.mod: Update dependencies
- 88d391c1 go.mod: Update smallstep/cli
- 05164c89 go.mod: Use latest Certmagic (v0.10.9)
- 28fdf64d httpcaddyfile, caddytls: Multiple edge case fixes; add tests
- 51106432 httpcaddyfile: Add key_type global option (#3231)
- 145aebbb httpcaddyfile: Carry bind setting through to ACME issuer (fixes #3232)
- 3d6fc1e1 httpcaddyfile: Yield cleaner JSON when conn policy or log name is empty
- 6e4132eb logging: Colorize output in all cases of stdout/stderr
- 6e4c688e logging: Only colorize console output
- f29023bf reverseproxy: Minor tweaks
- 2c1b6631 reverseproxy: Remove NTLM transport; refactor and improve docs
- b1ce9d4d templates: Add env function (closes #3237)
- 95f6bd7e templates: Update docs
- 437d5095 templates: Use text/template; add experimental notice to docs

# caddy v2.0.0-rc.3 (2020-04-13T19:07:28+00:00)

🎉 Release Candidate 3! It is anticipated that this is the _final pre-release_. No new bug fixes or enhancements are planned. Only critical fixes that require a significant change will result in a fourth release candidate; otherwise, the next tag should be v2.0.0.

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) this project. I work on this full-time and appreciate your support!**

This release is production-ready and should be used in production (after testing locally and in staging environments) as much as possible. We recommend that all users test and upgrade to this release candidate.

Thank you to everyone in the community who helpfully reported bugs and contributed to this release!
Some highlights:

- Fixed occasional logging-related panic on some HTTP requests (introduced in rc2)
- Enhanced default security of admin endpoint (thanks to @kalmi for the great feedback!)

**[See all commits since RC 2 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-rc.2...v2.0.0-rc.3)**

## Changelog

- a3bdc222 admin: Always enforce Host header checks
- 999ab22b caddyhttp: Add nil check (fixes #3248 and fixes #3250)
- ec456811 core: Don't return error on RegisterModule() and RegisterAdapter()
- 3bee569a httpcaddyfile: Don't remove empty TLS conn policies (fix #3249)

# caddy v2.0.0 (2020-05-04T17:06:42+00:00)

🎉 It's here! Caddy 2 is ready for production. **[Check out the v2 landing page!](https://caddyserver.com/v2)**

💚 **Please consider [sponsoring](https://github.com/sponsors/mholt) - I work on this full-time, and it would not be possible without continued company and individual sponsors, thank you!**

We recommend all users begin to [upgrade](https://caddyserver.com/docs/v2-upgrade). Please spend time in the [documentation](https://caddyserver.com/docs/). We've worked hard to make everything as clear and simple as possible. Once you have tested Caddy 2, deploy it into production. We think you'll be very pleased with the results.

Keep in mind that this is just the beginning: "2.0" does not mean the software is perfect, only that it is stable. Its readiness is guided by your feedback!
We will continue to develop features, quality-of-life improvements, and bug fixes (2.1 is already slated to have [30+ improvements](https://github.com/caddyserver/caddy/milestone/36)).

Thank you to everyone in the community who helpfully reported bugs and contributed over the past year!

**[See all commits since RC 3 here.](https://github.com/caddyserver/caddy/compare/v2.0.0-rc.3...v2.0.0)**

### Support:

- [Community forum](https://caddy.community/) to ask questions, get community support, and lend your help
- [Issue tracker](https://github.com/caddyserver/caddy/issues) for bug reports and dev discussion

### Resources:

- [Getting Started](https://caddyserver.com/docs/getting-started)
- [Full documentation](https://caddyserver.com/docs/)
- [List of community modules](https://caddy.community/t/list-of-caddy-2-modules/7839?u=matt)
- [Extending Caddy](https://caddyserver.com/docs/extending-caddy)

## Changelog

- 9a572635 admin: Close admin endpoint when shutting down (fixes #3269)
- f5ccb904 admin: Disable host checking if wildcard interface is specified
- 5ae1a561 caddyhttp: Add split_path to file matcher (used by php_fastcgi) (#3302)
- f931c26f caddyhttp: Better duration logging
- ebf07f85 caddyhttp: Fix auto redirects for catch-all HTTPS sites
- bacf50a5 caddyhttp: Fix common_log format's user ID placeholder (#3300)
- 83c85c53 caddyhttp: Fix listener overlap detection on Linux
- 026937fa caddyhttp: Fix trailers when recording responses (fixes #3236)
- 10db5702 caddyhttp: General improvements to access logging (#3301)
- a1796c2f caddytls: Adjust DNS challenge structure; clarify some docs
- 8e426610 caddytls: Finish upgrading to libdns DNS providers for ACME challenges
- 86a4f2c9 caddytls: Fix namespace tls.dns -> dns.providers
- c11d0e47 cmd: Clean up, simplify reverse proxy command; fix some edge cases
- 100d19e3 dangit, of course I would bork my git commit
- 1fa8c185 go.mod: Remove DNSProviderMaker interface; update to lego 3.6
- 2609a728 go.mod: Update dependencies including CertMagic (fixes #3202)
- 97ed9e11 httpcaddyfile: Add nil check to prevent panic, fix validation logic
- 829e36d5 httpcaddyfile: Don't lowercase placeholder contents (fixes #3264)
- bca610fb httpcaddyfile: Minor fixes to parsing storage options
- a77bd1d8 httpcaddyfile: Update tls parsing for DNS providers
- 295604d6 httpcaddyfile: Why was this code repeated??
- 0798459e readme: Fix broken links (#3283)
- 1b061815 reverseproxy: Don't forget to provision embedded headers handler
- a507a5bb reverseproxy: Remove circuitbreaker module (see #3331)
- 76bbb473 reverseproxy: Set X-Forwarded-Proto (closes #3275) (#3276)
- da8686c4 reverseproxy: always set req.URL.Host with upstream (#3297)

# caddy v2.1.0-beta.1 (2020-06-08T19:46:15+00:00)

Caddy 2.1 is now in beta! Featuring:

- Embedded ACME server (powered by [Smallstep](https://smallstep.com)). Enable it with the `acme_server` HTTP handler (or Caddyfile directive). Then by default, all requests under /acme/* will be handled by the ACME server using Caddy's default built-in CA.
- Fully-managed client certificate renewals. Caddy can obtain and renew client certificates it uses when reverse-proxying, totally hands-free! **Combined with the embedded ACME server, Caddy 2.1 offers fully-automated mTLS.**
- H2C (HTTP/2 over cleartext TCP) support, both server and client side. This means Caddy can proxy gRPC over plaintext HTTP/2 frames.
- New `handle_path` Caddyfile directive which works the same as `handle`, but it must take a path matcher, and the path prefix will be stripped implicitly before invoking the handlers in the block.
- Many quality-of-life improvements in the Caddyfile.
- Several bug fixes and other enhancements.

**Please test and upgrade to this version, and report bugs while it's still in beta!** Thank you for participating in our development cycle.
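As an added example (not taken from the release notes or from the Caddy project), a Caddyfile that places the new `handle_path` directive beside the older `handle` plus `uri strip_prefix` form it shortens, and uses the `auto_https` global option and a one-line `not` matcher that arrive in the same release; the hostname, paths and backend ports are assumed.

```caddyfile
{
    # Global option added in 2.1: keep automatic HTTPS, but do not bind
    # port 80 for HTTP->HTTPS redirects. `auto_https off` disables it entirely.
    auto_https disable_redirects
}

# The hostname, paths and backend ports below are assumed for this example.
app.example.com {
    root * /srv/www

    # One-line named matcher (new in 2.1): every request that is not under
    # /public/* gets a response header telling caches not to store it.
    @private not path /public/*
    header @private Cache-Control "no-store"

    # New handle_path: the matched prefix is stripped before the block runs,
    # so a request for /api/v1/users reaches the backend as /v1/users.
    handle_path /api/* {
        reverse_proxy localhost:9000
    }

    # The pre-2.1 equivalent: handle plus an explicit uri strip_prefix.
    handle /legacy/* {
        uri strip_prefix /legacy
        reverse_proxy localhost:9001
    }

    # A handle block without a matcher is sorted last and catches the rest.
    handle {
        file_server
    }
}
```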
## Changelog

- 1dc4ec2d admin: Disallow websockets
- aef560c7 all: Recover from panics in goroutines
- 41a682dd caddyauth: Add realm to basicauth Caddyfile directive (#3315)
- 9a7756c6 caddyauth: Cache basicauth results (fixes #3462) (#3465)
- 96d6d277 caddyconfig: Don't start comments in middle of tokens (#3267)
- 6c051cd2 caddyconfig: Minor internal and godoc tweaks
- fdf2a77f caddyfile: Add args on imports (#3423)
- ffc125d6 caddyfile: Move NewTestDispenser into non-test file (#3439)
- 52305618 caddyfile: Support backticks as quotes (closes #2591) (#3242)
- 294910c6 caddyhttp: Add client.public_key(_sha256) placeholders
- 0cbf467b caddyhttp: Add time.now placeholder and update cel-go (closes #2594)
- 2d1f7b9d caddyhttp: Auto-redirects from all bind addresses (fix #3443)
- 7b0962ba caddyhttp: Default to error status if found in context
- 4c55d26f caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379)
- d5341625 caddyhttp: Match hostnames with wildcards to loggers (#3378)
- 7960b425 caddyhttp: Minor refactoring for preparing requests
- e5bbed10 caddyhttp: Refactor header matching
- a285fe41 caddypki: Add 'acme_server' Caddyfile directive
- bde3823b caddytest: Refactor Caddyfile adapt tests to separate files (#3398)
- e18c3730 caddytls: Actually use configured test CA
- 11a132d4 caddytls: Configurable cache size limit
- 62c9f2cf cmd: Add --envfile flag to run command (#3278)
- 4df56c77 cmd: Add pidfile support (closes #3235)
- 83551edf cmd: Only stop admin server on signal if it exists (fix #3470)
- 996af091 cmd: Support admin endpoint on unix socket (#3320)
- aa208788 cmd: file-server: add --access-log flag (#3454)
- bb67e19d cmd: hash-password: Fix broken terminal state on SIGINT (#3416)
- 5bde8d70 cmd: hash-password: Support reading from stdin (#3373)
- 44536a75 cmd: reverse-proxy: add --insecure flag (with warning) (#3389)
- ef6e53bb core: Add support for `d` duration unit (#3323)
- 28ab0bfb core: Support loading modules from [][]json.RawMessage fields
- 7243454a fastcgi: `php_fastcgi` subdirectives to override shortcut behaviour (#3255)
- 1e8c9764 file_server: Accept files args in one-liner of Caddyfile matcher (#3298)
- 9dafa639 go.mod: Update dependencies
- 3fb2c394 go.mod: Update dependencies
- d5d7fb59 go.mod: Update dependencies
- fae06426 httpcaddyfile: Add `auto_https` global option (#3284)
- 1dfb1148 httpcaddyfile: Add client_auth options to tls directive (#3335)
- 21de227f httpcaddyfile: Be stricter about `log` syntax (#3419)
- cd9317e5 httpcaddyfile: Fix route ordering bug
- cc8fb488 httpcaddyfile: Improve error on matcher declared outside site block (#3431)
- a496308f httpcaddyfile: Let modules add listener wrappers (#3397)
- dc9f4f13 httpcaddyfile: Make global options pluggable (#3265)
- 8c5d00b2 httpcaddyfile: New `handle_path` directive (#3281)
- 2f59467a httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319)
- ea7e4b40 httpcaddyfile: Shorthands for parameterized placeholders (#3305)
- 97e61c16 httpcaddyfile: Sort site blocks with wildcards last (fix #3410)
- 26e55966 httpcaddyfile: Support single-line matchers (#3263)
- 41c7bd27 httpserver: Add experimental H2C support (#3289)
- bf8c3c25 log: improve rounding logic for log rolling directives (#3367)
- 9415feca logging: Net writer redials if write fails (#3453)
- c47ddbef pki: Add docs to some struct fields
- 184e8e9f pki: Embedded ACME server (#3198)
- 4b10ae5c reverseproxy: Add Caddyfile support for ClientCertificateAutomate
- afecd90a reverseproxy: Add tls_server_name option to Caddyfile (#3322)
- 1c17e6c6 reverseproxy: Allow using TLS for port 80 upstreams (see #3361)
- 90c7b4b0 reverseproxy: Apply response header ops before copying it (fix #3382) (#3401)
- 2a8a1985 reverseproxy: Don't overwrite existing X-Forwarded-Proto header
- 812278ac reverseproxy: Emit debug log before checking error (#3425)
- 7a99835d reverseproxy: Enable changing only the status code (close #2920)
- 538ddb85 reverseproxy: Enable response interception (#1447, #2920)
- 22055c5e reverseproxy: Fix https active health checks #3450 (#3451)
- c1e5c092 reverseproxy: Improve error message when using scheme+placeholder (#3393)
- 9ee01dce reverseproxy: Make debug log safe if error occurs
- 881b826f reverseproxy: Pool copy buffers (minor optimization)
- 483e31b9 templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387)
- b814c0af tls/client auth: verify first certificates in client request (#3344)

# caddy v2.1.0 (2020-06-26T19:10:29+00:00)

Caddy 2.1 introduces a variety of new features, bug fixes, and other enhancements!

Highlights:

- **Fully automated mTLS certificates.** Caddy 2.1 can fully manage _all_ its TLS certificates -- including TLS _client_ certificates -- using any ACME endpoint you configure. New in this version, the [reverse proxy](https://caddyserver.com/docs/modules/http.handlers.reverse_proxy) module [can be configured to present an automated client certificate](https://caddyserver.com/docs/modules/http.reverse_proxy.transport.http#tls/client_certificate_automate), just by providing its subject name in the config. We've tested it with Caddy's built-in ACME server, Let's Encrypt, Sectigo, and Smallstep ACME endpoints. Using this feature, Caddy will keep the client certificate renewed automatically.
- **Embedded ACME server (powered by [Smallstep](https://smallstep.com)).** This allows other ACME clients to use Caddy as an ACME endpoint. The idea here is to replace one-off self-signed, generated certificates with proper, short-lived, auto-renewing certificates for local development and internal deployments. In other words, if you're running a command every so often to produce a self-signed certificate, use Caddy instead for proper, fully-managed internal PKI. Simply add the [`acme_server` directive](https://caddyserver.com/docs/caddyfile/directives/acme_server) to your Caddyfile for its default configuration, or use its [JSON interface](https://caddyserver.com/docs/modules/http.handlers.acme_server).
- **H2C support.** Although discouraged in the general case, HTTP/2 over Cleartext HTTP (h2c) can be useful when serving or proxying gRPC locally/internally on trusted networks; and due to current poor TLS support in gRPC services currently, h2c might even be required in some cases. Caddy can now serve HTTP/2 without encryption, and it can communicate as a client with an HTTP/2 server that does not support TLS. To proxy h2c, [set the versions property](https://caddyserver.com/docs/modules/http.reverse_proxy.transport.http#versions) to include "h2c". To serve h2c, enable [allow_h2c](https://caddyserver.com/docs/modules/http#servers/allow_h2c) in your HTTP server config. - **New [`handle_path` Caddyfile directive](https://caddyserver.com/docs/caddyfile/directives/handle_path).** This works the exact same as [`handle`](https://caddyserver.com/docs/caddyfile/directives/handle), but it only accepts a path _prefix_ matcher and it strips the matched portion of the path before executing the directives contained in its block. It's a shortcut for using `handle` and `uri strip_prefix` together, which was a common-enough use case that we consolidated it into a new directive. - **Auto HTTPS can be configured in the Caddyfile.** You can use the `auto_https` [global option](https://caddyserver.com/docs/caddyfile/options) to disable it entirely, or disable only HTTP->HTTPS redirects. This is useful if you don't want to bind to any HTTP port at all. - **Various other Caddyfile improvements.** Several quality-of-life improvements for the Caddyfile, including one-line named matchers such as `@foo not path /foobar/*`, and the ability to use backticks (`) to enclose strings where double quotes (") are inconvenient. - **Reverse proxy response interception.** The reverse proxy can now [intercept and handle the response from upstream](https://caddyserver.com/docs/modules/http.handlers.reverse_proxy#handle_response) based on the response status code and/or headers. 
This allows you to invoke custom, arbitrary HTTP logic based on the response from a backend.
- **Many bug fixes and other enhancements.** We always say this, I know, but just look at that changelog.

Thank you to all who contributed and filed actionable bug reports as well as patches! Please keep it up. :)

## Changelog

1dc4ec2d admin: Disallow websockets aef560c7 all: Recover from panics in goroutines 41a682dd caddyauth: Add realm to basicauth Caddyfile directive (#3315) 9a7756c6 caddyauth: Cache basicauth results (fixes #3462) (#3465) 96d6d277 caddyconfig: Don't start comments in middle of tokens (#3267) 6c051cd2 caddyconfig: Minor internal and godoc tweaks fdf2a77f caddyfile: Add args on imports (#3423) d55c3b31 caddyhttp: Add client cert SAN placeholders ffc125d6 caddyfile: Move NewTestDispenser into non-test file (#3439) 52305618 caddyfile: Support backticks as quotes (closes #2591) (#3242) 294910c6 caddyhttp: Add client.public_key(_sha256) placeholders 0cbf467b caddyhttp: Add time.now placeholder and update cel-go (closes #2594) 2d1f7b9d caddyhttp: Auto-redirects from all bind addresses (fix #3443) 21c00a3c caddyhttp: Better host matching for logger names (fix #3488) (#3522) 7b0962ba caddyhttp: Default to error status if found in context 3af15c07 caddyhttp: Empty, not nil, query matcher matches empty query string 6db36155 caddyhttp: Enable matching empty query string 4c55d26f caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379) d5341625 caddyhttp: Match hostnames with wildcards to loggers (#3378) 7960b425 caddyhttp: Minor refactoring for preparing requests e5bbed10 caddyhttp: Refactor header matching a285fe41 caddypki: Add 'acme_server' Caddyfile directive bde3823b caddytest: Refactor Caddyfile adapt tests to separate files (#3398) e18c3730 caddytls: Actually use configured test CA 11a132d4 caddytls: Configurable cache size limit 6d03fb48 caddytls: Don't decode HMAC 62c9f2cf cmd: Add --envfile flag to run command (#3278) 4df56c77 cmd: Add pidfile
support (closes #3235) 83551edf cmd: Only stop admin server on signal if it exists (fix #3470) 996af091 cmd: Support admin endpoint on unix socket (#3320) aa208788 cmd: file-server: add --access-log flag (#3454) bb67e19d cmd: hash-password: Fix broken terminal state on SIGINT (#3416) 5bde8d70 cmd: hash-password: Support reading from stdin (#3373) 44536a75 cmd: reverse-proxy: add --insecure flag (with warning) (#3389) ef6e53bb core: Add support for `d` duration unit (#3323) 28ab0bfb core: Support loading modules from [][]json.RawMessage fields b1480eb5 fastcgi: Fix php_fastcgi matcher regression (#3512) fa4cdde7 fastcgi: Make sure splitPos handles empty SplitPath correctly (#3491) 7243454a fastcgi: `php_fastcgi` subdirectives to override shortcut behaviour (#3255) 1e8c9764 file_server: Accept files args in one-liner of Caddyfile matcher (#3298) c9049bdc go.mod: Minor dependency updates 9dafa639 go.mod: Update dependencies 3fb2c394 go.mod: Update dependencies d5d7fb59 go.mod: Update dependencies cb0d9838 go.mod: Update quic-go to 0.17.1 (draft 29) and certmagic 0.11.2 (eab) fae06426 httpcaddyfile: Add `auto_https` global option (#3284) 1dfb1148 httpcaddyfile: Add client_auth options to tls directive (#3335) 21de227f httpcaddyfile: Be stricter about `log` syntax (#3419) 32cafbb6 httpcaddyfile: Fix ordering of catch-all site blocks cd9317e5 httpcaddyfile: Fix route ordering bug cc8fb488 httpcaddyfile: Improve error on matcher declared outside site block (#3431) a496308f httpcaddyfile: Let modules add listener wrappers (#3397) dc9f4f13 httpcaddyfile: Make global options pluggable (#3265) d84a5d84 httpcaddyfile: New `acme_eab` option (#3492) 8c5d00b2 httpcaddyfile: New `handle_path` directive (#3281) 2f59467a httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319) ea7e4b40 httpcaddyfile: Shorthands for parameterized placeholders (#3305) 97e61c16 httpcaddyfile: Sort site blocks with wildcards last (fix #3410) 26e55966 httpcaddyfile: Support single-line 
matchers (#3263) 41c7bd27 httpserver: Add experimental H2C support (#3289) bf8c3c25 log: improve rounding logic for log rolling directives (#3367) 9415feca logging: Net writer redials if write fails (#3453) c47ddbef pki: Add docs to some struct fields 184e8e9f pki: Embedded ACME server (#3198) 4b10ae5c reverseproxy: Add Caddyfile support for ClientCertificateAutomate afecd90a reverseproxy: Add tls_server_name option to Caddyfile (#3322) 1c17e6c6 reverseproxy: Allow using TLS for port 80 upstreams (see #3361) 90c7b4b0 reverseproxy: Apply response header ops before copying it (fix #3382) (#3401) b3bff13f reverseproxy: Close websocket conn if req context cancels 2a8a1985 reverseproxy: Don't overwrite existing X-Forwarded-Proto header 812278ac reverseproxy: Emit debug log before checking error (#3425) 7a99835d reverseproxy: Enable changing only the status code (close #2920) 538ddb85 reverseproxy: Enable response interception (#1447, #2920) 22055c5e reverseproxy: Fix https active health checks #3450 (#3451) c1e5c092 reverseproxy: Improve error message when using scheme+placeholder (#3393) 9ee01dce reverseproxy: Make debug log safe if error occurs 881b826f reverseproxy: Pool copy buffers (minor optimization) 003403ec templates: Add support for dots to close yaml frontmatter (#3498) 483e31b9 templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387) b814c0af tls/client auth: verify first certificates in client request (#3344)

caddy v2.1.1 (2020-06-30T19:22:58+00:00)

Version 2.1.1 fixes a minor regression in v2.1 related to the CEL (expression) matcher, as well as eliminating the warning about pb.proto. Both regressions were unfortunately introduced by patch updates on dependencies. This version also adds support for placeholders in the query matcher, and a WIP/experimental `map` handler that will be finalized before 2.2.
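A Caddyfile that exercises the v2.1.0 features described in the release notes above: `handle_path` next to the equivalent `handle` plus `uri strip_prefix`, the `auto_https` global option, one-line named matchers (including the `not` form), a backtick-quoted response body, the embedded `acme_server`, an automated reverse-proxy client certificate, and proxying to an h2c upstream. This is an example written for this page, not configuration shipped by the Caddy project; every hostname, port, path and the client-certificate subject name `proxy.example.com` are assumptions.

```caddyfile
# Caddy 2.1 example added for this page (not Caddy project config).
# Hostnames, ports, paths and the client-cert subject name are assumptions.
{
	# Keep automatic certificates but do not bind an HTTP listener for redirects.
	# `auto_https off` would also turn off certificate management, which is rarely wanted.
	auto_https disable_redirects
}

# Internal ACME endpoint for other ACME clients. This site is issued by Caddy's
# local CA, since a public CA cannot validate an internal hostname.
ca.internal.example {
	tls internal
	acme_server
}

app.example.com {
	root * /srv/www

	# handle_path strips the matched prefix: /api/users reaches the upstream as /users.
	handle_path /api/* {
		# One-line named matcher with `not`; the trailing * tolerates "; charset=utf-8".
		@not_json not header Content-Type application/json*
		# Backticks let the body contain double quotes without escaping.
		respond @not_json `{"error":"expected application/json"}` 415

		reverse_proxy api.internal.example:443 {
			transport http {
				tls
				# Client certificate that Caddy obtains and renews itself via ACME.
				# The configured CA must be able to issue for this subject name.
				tls_client_auth proxy.example.com
			}
		}
	}

	# The same routing spelled out the pre-2.1 way.
	handle /legacy-api/* {
		uri strip_prefix /legacy-api
		reverse_proxy api.internal.example:443 {
			transport http {
				tls
			}
		}
	}

	# gRPC backend that only speaks cleartext HTTP/2 (h2c). Fine on a trusted
	# network segment; the hop carries no encryption or server authentication.
	@grpc header Content-Type application/grpc*
	handle @grpc {
		reverse_proxy localhost:50051 {
			transport http {
				versions h2c 2
			}
		}
	}

	file_server
}
```

Because `respond` is ordered before `reverse_proxy`, the 415 guard inside the `handle_path` block runs first and only non-JSON requests are refused; everything else reaches the upstream. The client certificate is managed exactly like a server certificate, so the ACME account configured for the site must be permitted to issue for `proxy.example.com`.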
## Changelog

6004d3f7 caddyhttp: Add 'map' handler (#3199) 77f233a4 caddyhttp: Corrected host label index check (fix #3502) ddd690de caddyhttp: Support placeholders in query matcher (#3521) d7dbf855 cel: fix validation of expression result type (#3526)

caddy v2.2.0-rc.1 (2020-08-11T16:32:08+00:00)

The release candidate for v2.2.0 - please try it out before the final release! As always, deploy into a test or staging environment before production.

Highlights:

- Replaced the old underlying ACME library (lego) with [ACMEz](https://github.com/mholt/acmez) - we now have full control over the entire certificate management stack! Config reloads will be faster and certificate management at scale will be smoother. The logs for cert operations are now consistent with Caddy's structured logs.
- Full support for a new ACME CA! [ZeroSSL](https://zerossl.com/features/acme/) is an alternative CA to Let's Encrypt. Its ACME endpoint is free to use! To clarify, ZeroSSL's ACME endpoint is RFC 8555-compliant and was already compatible with Caddy; we just made it easier to use by automating the EAB credentials for your convenience. (**Known issue:** Must use RSA certificate keys for now. This is queued to be fixed by the upstream service provider.)
- Fully customize certificate issuers from the Caddyfile. Up until now, you could only customize certain parts of the ACME issuer or choose the Internal issuer from the Caddyfile; now you have full control.
- Re-introduced HTTP/2 server push similar to how it was available in Caddy v1, but now a little better.
- ⚠️ The `logfmt` log encoder has been deprecated and will be removed. (It is already broken since it does not encode objects.)
- Customizable DNS resolver for reverse proxy.
- Numerous bug fixes and other enhancements!
## Changelog af5c148e admin,templates,core: Minor enhancements and error handling (#3607) 8a0fff58 caddyauth: hash-password: Set bcrypt cost to 14 (#3580) fb9d874f caddyfile: Export Tokenize function for lexing (#3549) 65a09524 caddyhttp: Add TLS client cert info to logs (#3640) 514eef33 caddyhttp: Add support to resolve DN in CEL expression (#3608) 6f0f159b caddyhttp: Add {http.request.body} placeholder 0bf2565c caddyhttp: Reorder some access log fields; add host matcher test case 66863aad caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633) efc0cc5e caddytls: Move initial storage clean op into goroutine 6a14e2c2 caddytls: Replace lego with acmez (#3621) 68529e2f cmd: Print caddy version with environ or --environ (#3627) 2ae8c119 fastcgi: Add resolve_root_symlink (#3587) 0665a86e fastcgi: Ensure leading slash, omit SERVER_PORT if empty for compliance (#3570) 3fdaf507 fastcgi: Fill REMOTE_USER with http.auth.user.id placeholder (#3577) 3860b235 fileserver: Don't assume len(str) == len(ToLower(str)) (fix #3623) 735c8665 fileserver: Enable browse pagination with offset parameter (#3542) c054a818 fileserver: Fix newly-introduced failing test on Linux (#3625) c42bfaf3 go.mod: Bump CertMagic 28d870c1 go.mod: Update quic-go, truststore, and goldmark c6d6a775 go.mod: Update some dependencies 2a5599e2 go.mod: Upgrade and downgrade smallstep, quic-go, and cpuid 6f73a358 httpcaddyfile: Add `compression` to http transport config (#3624) 584eba94 httpcaddyfile: Allow named matchers in `route` blocks (#3632) ff19bdda httpcaddyfile: Avoid repeated subjects in APs (fix #3618) 8b80a320 httpcaddyfile: Bring `enforce_origin` and `origins` to admin config (#3595) 7bfe5b6c httpcaddyfile: Reorder automation policy logic (close #3550) eda54c22 logging: ⚠️ Deprecate logfmt encoder 6cea1f23 push: Implement HTTP/2 server push (#3573) 904f149e reverse_proxy: fix bidirectional streams with encodings (fix #3606) (#3620) e9b1d7dc reverse_proxy: flush HTTP/2 response 
when ContentLength is unknown (#3561) 19cc2bd3 reverseproxy: Fix Caddyfile parsing for empty non-http transports (#3576) e2f913bb reverseproxy: Minor fixes and cleanup 246a31aa reverseproxy: Restore request's original host and header (fix #3509) bd9d796e reverseproxy: add support for custom DNS resolver (#3479) c3582001 templates: Disable hard wraps in Markdown rendering (#3553) a2dae1d4 templates: Fix front matter closing fence search 2bc30bb7 templates: Implement placeholders function (#3324)

caddy v2.2.0-rc.2 (2020-09-17T19:03:11+00:00)

The next release candidate for v2.2.0 - please try it out before the final tag! As always, deploy into a test or staging environment before production.

There are a lot of commits in this release because the milestone moved while we fixed problems that were reported, and we also wanted to make sure the final v2.2 release will be good and solid. Most of these commits are bug fixes, but we've also added Caddyfile support for several features, and notably: integrated Prometheus metrics. (Thanks @hairyhenderson and other contributors! That was a team effort.)

As you might expect, this release builds on [all changes in RC1](https://github.com/caddyserver/caddy/releases/tag/v2.2.0-rc.1). The documentation on our website will be updated after the final release is tagged.
## Changelog

d4f24974 browse: align template to struct field renames from 4940325 (#3706) b01bb275 caddyhttp: New placeholder for PEM of client certificate (#3662) 04f50a97 caddyhttp: Wrap http.Server logging with zap (#3668) 00e6b77f caddytls: Add `dns` config to acmeissuer (#3701) 744d04c2 caddytls: Configure custom DNS resolvers for DNS challenge (close #2476) 24f34780 caddytls: Customize DNS resolvers for DNS challenge with Caddyfile 9859ab81 caddytls: Fix resolvers option of acme issuer (Caddyfile) b88e2b6a cmd: Allow `caddy fmt` to read from stdin (#3680) 49403258 fileserver: Fix inconsistencies in browse JSON 1c5969b5 fileserver: Fix new file hide tests on Windows (#3719) b95b8738 fileserver: Fix try_files for directories; windows fix (#3684) 0ee43782 fileserver: Improve file hiding logic for directories and prefixes 3ee663de go.mod: Upgrade dependencies 997ef522 go.mod: Use v0.15(.1) of smallstep libs e3324aa6 httpcaddyfile: Ensure handle_path is sorted equally to handle (#3676) 0afbab86 httpcaddyfile: Improve directive sorting logic (#3658) 4217217b httpcaddyfile: Properly record whether we added catch-all conn policy 309c1fec logging: Implement Caddyfile support for filter encoder (#3578) 8ec51bbe metrics: Initial integration of Prometheus metrics (#3709) 724b74d9 reverseproxy: Abort active health checks on context cancellation 4cd7ae35 reverseproxy: Add `buffer_requests` option to `reverse_proxy` directive (#3710) bc453fa6 reverseproxy: Correct alternate port for active health checks (#3693) d55d50b3 reverseproxy: Enforce port range size of 1 at provision (#3695) c94f5bb7 reverseproxy: Make default buffer size const fc65320e reverseproxy: Support header selection policy on `Host` field (#3653)

caddy v2.2.0-rc.3 (2020-09-18T04:33:29+00:00)

Use this one instead.
:)

## Changelog

c82c231b caddyhttp: Remove server name from metrics d16ede35 metrics: Fix hidden panic while observing with bad exemplars (#3733)

caddy v2.2.0 (2020-09-24T18:00:43+00:00)

We are pleased to release Caddy 2.2! Our community has spent a lot of time on bug fixes, as well as some new features you will like.

Highlights:

- Full support for [ZeroSSL](https://zerossl.com/features/acme/), a new ACME CA that is a viable alternative to Let's Encrypt. Its ACME endpoint is free to use and might even be a better fit for your deployment depending on your requirements (for example, it does not have tight rate limits and does not require the DNS challenge for wildcard certs). To clarify, ZeroSSL's ACME endpoint is RFC 8555-compliant and was already compatible with Caddy; we just made it easier to use by automating the EAB credentials for your convenience.
- We now have full control over our ACME stack! By [replacing](https://github.com/caddyserver/certmagic/issues/71) our previous underlying ACME library (lego) with [ACMEz](https://github.com/mholt/acmez), Caddy can offer:
  - faster config reloads
  - more efficient cert management at scale
  - a more intuitive configuration experience
  - lighter builds
  - structured logs that are consistent with Caddy's other logs (which [you have fine-grained control over](https://caddyserver.com/docs/json/logging/)).
  - (we no longer suffer from the limitations still shared by other lego-based ACME clients)
- Integrated support for Prometheus metrics. We decided that emitting metrics is something the core of the server has to do, rather than only a separate module. We will continue improving this with time. Huge thanks to @hairyhenderson for his skillful contributions.
- [HTTP/2 server push has been re-introduced](https://caddyserver.com/docs/json/apps/http/servers/routes/handle/push/), this time better than it was in Caddy 1.
- Caddyfile enhancements, including:
  - Fully customize certificate issuers from the Caddyfile. Up until now, you could only customize certain parts of the ACME issuer or choose the Internal issuer from the Caddyfile; now you have full control.
  - Named matchers can be defined inside `route` blocks.
  - Customize log encoders.
  - `dns` property for `issuer` subdirective of `tls` directive that allows full customization of DNS challenge (those providers which support the Caddyfile)
  - Bug fixes
- ⚠️ The `logfmt` log encoder has been deprecated and will be removed. (It is already broken since it does not encode objects, so if you used it you probably stopped using it anyway.)
- Customizable DNS resolver for reverse proxy
- Latest HTTP/3 version
- Numerous bug fixes and other enhancements!

Notable bug fixes related to:

- ACME DNS challenge providers
- Custom resolvers for the DNS challenge
- ACME EAB (External Account Binding)
- Panic recovery
- Startup time when managing lots of certificates
- Correct port for active health checks (reverse_proxy module)
- Windows paths
- File hiding logic (file_server module)
- Bidirectional streaming (reverse_proxy module; specifically benefits v2ray use)
- More consistent, structured error logging when produced from HTTP code in Go's standard library
- New placeholders and log fields, especially pertaining to TLS, ACME, and HTTP

Special thanks to @francislavoie and @Mohammed90 and @hairyhenderson and others in our community for their continual aid with many bug reports and feature requests.
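One Caddyfile combining the v2.2 items described in both the rc.1 notes and the final release notes above: a fully specified ACME issuer using the DNS challenge with explicit resolvers, ZeroSSL as the issuer for a second site, the new log `filter` encoder stripping credentials from access logs, a named matcher declared inside a `route` block, the Prometheus `metrics` handler, and `buffer_requests`. This is an example written for this page, not configuration from the Caddy project; the domains, paths, upstreams and the `{env.CLOUDFLARE_API_TOKEN}` / `{env.ZEROSSL_API_KEY}` placeholders are assumptions, and the `cloudflare` DNS provider only exists in a Caddy build that includes that plugin.

```caddyfile
# Caddy 2.2 example added for this page (not Caddy project config).
# Domains, paths, upstreams and env placeholders are assumptions; the cloudflare
# DNS provider module must be compiled into the Caddy binary.
*.example.com, example.com {
	tls {
		# Fully specified ACME issuer (new in 2.2 Caddyfile): DNS challenge for the
		# wildcard, with explicit resolvers so the propagation check does not go
		# through an internal split-horizon resolver that answers differently.
		issuer acme {
			email ops@example.com
			dns cloudflare {env.CLOUDFLARE_API_TOKEN}
			resolvers 1.1.1.1 8.8.8.8
		}
	}

	# Structured access log with credentials removed before anything is written.
	log {
		output file /var/log/caddy/access.log
		format filter {
			wrap json
			fields {
				request>headers>Authorization delete
				request>headers>Cookie delete
				request>remote_addr ip_mask {
					ipv4 24
					ipv6 32
				}
			}
		}
	}

	# Scrape endpoint limited to an internal range. Note that through 2.2 the
	# remote_ip matcher still honours X-Forwarded-For (see the 2.3 notes on this
	# page), so this only holds if untrusted clients cannot reach Caddy directly.
	@internal_metrics {
		path /metrics
		remote_ip 10.0.0.0/8
	}
	handle @internal_metrics {
		metrics
	}

	route {
		# Named matcher declared inside the route block (allowed since 2.2).
		@static path /static/*
		root @static /srv/www
		file_server @static

		reverse_proxy localhost:8080 {
			# Read the whole request body before dialing the upstream, so a slow
			# client cannot hold an upstream connection open. Default is streaming.
			buffer_requests
		}
	}
}

# Second site issued by ZeroSSL through its ACME endpoint; Caddy derives the EAB
# credentials from the API key. Reading the key from a placeholder is assumed.
api.example.com {
	tls {
		issuer zerossl {env.ZEROSSL_API_KEY}
	}
	reverse_proxy localhost:8081
}
```

The `filter` encoder is the piece worth copying: `Authorization` and `Cookie` values otherwise land verbatim in the JSON access log, and masking `remote_addr` to a /24 keeps the log useful for abuse triage without storing full client addresses.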
## Changelog (Includes pre-releases) af5c148e admin,templates,core: Minor enhancements and error handling (#3607) d4f24974 browse: align template to struct field renames from 4940325 (#3706) 8a0fff58 caddyauth: hash-password: Set bcrypt cost to 14 (#3580) fb9d874f caddyfile: Export Tokenize function for lexing (#3549) 6f0f159b caddyhttp: Add {http.request.body} placeholder 514eef33 caddyhttp: Add support to resolve DN in CEL expression (#3608) 65a09524 caddyhttp: Add TLS client cert info to logs (#3640) b01bb275 caddyhttp: New placeholder for PEM of client certificate (#3662) c82c231b caddyhttp: Remove server name from metrics 0bf2565c caddyhttp: Reorder some access log fields; add host matcher test case 04f50a97 caddyhttp: Wrap http.Server logging with zap (#3668) 00e6b77f caddytls: Add `dns` config to acmeissuer (#3701) 66863aad caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633) 744d04c2 caddytls: Configure custom DNS resolvers for DNS challenge (close #2476) 24f34780 caddytls: Customize DNS resolvers for DNS challenge with Caddyfile 9859ab81 caddytls: Fix resolvers option of acme issuer (Caddyfile) efc0cc5e caddytls: Move initial storage clean op into goroutine 6a14e2c2 caddytls: Replace lego with acmez (#3621) b88e2b6a cmd: Allow `caddy fmt` to read from stdin (#3680) 68529e2f cmd: Print caddy version with environ or --environ (#3627) 2ae8c119 fastcgi: Add resolve_root_symlink (#3587) 0665a86e fastcgi: Ensure leading slash, omit SERVER_PORT if empty for compliance (#3570) 3fdaf507 fastcgi: Fill REMOTE_USER with http.auth.user.id placeholder (#3577) 3860b235 fileserver: Don't assume len(str) == len(ToLower(str)) (fix #3623) 735c8665 fileserver: Enable browse pagination with offset parameter (#3542) 49403258 fileserver: Fix inconsistencies in browse JSON 1c5969b5 fileserver: Fix new file hide tests on Windows (#3719) c054a818 fileserver: Fix newly-introduced failing test on Linux (#3625) b95b8738 fileserver: Fix try_files for 
directories; windows fix (#3684) 0ee43782 fileserver: Improve file hiding logic for directories and prefixes c42bfaf3 go.mod: Bump CertMagic 28d870c1 go.mod: Update quic-go, truststore, and goldmark c6d6a775 go.mod: Update some dependencies 2a5599e2 go.mod: Upgrade and downgrade smallstep, quic-go, and cpuid 3ee663de go.mod: Upgrade dependencies 997ef522 go.mod: Use v0.15(.1) of smallstep libs 6f73a358 httpcaddyfile: Add `compression` to http transport config (#3624) 584eba94 httpcaddyfile: Allow named matchers in `route` blocks (#3632) ff19bdda httpcaddyfile: Avoid repeated subjects in APs (fix #3618) 8b80a320 httpcaddyfile: Bring `enforce_origin` and `origins` to admin config (#3595) fe27f9cf httpcaddyfile: Disallow args on route/handle directive family (#3740) e3324aa6 httpcaddyfile: Ensure handle_path is sorted equally to handle (#3676) be6daa5f httpcaddyfile: Fix panic when parsing route with matchers (#3746) 0afbab86 httpcaddyfile: Improve directive sorting logic (#3658) 4217217b httpcaddyfile: Properly record whether we added catch-all conn policy 7bfe5b6c httpcaddyfile: Reorder automation policy logic (close #3550) eda54c22 logging: :warning: Deprecate logfmt encoder 309c1fec logging: Implement Caddyfile support for filter encoder (#3578) f197cec7 metrics: Always track method label in uppercase (#3742) d16ede35 metrics: Fix hidden panic while observing with bad exemplars (#3733) b1d456d8 metrics: Fix panic when headers aren't written (#3737) 8ec51bbe metrics: Initial integration of Prometheus metrics (#3709) 6cea1f23 push: Implement HTTP/2 server push (#3573) 904f149e reverse_proxy: fix bidirectional streams with encodings (fix #3606) (#3620) e9b1d7dc reverse_proxy: flush HTTP/2 response when ContentLength is unknown (#3561) 724b74d9 reverseproxy: Abort active health checks on context cancellation 4cd7ae35 reverseproxy: Add `buffer_requests` option to `reverse_proxy` directive (#3710) bd9d796e reverseproxy: add support for custom DNS resolver (#3479) 
bc453fa6 reverseproxy: Correct alternate port for active health checks (#3693) d55d50b3 reverseproxy: Enforce port range size of 1 at provision (#3695) 19cc2bd3 reverseproxy: Fix Caddyfile parsing for empty non-http transports (#3576) c94f5bb7 reverseproxy: Make default buffer size const e2f913bb reverseproxy: Minor fixes and cleanup 246a31aa reverseproxy: Restore request's original host and header (fix #3509) fc65320e reverseproxy: Support header selection policy on `Host` field (#3653) c3582001 templates: Disable hard wraps in Markdown rendering (#3553) a2dae1d4 templates: Fix front matter closing fence search 2bc30bb7 templates: Implement placeholders function (#3324)

caddy v2.2.1 (2020-10-13T17:44:12+00:00)

This patch release contains a number of bug fixes. Thanks for the reports and the help in debugging them!

## Changelog

85152679 admin: lower log level to Debug for /metrics requests (#3749) a33e4b54 caddyfile: Add support for `vars` and `vars_regexp` matchers (#3730) 385adf5d caddyhttp: Restore original request params before error handlers (#3781) 0fc47e83 map: Apply default if mapped output is nil ef8a372a map: Bug fixes; null literal with hyphen in Caddyfile 25d2b4bf map: Reimplement; multiple outputs; optimize dadfe193 metrics: fix handler to not run the next route (#3769) 3b9eae70 reverseproxy: Change 500 error to 502 for lookup_srv config (#3771) c7efb030 reverseproxy: Fix dial placeholders, SRV, active health checks (#3780) fdfdc033 reverseproxy: Ignore RFC 1521 params in Content-Type header (#3758) 6722426f reverseproxy: allow no port for SRV; fix regression in d55d50b (#3756) aa9c3eb7 reverseproxy: default to port 80 for upstreams in Caddyfile (#3772)

caddy v2.3.0-beta.1 (2020-11-30T20:14:31+00:00)

Caddy 2.3 beta 1 is the first pre-release for Caddy 2.3! Please help test it in appropriate staging/test environments, and low-risk production environments.
Major features and improvements include:

- **Multi-issuer support.** Caddy can now get certificates from multiple issuers for redundancy; if one fails, another will be tried. Caddy's new defaults are Let's Encrypt and ZeroSSL. Caddy is the first web server to support multiple issuers, offering unrivaled reliability for your site's HTTPS. It is the first ACME client to support multiple CA fallbacks.
- **Improved on-demand TLS.** On-demand TLS is where certificate obtain/renew operations are triggered on a TLS handshake that requires them. We've moved a lot of the processing to the background where possible (e.g. when an existing certificate is still usable) so more connections will finish their handshakes faster, and fewer handshakes will fail (however, you still need to watch the logs and fix the errors before it's too late).
- **Support for alternate certificate chains.** You can now customize which certificate chains to download from ACME servers that offer more than one.
- **New `map` handler is ready for production use.** It's been in Caddy for a few versions now but it's finally ready for production, with enhanced efficiency and functionality. It will be added to the documentation shortly. We have been using this handler with a customer in production for a while now, on an instance that is handling thousands of sites.
- **Customize servers and listeners with the Caddyfile.** The Caddyfile structure is oriented around sites for convenience, so customizing servers has not been possible until now. You can now use global options to configure servers and their listeners (for example, protocol options, socket read options, and more) without having to use JSON config.

This release also contains numerous bug fixes and other enhancements. Please help test it and report any issues with as much detail and simplification as you can, thank you!

This release is the work of at least 16 contributors.
## Changelog c5197f59 acme_server: fix reload of acme database (#3874) 06ba006f acme_server: switch to bbolt storage (#3868) 7a3d9d81 basicauth: Minor internal improvements (#3861) 937ec342 caddyauth: Prevent user enumeration by timing c6dec305 caddyfile: Add support for env var defaults; add tests (#3682) 4fc57071 caddyhttp: Fix header matcher when using nil 966d5e6b caddyhttp: Merge header matchers in Caddyfile (#3832) b4f49e29 caddyhttp: Merge query matchers in Caddyfile (#3839) 1438e4db caddyhttp: New idle_timeout default of 5m 349457cc caddyhttp: Return error if error handling error b0f8fc7a caddytls: Configure trusted CAs from PEM files (#3882) 95af4262 caddytls: Support ACME alt cert chain preferences 13781e67 caddytls: Support multiple issuers (#3862) eda9a1b3 fastcgi: Add timeouts support to Caddyfile adapter (#3842) 7d7434c9 fileserver: Add debug logging 8d038ca5 fileserver: Improve and clarify file hiding logic (#3844) 0a7721dc fileserver: Preserve transformed root (fix #3838) b6e96d6f go.mod: Update CertMagic 1e480b81 go.mod: update quic-go to v0.19.2 (#3880) a26f70a1 headers: Fix Caddyfile parsing with request matcher (#3892) b0d5c2c8 headers: Support default header values in Caddyfile with '?' 
(#3807) 7c28ecb5 httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846) 3cfefeb0 httpcaddyfile: Configure servers via global options (#3836) 03d853e2 httpcaddyfile: Fix test on Windows b6686a54 httpcaddyfile: Improve AP logic with OnDemand 63afffc2 httpcaddyfile: Proper log config with catch-all blocks (fix #3878) db4f1c02 httpcaddyfile: Revise automation policy generation (#3824) dd26875f logging: Fix for IP filtering 670b723e requestbody: Add Caddyfile support (#3859) 99b8f444 reverse_proxy: Fix random_choose selection policy (#3811) 4a641f6c reverseproxy: Add Caddyfile scheme shorthand for h2c (#3629) b6609937 reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829) 53aa60af reverseproxy: Handle "operation was canceled" errors (#3816) 6e0849d4 reverseproxy: Implement cookie hash selection policy (#3809) 96058538 reverseproxy: Logging for streaming and upgrades (#3689) 860cc6ad reverseproxy: Wire up some http transport options in Caddyfile (#3843) c9fdff99 reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819) 6ea6f3eb reverseproxy: fix random hangs on http/2 requests with server push (#3875)

caddy v2.3.0-rc.1 (2020-12-12T21:02:17+00:00)

This is the first release candidate. We think 2.3 is ready to go, but we want to be extra sure! Please try it out in low-risk deployments and report any problems. Thank you!

Docs will be updated over the coming days and weeks. See the additional release notes from the beta release if you're coming from 2.2.

:warning: The `remote_ip` matcher no longer reads the X-Forwarded-For header by default. This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable `forwarded` (in the Caddyfile, just put `forwarded` as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.
## Changelog

4cff36d7 caddyauth: Use buffered channel passed to signal.Notify (#3895) 3d0e0462 caddyauth: Use structured log 63bda6a0 caddyhttp: Clean up internal auto-HTTPS redirect code b8a799df caddyhttp: Document that remote_ip reads X-Forwarded-For header 9157051f caddyhttp: Optimize large host matchers deedf8ab caddyhttp: Optionally use forwarded IP for remote_ip matcher e7a5a385 cmd: add ability to read config from stdin (#3898) 6e9ac248 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739) a7481516 go.mod: Update CertMagic (fix #3911) 31fbcd74 go.mod: Upgrade some dependencies 5643dc3f go.mod: update quic-go to v0.19.3 (#3901) 7e719157 httpcaddyfile: Decrement counter when removing conn policy (fix #3906) c898a37f httpcaddyfile: support matching headers that do not exist (#3909)

caddy v2.3.0 (2021-01-01T00:02:56+00:00)

Caddy 2.3 is the first web server to be able to get certificates from multiple issuers (for redundancy)! We've also optimized several things for large-scale deployments, as there are businesses using Caddy to serve tens of thousands of sites per instance.

The main highlights of this release include:

- **Multi-issuer support.** Caddy can now get certificates from [multiple issuers for redundancy](https://caddyserver.com/docs/automatic-https#issuer-fallback); if one fails, another will be tried. Caddy's new defaults are Let's Encrypt and ZeroSSL. You can customize these, including adding local/self-signed certificates as a last resort if desired. Caddy is the first web server to support multiple issuers, offering unrivaled reliability for your site's HTTPS. It is the first ACME client to support multiple CA fallbacks.
- **Improved on-demand TLS.** [On-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls) is an operating mode by which certificate obtain/renew operations are triggered on a TLS handshake that requires them, rather than happening at config-load time.
We've moved a lot of the processing to the background where possible (e.g. when an existing certificate is still usable) so more connections will finish their handshakes faster, and fewer handshakes will fail (however, you still need to watch the logs and fix the errors before it's too late). Several businesses we know of currently rely on this unique feature at a scale of tens of thousands of sites.
- **Support for alternate certificate chains.** You can now [customize which certificate chains to download](https://caddyserver.com/docs/json/apps/tls/automation/policies/issuer/acme/preferred_chains/) from ACME servers that offer more than one.
- **[New `map` handler](https://caddyserver.com/docs/modules/http.handlers.map) is ready for production use.** ([Caddyfile docs](https://caddyserver.com/docs/caddyfile/directives/map)) It's been in Caddy for a few versions now but it's finally ready for production, with enhanced efficiency and functionality. We have been using this handler with a customer in production for a while now, on an instance that is handling thousands of sites.
- **[Customize servers and listeners](https://caddyserver.com/docs/caddyfile/options#server-options) with the Caddyfile.** The Caddyfile structure is oriented around sites for convenience, so customizing servers has not been possible until now. You can now use global options to configure servers and their listeners (for example, protocol options, socket read options, and more) without having to use JSON config.

Of course, there are also numerous bug fixes and other enhancements, including bringing more configuration options into the Caddyfile. Thank you to everyone who contributed code, code reviews, or participated in the pre-releases.

There are a couple of minor breaking changes, but one was not documented and the other has always been an experimental feature:

- :warning: The `remote_ip` matcher no longer reads the X-Forwarded-For header by default.
This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable `forwarded` (in the Caddyfile, just put `forwarded` as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.
- :warning: The `experimental_http3` global option in the Caddyfile has been replaced with [global server options](https://github.com/caddyserver/caddy/commit/3cfefeb0f71d54f1d9a76a63be7b97d0943c88ef), one of which is the `experimental_http3` protocol. Docs will be updated shortly. This is still an unstable feature until HTTP/3 is finalized and our upstream QUIC/H3 lib is stable and we've decided to keep HTTP/3 enabled in the core by default.

Along with this release, we've taken the opportunity to consolidate our documentation regarding getting/installing Caddy. There is no more `/docs/download` page, instead it was combined with [`/docs/install`](https://caddyserver.com/docs/install) which better organizes the various official and unofficial ways to get Caddy. (To be clear, our [download page at `/download`](https://caddyserver.com/download) is still available.) Also, we started using Cloudsmith for our Debian packaging -- they're donating this service to our open source project and their team has been a pleasure to work with.

This release is the work of at least 20 contributors. Thank you!
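A Caddyfile showing the v2.3 changes described in the beta, rc.1 and final notes above: global server options replacing settings that were JSON-only, issuer fallback with the internal CA as the last resort, client-certificate trust loaded from a PEM file, the `request_body` limit, the `h2c://` upstream shorthand, and the `remote_ip` matcher in its new default form beside the opt-in `forwarded` form. This is an example written for this page, not configuration from the Caddy project; the hostnames, address ranges, paths, upstream ports and the CA file location are assumptions.

```caddyfile
# Caddy 2.3 example added for this page (not Caddy project config).
# Hostnames, CIDR ranges, paths, ports and the CA file are assumptions.
{
	# Server and listener settings are now Caddyfile global options.
	servers {
		timeouts {
			read_header 10s
			read_body 30s
			write 30s
			idle 5m
		}
		max_header_size 16KB
		protocol {
			# Only needed when clients send cleartext HTTP/2 (e.g. gRPC) to Caddy itself.
			allow_h2c
		}
	}
}

example.com {
	tls {
		# Issuers are tried in the order listed, and naming any issuer replaces the
		# default pair (Let's Encrypt, then ZeroSSL). The internal CA is the last
		# resort: it keeps TLS up, but browsers will not trust that certificate.
		issuer acme {
			email ops@example.com
		}
		issuer internal

		# Mutual TLS with the trusted CA given as a PEM file (2.3 syntax; earlier
		# releases required base64 DER inline).
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/client-ca.pem
		}
	}

	# 2.3 default: remote_ip is the TCP peer address; X-Forwarded-For is ignored.
	@outsider not remote_ip 10.0.0.0/8 192.168.0.0/16

	# Pre-2.3 behaviour, now opt-in. Use it only when Caddy is reachable solely
	# through a proxy that overwrites X-Forwarded-For; otherwise any client can
	# send "X-Forwarded-For: 10.0.0.1" and pass the check.
	# @outsider not remote_ip forwarded 10.0.0.0/8 192.168.0.0/16

	handle /admin/* {
		# respond is ordered before reverse_proxy, so outsiders never reach the upstream.
		respond @outsider "forbidden" 403
		# Reject oversized bodies before they are streamed to the admin backend.
		request_body {
			max_size 1MB
		}
		# h2c:// is the new shorthand for a cleartext HTTP/2 upstream.
		reverse_proxy h2c://localhost:9090
	}

	handle {
		reverse_proxy localhost:8080
	}
}
```

The `remote_ip` change is the security-relevant part. With the commented-out `forwarded` form, the matcher believes whatever the client put in `X-Forwarded-For`, so it is only meaningful when the only path to Caddy is a proxy you control that strips or rewrites that header; the uncommented form trusts nothing but the socket peer address.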
## Changelog

- c5197f5 acme_server: fix reload of acme database (#3874)
- 06ba006 acme_server: switch to bbolt storage (#3868)
- 7a3d9d8 basicauth: Minor internal improvements (#3861)
- 937ec34 caddyauth: Prevent user enumeration by timing
- 4cff36d7 caddyauth: Use buffered channel passed to signal.Notify (#3895)
- 3d0e0462 caddyauth: Use structured log
- c6dec30 caddyfile: Add support for env var defaults; add tests (#3682)
- 635f075 caddyfile: Fix minor bug in formatter
- 63bda6a0 caddyhttp: Clean up internal auto-HTTPS redirect code
- b8a799df caddyhttp: Document that remote_ip reads X-Forwarded-For header
- 4fc5707 caddyhttp: Fix header matcher when using nil
- 966d5e6 caddyhttp: Merge header matchers in Caddyfile (#3832)
- b4f49e2 caddyhttp: Merge query matchers in Caddyfile (#3839)
- 1438e4d caddyhttp: New idle_timeout default of 5m
- 9157051f caddyhttp: Optimize large host matchers
- deedf8ab caddyhttp: Optionally use forwarded IP for remote_ip matcher
- 349457c caddyhttp: Return error if error handling error
- b0f8fc7 caddytls: Configure trusted CAs from PEM files (#3882)
- e384f07 caddytls: Improve alt chain preference settings
- 95af426 caddytls: Support ACME alt cert chain preferences
- 13781e6 caddytls: Support multiple issuers (#3862)
- e7a5a385 cmd: add ability to read config from stdin (#3898)
- eda9a1b fastcgi: Add timeouts support to Caddyfile adapter (#3842)
- 6e9ac248 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739)
- 7d7434c fileserver: Add debug logging
- d8bcf5b fileserver: Fix "go up" links in browse listings (closes #3942)
- 8d038ca fileserver: Improve and clarify file hiding logic (#3844)
- 0a7721d fileserver: Preserve transformed root (fix #3838)
- b6e96d6 go.mod: Update CertMagic
- a7481516 go.mod: Update CertMagic (fix #3911)
- 1e480b8 go.mod: update quic-go to v0.19.2 (#3880)
- 5643dc3f go.mod: update quic-go to v0.19.3 (#3901)
- 31fbcd74 go.mod: Upgrade some dependencies
- a26f70a headers: Fix Caddyfile parsing with request matcher (#3892)
- b0d5c2c headers: Support default header values in Caddyfile with '?' (#3807)
- 7c28ecb httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)
- 3cfefeb httpcaddyfile: Configure servers via global options (#3836)
- 7e719157 httpcaddyfile: Decrement counter when removing conn policy (fix #3906)
- 03d853e httpcaddyfile: Fix test on Windows
- b6686a5 httpcaddyfile: Improve AP logic with OnDemand
- 63afffc httpcaddyfile: Proper log config with catch-all blocks (fix #3878)
- db4f1c0 httpcaddyfile: Revise automation policy generation (#3824)
- c898a37f httpcaddyfile: support matching headers that do not exist (#3909)
- dd26875 logging: Fix for IP filtering
- ebc278e metrics: allow disabling OpenMetrics negotiation (#3944)
- 670b723 requestbody: Add Caddyfile support (#3859)
- 99b8f44 reverse_proxy: Fix random_choose selection policy (#3811)
- 4a641f6 reverseproxy: Add Caddyfile scheme shorthand for h2c (#3629)
- b660993 reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829)
- 53aa60a reverseproxy: Handle "operation was canceled" errors (#3816)
- 6e0849d reverseproxy: Implement cookie hash selection policy (#3809)
- 9605853 reverseproxy: Logging for streaming and upgrades (#3689)
- 132525d reverseproxy: Minor lint fixes
- 860cc6a reverseproxy: Wire up some http transport options in Caddyfile (#3843)
- c9fdff9 reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819)
- 6ea6f3e reverseproxy: fix random hangs on http/2 requests with server push (#3875)

Release date: 2021-01-01T00:02:56+00:00

# caddy v2.4.0-beta.1 (2021-02-15T19:51:15+00:00)

_"Surprise, surprise, surprise!"_ (Do you know which classic TV character that quote is from?)

We've made a lot of progress on new features since v2.3, and all the major work slated for v2.4 is already done! This is a _preview release_. **This is a _preview release_.** There's still some fine-tuning we need to do which is delaying the release candidates, but I wanted to roll out some of the exciting improvements early so you can start testing them.
As far as I can tell, this tag is relatively stable. However, please expect bugs; though I bet most of them will be minor or limited to edge cases.

Documentation will be updated in the coming weeks. Until then, please refer to individual commits/issues (below) and the code base directly (it is easy to search and read) for docs. We're happy to help [on our forums](https://caddy.community) too.

Highlights:

- **Secure remote management.** You can now enable secure remote access to Caddy's admin API! It uses TLS mutual authentication, and you can even define permissions for different users. PR #3994
- **Config pull at start.** Caddy can be configured to load a different config at startup. This is useful if your config is federated through a separate system that doesn't have the ability to push configs to Caddy. This feature is modular! PR #3994
- **Server identity management.** Caddy can manage its own server identity certificate, which can be used when negotiating TLS connections with peers. This is required when enabling the secure admin API. PR #3994
- **Self-upgrade command.** The new `caddy upgrade` command will replace the current Caddy binary with an upgraded one from our website, with all the same modules installed, including third-party plugins! (We can use this code to add/remove modules later, too.)
- **Caddyfile `fmt` lint check.** When running with a Caddyfile, Caddy will emit a warning if the Caddyfile is not formatted with `caddy fmt`.
- **New `abort` directive.** The `abort` directive is a special case of the `static_response` HTTP handler that _prevents_ an HTTP response by aborting the handler chain immediately and forcefully closing the connection.
- **Better `caddy list-modules` output.** Now modules are organized by standard and non-standard modules, so you can easily see if a Caddy build has been customized.
- **:warning: Removed the `logfmt` log encoder.** It was broken anyways, and its deprecation was announced in previous releases.
- **Numerous bug fixes and improvements.** Thanks for the detailed, helpful bug reports! We appreciate your collaboration in making Caddy better.

Many other things have been added, changed, or improved as well. See all the commits for details. Please give this a try in low-risk environments as soon as you can, and we'll be able to ship a better v2.4 stable!

## Changelog

- bf50d701 acmeserver: Support custom CAs from Caddyfile
- ab80ff4f admin: Identity management, remote admin, config loaders (#3994)
- 3366384d caddycmd: Add upgrade command (#3972)
- c8557dc0 caddyfile: Introduce basic linting and fmt check (#3923)
- f0216967 caddyfile: Refactor unmarshaling of module tokens
- 8ec90f1c caddyhttp: Check for invalid subdirectives of static_response
- bef80cd8 caddyhttp: Fix redir html status code, improve flow (#3987)
- e2c5c285 caddyhttp: Implement handler abort; new 'abort' directive (close #3871) (#3983)
- cc63c580 caddyhttp: Support placeholders in header matcher values (close #3916)
- 160d1999 caddytest: Update Caddyfile tests for formatting, HTTP-only blocks
- 09432ba6 caddytls: Configurable OCSP stapling; global option (closes #3714)
- 51e3fdba caddytls: Save email with account if not already specified
- 8b6fdc04 caddytls: add 'key_type' subdirective (#3956)
- 2772ede4 cmd: Add --force flag to reload command (close #4005)
- ed678235 cmd: Clean up `build-info` and `upgrade` output
- 59071ea1 cmd: Implement sd_notify() to notify systemd about readiness (#3963)
- 144b65cf cmd: Organize list-modules output; --packages flag (#3925)
- 8f6f9865 cmd: Print more detailed version with --environ
- b1bec8c8 go.mod: Update CertMagic and acmez (improved IDN support)
- 8c291298 httpcaddyfile: Add resolvers subdir of tls (close #4008)
- 7846bc1e httpcaddyfile: Adjust iterator when removing AP (fix #3953)
- 653a0d3f httpcaddyfile: Fix automation policies
- 90284e80 httpcaddyfile: Fix default issuers when email provided
- d68cff8e httpcaddyfile: Skip TLS APs for HTTP-only hosts (fix #3977)
- 55e49ff5 httpcaddyfile: Sort catch-all site blocks properly (fix #4003)
- c2b91dbd httpcaddyfile: Support repeated use of cert_issuer global option
- c9861106 httpcaddyfile: Warn if site address uses unspecified IP (close #4004)
- ef544832 logging: Remove logfmt encoder (close #3575)
- 58e83a81 map: Add missing json struct tag
- 3c9256a1 reverseproxy: Caddyfile health check headers, host header support (#3948)
- 5ef76ff3 reverseproxy: Response buffering & configurable buffer size
- 88a38bd0 rewrite: Use RawPath instead of Path (fix #3596) (#3918)
- 14f50d9d templates: Add fileExists and httpError template actions

# caddy v2.4.0-beta.2 (2021-04-02T00:21:55+00:00)

The beta channel marches on for 2.4 with beta 2. In addition to the changes/additions/improvements from the previous beta, this release includes:

- Caddyfile: global option to configure loggers
- Content negotiation: precompressed sidecar files (static file server)
- Dark mode in static file server's "browse" directory listings
- Caddyfile: New `error` directive to return internal error values in HTTP handler chain
- Caddyfile: Configure other apps from global options of HTTP Caddyfile
- :warning: reverse_proxy: Deprecate `health_path` in favor of `health_uri` for active health checks
- reverse_proxy: New placeholders related to latency and duration
- Fixed DNS challenge for several providers.
## Changelog

- a87f757f .gitignore: add IDE files (#4087)
- 28a41599 CONTRIBUTING: fix spelling (#4070)
- aac1ccf1 caddy: Add InstanceID() method
- ec3ac840 caddy: Support SetReadBuffer and SyscallConn for QUIC (fix #3998)
- 2a127ac3 caddyconfig: add global option for configuring loggers (#4028)
- d63d5ae1 caddyhttp: improve grammar of comment for AllowH2C (#4072)
- ec309c6d caddypki: Add SignWithRoot option for ACME server
- f6bb02b3 caddytls: Remove old asset migration code (close #3894)
- 911c8a37 cmd: Use formatted logger for config adapter warnings (#4080)
- 87fbc078 cmd: main: fix minor doc typos (#4082)
- a8fdc0a9 core: Initialize logging before admin
- f35a7fa4 encode,staticfiles: Content negotiation, precompressed files (#4045)
- 0018b9be fileserver: Add a few more debug lines (#4063)
- a48c6205 fileserver: Browse listing supports dark mode (#4066)
- 5bf0a55d fileserver: Don't replace in request paths (fix #4027)
- 427bbe99 go.mod: Latest CertMagic (updated libdns conventions)
- 1c8ea008 go.mod: Migrate to golang.org/x/term (#4073)
- a0a7c60c go.mod: Use latest CertMagic
- f1c36680 headers: Fix Caddyfile parsing for `request_header` with matchers (#4085)
- 0d7fe360 httpcaddyfile: Add `error` directive for the existing handler (#4034)
- bafb5629 httpcaddyfile: Configure other apps from global options (#3990)
- edb362aa httpcaddyfile: Fix catch-all site block sorting
- f137b822 logging: add replace filter for static value replacement (#4029)
- 802f80c3 map: Accept regex substitution in outputs (#3991)
- 6722ae3a reverseproxy: Add duration/latency placeholders (close #4012) (#4013)
- ce5a0934 reverseproxy: Fix round robin data race (#4038)
- 51f35ba0 reverseproxy: Fix upstreams with placeholders with no port (#4046)
- 75f797de reverseproxy: Implement health_uri, deprecate health_path, supports query (#4050)
- bd357bf0 reverseproxy: Set cookie path to `/` when using cookie lb_policy (#4096)
- ad8d01cb rewrite: Implement regex path replacements
- a6bc5815 sigtrap_posix: add missing comma to SIGTERM info (#4078)
# caddy v2.4.0-rc.1 (2021-05-03T18:02:07+00:00)

This is a Release Candidate, meaning we think it's good enough to release but we want your help to make sure. It contains over 100 commits from the last stable release! Please report any bugs.

If you're coming from v2.3, be sure to check the change logs from the previous pre-releases as well.

## Changelog

- a8d45277 caddyfile: Fix `import` replacing unrelated placeholders (#4129)
- 3401f91d caddyfile: Normalize line endings before comparing fmt result (#4103)
- 3903642a caddyfile: reject cyclic imports (#4022)
- d789596b caddyhttp: Implement better logic for inserting the HTTP->HTTPS redirs (#4033)
- 53ececda caddyhttp: performance improvement in HeaderRE Matcher (#4143)
- 1e218e1d caddytls: Add `load_storage` module (#4055)
- 42b7134f caddytls: Configurable storage clean interval
- 2250920e caddytls: Disable OCSP stapling for manual certs (#4064)
- 956f0116 caddytls: Implement remote IP connection matcher (#4123)
- e6f6d3a4 cmd: Add --envfile flag to `start` command (#4141)
- 3f6283b3 fileserver: Add status code override (#4076)
- 3a1e81db fileserver: Better handling of HTTP status override (#4132)
- 637fd8f6 fileserver: Share template logic for both `templates` and `file_server browse` (#4093)
- 00e12aa9 fuzz: fix the FuzzFormat comparison (#4117)
- efe84497 go.mod: CertMagic v0.13.1
- 66783eb4 go.mod: Update quic-go to v0.20.1 (#4075)
- ef7f15f3 httpcaddyfile: Add `auto_https ignore_loaded_certs` (#4077)
- 6e0e3e15 httpcaddyfile: Add global option for `storage_clean_interval` (#4134)
- 1455d6bb httpcaddyfile: Fix panic in automation policy consolidation (#4104)
- ff6ca577 httpcaddyfile: Fix unexpectedly removed policy (#4128)
- 96bb3659 httpcaddyfile: Take into account host scheme/port (fix #4113)
- 45fb7202 notify: Send all sd_notify signals from main caddy process (#4060)
- e4a22de9 reverseproxy: Add `handle_response` blocks to `reverse_proxy` (#3712) (#4021)
- 4d0474e3 reverseproxy: Admin endpoint for reporting upstream statuses (#4125)
- 90175571 reverseproxy: fix hash selection policy (#4137)

# caddy v2.4.0 (2021-05-10T20:07:36+00:00)

Caddy v2.4.0 is our first stable release of 2021, ushering in over 110 patches including new features and bug fixes. Thank you to the many contributors who helped make this possible!

Highlights:

- **Secure remote management.** You can now [enable secure remote access](https://caddyserver.com/docs/json/admin/remote/) to Caddy's [admin API](https://caddyserver.com/docs/api)! It uses TLS mutual authentication, and you can even define permissions for different users. PR #3994
- **Config pull at start.** Caddy can be configured to [load a different config at startup](https://caddyserver.com/docs/json/admin/config/load/). This is useful if your config is federated through a separate system that doesn't have the ability to push configs to Caddy. This feature is modular, so configurations can be loaded different ways! PR #3994
- **Server identity management.** Caddy can [automatically manage its own server identity certificate](https://caddyserver.com/docs/json/admin/identity/), which can be used when negotiating TLS connections with peers. This is required when enabling the secure admin API. PR #3994
- **Self-upgrade command.** The [new `caddy upgrade` command](https://caddyserver.com/docs/command-line#caddy-upgrade) will replace the current Caddy binary with an upgraded one from our website, with all the same modules installed, including third-party plugins that are registered on our site! (We can use this code to add/remove modules later, too.)
- **Configure other apps from the HTTP Caddyfile.** The global options block of the Caddyfile now allows configuration of Caddy apps other than HTTP (for example, [dynamic_dns](https://github.com/mholt/caddy-dynamicdns) to keep DNS records pointed at your server with a dynamic IP address).
- **Caddyfile `fmt` lint check.** When running with a Caddyfile, Caddy will emit a warning if the Caddyfile is not formatted with `caddy fmt`.
- **New `abort` directive.** [The `abort` directive](https://caddyserver.com/docs/caddyfile/directives/abort) is a special case of the `static_response` HTTP handler that _prevents_ an HTTP response by aborting the handler chain immediately and forcefully closing the connection.
- **New `error` directive.** [The `error` directive](https://caddyserver.com/docs/caddyfile/directives/error) returns internal error values in the HTTP handler chain, as if an HTTP error had occurred, causing your error routes to be invoked.
- **Configure response interception from Caddyfile.** The reverse_proxy is capable of intercepting responses from the backend, and [now this is exposed in the Caddyfile with `handle_response`](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#intercepting-responses).
- **Better `caddy list-modules` output.** Now modules are organized by standard and non-standard modules, so you can easily see if a Caddy build has been customized.
- **Configure logging from Caddyfile.** The process logs can now be [configured from the global options](https://caddyserver.com/docs/caddyfile/options#log) of the Caddyfile.
- **Better content negotiation.** [The file server can now be configured](https://caddyserver.com/docs/modules/http.handlers.file_server#precompressed) to serve precompressed sidecar files, and content encoding preferences are better configured and honored.
- **Dark mode in directory listings.** The file server's "browse" file listings now have a dark mode.
- **:warning: Removed the `logfmt` log encoder.** It was broken anyways, and its deprecation was announced in previous releases.
- **:warning: Deprecated `common_log` format.** It will be removed in a future release. Issue #4148
- **:warning: Deprecated `health_path` in `reverse_proxy` directive.** It has been replaced with `health_uri` and will be removed in the future.
- **Numerous bug fixes and improvements.** Thanks for the detailed, helpful bug reports! We appreciate your collaboration in making Caddy better.

## New content for sponsors

I've started writing high-quality, in-depth chapters about how to get the most out of Caddy in my new [Expert Caddy](https://matt.life/expert-caddy) series, exclusively for sponsors! If you or your company are sponsoring, you can have access to this content, which I'll continue adding to over time. If you aren't sponsoring yet, [please do so](https://github.com/sponsors/mholt)! Sponsorships fund my full-time development of Caddy, and that's especially vital if your business relies on Caddy.

## Changelog (since RC 1)

For a detailed list of all commits since v2.3.0, please refer to prior pre-release changelogs.

- bc221024 caddyfile: Fix `caddy fmt` nesting not decrementing (#4157)
- d4b2f1bc caddyhttp: Fix fallback for the error handler chain (#4131)
- 61642b76 caddytls: Run replacer on ask URL, for env vars (#4154)
- 77764714 encode: Default to order the formats are enabled for `prefer` in Caddyfile (#4151)
- f5db41ce encode: Drop `prefer` from Caddyfile (#4156)
- 74f5d66c fileserver: Fix `file` matcher with empty `try_files` (#4147)
- 3cf443f0 httpcaddyfile: Add `grace_period` global option (#4152)
- a17c3b56 reverseproxy: Minor logging improvements

# caddy v2.4.1 (2021-05-20T01:24:28+00:00)

A small patch release that contains a few noncritical but pleasant fixes (unless you're using `/id/` endpoints in the admin API; then you should definitely get this update).
## Changelog

- 7f26a6b3 admin: Reinstate internal redirect for /id/ requests
- b82db994 caddyfile: Add parse error on site address with trailing `{` (#4163)
- 2aefe156 cmd: upgrade: inherit the permissions of the original executable (#4160)
- dbe164d9 httpcaddyfile: Fix automation policy consolidation again (fix #4161)
- e3c369d4 logging: Implement dial timeout for net writer (fix #4083) (#4172)
- aef8d4de reverseproxy: Set the headers in the replacer before `handle_response` (#4165)

# caddy v2.4.2 (2021-06-12T21:21:11+00:00)

A few enhancements and bug fixes. Thanks to all who contributed to this release!

## Changelog

- 323ffd20 admin: Replace admin cert cache when reloading (fix #4184)
- 4c2da188 caddytls: Add Caddyfile support for `propagation_timeout` (#4178)
- 76913b19 fileserver: Fix browse not redirecting query parameters (#4196)
- f9b54454 fileserver: Redirect within the original URL (#4179)
- ecd5eeab go.mod: Update direct dependencies
- 89aa3a5e go.mod: Use CertMagic v0.14.0 (fix #4191)
- 1e92258d httpcaddyfile: Add `preferred_chains` global option and issuer subdirective (#4192)
- 658772ff httpcaddyfile: Add `skip_install_trust` global option (#4153)
- 05656a60 httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
- 94b71200 logging: Actually use `level_key` (#4189)
- 7b500e74 metrics: use buildinfo collector from new collectors pkg (#4187)
- 2a810946 reverseproxy: Always remove hop-by-hop headers

# caddy v2.4.3 (2021-06-17T20:02:23+00:00)

Guess what: this is our 100th release! :tada: :partying_face: :confetti_ball:

A bug fix for the bug fix, and a couple other bug fixes, including one security fix for PHP sites. We think all users should upgrade after giving it a whirl in their test environments.
Please note some changes in this patch:

- :warning: **In `reverse_proxy`, the `max_idle_conns_per_host` option has been removed (both Caddyfile and JSON).** This may be a breaking change for a few of you, but it only breaks configs that relied on a bug. Instead of silently failing, you will get an error if you continue using the property. For Caddyfile, we basically renamed the property to `keepalive_idle_conns_per_host`. In JSON, we simply removed the property, and you should instead set `keep_alive/max_idle_conns_per_host` if you weren't already. Previously, the Caddyfile subdirective set both MaxConnsPerHost and MaxIdleConnsPerHost, which was confusing; and the JSON properties overwrote each other, so one was removed. Issue #4201.
- **:shield: Security patch** in the FastCGI transport that now sanitizes paths against directory traversal outside the site root. PR #4207.
- **:bug: Fix canonicalization redirects in `file_server`.** v2.4.2 introduced a bugfix (#4179) for these redirects when used inside `handle_path` (i.e. rewriting the path by stripping a prefix), but caused a regression for many other use cases. This release includes a proper fix for all known, tested cases. Basically: these redirects are not issued if the filename of a path was rewritten internally. Issue #4205.

## Changelog

- 9d4ed3a3 caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
- e8ae80ad fileserver: Don't persist parsed template (fix #4202)
- fbd65609 fileserver: Only redirect if filename not rewritten (fix #4205)
- 32c284b5 reverseproxy: Adjust test related to #4201
- 7c68809f reverseproxy: Fix overwriting of max_idle_conns_per_host (closes #4201)

# caddy v2.4.4 (2021-08-30T23:10:42+00:00)

This release contains numerous bug fixes, updated dependencies, and QoL improvements. Thanks to all contributors, and a special thanks to @francislavoie and @Mohammed90 for their dedication in helping to maintain the project and help others.
## Changelog

- 0bdb8aa8 acmeserver: Don't set host for directory links by default
- 2de7e14e acmeserver: Trim slashes from path prefix
- c131339c admin: Implement load_interval to pull config on a timer (#4246)
- a10910f3 admin: Sync server variables (fix #4260) (#4274)
- 51f125bd caddyfile: Better error message for missing site block braces (#4301)
- d74913f8 caddyfile: Error on invalid site addresses containing comma (#4302)
- b6f51254 caddyfile: keep error chain info in Dispenser.Errf (#4233)
- 1c6c7714 caddyhttp: Fix edgecase with auto HTTP->HTTPS logic (#4243)
- 42e140b1 caddyhttp: Fix incorrect determination of gRPC protocol (#4236)
- c1cd192e caddyhttp: Updated the documentation for MatchQuery (#4295)
- 81e53180 caddytls: Remove "IssuerRaw" field
- ce5a45db cmd: Fix paths when using an env file (#4296)
- 68c5c716 cmd: New `add-package` and `remove-package` commands (#4226)
- 9e333c39 cmd: use net.ErrClosed for matching returned error (#4289)
- 1b1e625c core: Unix ns and Unix ms time placeholders (#4280)
- 69c91448 encode: Tweak compression settings (#4215)
- 4245ceb6 fileserver: Add `disable_canonical_uris` Caddyfile subdirective (#4222)
- 191dc86f fileserver: Clarify docs about canonicalization
- 9e16e80f fileserver: Fix browse name_dir_first sorting (#4218)
- 885a9aaf go.mod: Update dependencies (close #4216)
- f43fd6f3 go.mod: Upgrade CertMagic to v0.14.4
- 84b906a2 go.mod: Upgrade some dependencies
- ab32440b httpcaddyfile: Add shortcut for proxy hostport placeholder (#4263)
- b3d35a49 httpcaddyfile: Don't put localhost in public APs (fix #4220)
- 569ecdbd httpcaddyfile: Ensure hosts to skip for logs can always be collected (#4258)
- bfbc459c httpcaddyfile: Improve unrecognized directive errors
- 403732c4 httpcaddyfile: Reorder some directives (#4311)
- 46d99aba logging: Add missing interface guards for replace filter (#4244)
- 124ba1ba logging: Prep for `common_log` removal (#4149)
- 8a974a4f logging: Warn for deprecated single_field encoder
- e6c29ce0 reverseproxy: Incorporate latest proxy changes from stdlib (#4266)
- d8822110 reverseproxy: Keep path to unix socket as dial address (#4232)
- f70a7578 reverseproxy: Remove redundant flushing (#4299)

# caddy v2.4.5 (2021-09-03T18:54:23+00:00)

A hotfix for a regression introduced in v2.4.4 related to combining the `encode` and `reverse_proxy` directives.

## Changelog

- 9f6393c6 cmd: export CaddyVersion(), Commands() (#4316)
- 4ebf100f encode: ignore flushing until after first write (#4318)
- 46ab93be go.mod: Update CertMagic

# caddy v2.4.6 (2021-11-08T21:47:28+00:00)

This release contains bug fixes and minor enhancements, including [one patch](https://github.com/caddyserver/caddy/pull/4407) with potential security implications related to path matching.

Notable patches:

- Path matchers unescape/clean URI paths to normalize match space
- Fix regex matching in `map` handler

Notable enhancements:

- `try_files` can now accept `=nnn` (e.g. `=404`) to yield a status code instead of a file.
- Template actions `httpError` (stop eval and return HTTP error) and `import` (like `include` but changes template context) were added
- New placeholder `{http.request.tls.client.certificate_der_base64}`

## Changelog

- 749e55c7 caddycmd: Add `--keep-backup` to upgrade commands (#4387)
- 062657d0 caddycmd: Add `--skip-standard` to `list-modules` command, quieter output (#4386)
- be5f77e8 caddycmd: fix caddy validate/fmt help message (#4377)
- 907e2d8d caddyhttp: Add support for triggering errors from `try_files` (#4346)
- cbb045a1 caddyhttp: Placeholder for client cert in DER + base64 format (#4241)
- e7457b43 caddyhttp: Sanitize the path before evaluating path matchers (#4407)
- 837cdc56 caddyhttp: reverseproxy: clarify warning for -insecure (#4379)
- 24fda751 caddytls: Mark storage clean timestamp at end of routine (#4401)
- a779e1b3 fastcgi: Fix Caddyfile parsing when `handle_response` is used (#4342)
- 3f2c3ecf fastcgi: Implement `try_files` override in Caddyfile directive (#4347)
- 64f8b557 fileserver: Fix compression breaks using httpInclude (#4352) (#4358)
- d3a02599 fileserver: Fix displayed file size if it is symlink (#4354)
- 0a5f7a67 fileserver: Make file listing links purple once visited (#4356)
- a21d5a00 fileserver: Prevent focusing filter from scrolling on page load (#4393)
- 33c70f41 fileserver: properly handle escaped/non-ascii paths (#4332)
- c4790d7f go.mod: Carefully upgrade some dependencies (fix #4251)
- 997e41de go.mod: Replace promptui with Apache-compatible fork (fix #4394)
- f376a38b go.mod: Update ACMEz and CertMagic
- a4372066 headers: Canonicalize case in replace (fix #4330)
- 012d2353 httpcaddyfile: Empty tls policy for internal http localhost (#4398)
- 0ffb2229 httpcaddyfile: Preserve IPv6 addresses through normalization (fix #4381)
- a2119c09 map: Fix 95c03506 (avoid repeated expansions)
- 95c03506 map: Fix regex mappings
- 3336faf2 reverseproxy: Log error at error level (fix #4360)
- b0920615 reverseproxy: Prevent copying the response if a response handler ran (#4388)
- f73f55db reverseproxy: Sanitize scheme and host on incoming requests (#4237)
- 5fda9610 templates: Add 'import' action (#4321)
- 16f75212 templates: Add tests for funcInclude and funcImport (#4357)
- 2392478b templates: Propagate httpError to HTTP response

# caddy v2.5.0-beta.1 (2022-03-09T22:29:20+00:00)

Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed.

**:warning: This is a beta version. Please try it out! It needs to be used and tested for regressions. Let us know if there are any issues.**

Documentation on the website will be [updated soon](https://github.com/caddyserver/website/pull/216). Feel free to ask on the [forum](https://caddy.community) if you have any questions or feedback!
## Highlights

- **Reverse proxy:** [:sparkles: _Dynamic upstreams_](https://github.com/caddyserver/caddy/pull/4470), which is the ability to get the list of upstreams at every request (more specifically, every iteration in the proxy loop of every request) rather than just once at config-load time. Dynamic upstream modules can be plugged in to provide Caddy with the latest list of backends in real-time. Two standard modules have been implemented which can get upstreams from SRV and A/AAAA record lookups.
  - :warning: This deprecates the `lookup_srv` JSON field for upstreams (and `srv+` scheme prefix in the Caddyfile), which will be removed in the future.
- **Automatic HTTPS:** Caddy will automatically try to get relevant certificates from the local [Tailscale](https://tailscale.com) instance (if running with permission to access the Tailscale socket). This makes services running on a Tailscale network [automatically available](https://github.com/caddyserver/caddy/pull/4541) over trusted HTTPS with Caddy.
- **Tracing:** New [OpenTelemetry](https://opentelemetry.io/) integration with the [`tracing` handler module and associated `tracing` directive](https://github.com/caddyserver/caddy/pull/4361).
- **Reverse proxy:** When using the response handlers, a new handler `copy_response` is available to copy the proxy's response back to the client, and `copy_response_headers` may be used to selectively copy header values from the proxy's response.
- **API:** Added new endpoints `/pki/ca/<id>` and `/pki/ca/<id>/certificates` for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates.

## Notable

- **Reverse proxy:** The `X-Forwarded-Host` header will now be automatically set, along with `X-Forwarded-For` and `X-Forwarded-Proto`.
- :warning: **Reverse proxy:** Incoming `X-Forwarded-*` headers will no longer be automatically trusted, to prevent spoofing. Now, `trusted_proxies` must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's [list of IP ranges](https://www.cloudflare.com/en-ca/ips/).
- **Automatic HTTPS:** Revoked certificates will be automatically [replaced more reliably](https://github.com/caddyserver/certmagic/pull/166).
- **Automatic HTTPS:** [Can now get certificates from _Managers_.](https://github.com/caddyserver/caddy/pull/4541) As opposed to _Issuers_ (such as the default ACME issuers) which give Caddy certificates to manage from a CSR, Managers give Caddy certificates to serve (rather than manage) during TLS handshakes.
- **Automatic HTTPS:** A DNS challenge [domain override](https://github.com/caddyserver/caddy/issues/4071) can be configured to delegate the solving of the challenge to a different domain.
- **Reverse proxy:** The default dial timeout for the HTTP transport [has been adjusted](https://github.com/caddyserver/caddy/pull/4436) down to `3s` (was `10s`), which should allow for more easily configuring load balancing retries.
- **Logging:** HTTP access logs will now [render empty values](https://github.com/caddyserver/caddy/commit/7d5047c1f190421528695e1cc3a4ad71c97eb022) for often-sensitive HTTP headers such as Cookie, Authorization, and Proxy-Authorization. Logging such credentials is now [opt-in](https://github.com/caddyserver/caddy/commit/5bf0adad8748e96e10529d5fc5777afc9236a7b5) with the `log_credentials` global option in the Caddyfile, or the server's `logs > should_log_credentials` field in JSON.
- **Logging:** Logs can now be filtered by [query string parameters](https://github.com/caddyserver/caddy/commit/bcac2beee7e419f8cdab2ed16f388d1af282a46b), [cookie values](https://github.com/caddyserver/caddy/commit/8887adb027982e844965b4707b8595cee5845d54), and [regular expressions](https://github.com/caddyserver/caddy/commit/789efa5deef53071b57479d37e4022bf372c4eef); and log values can be [hashed](https://github.com/caddyserver/caddy/commit/a1b417c832b4ab3dab9eaa9690e1d07672a949b8). These features are useful for redacting sensitive information. - **Logging:** Errors during request handling [will now be logged at `DEBUG` level](https://github.com/caddyserver/caddy/pull/4429) if the error was [handled via `errors` routes](https://github.com/caddyserver/caddy/pull/4584) (`handle_errors` in Caddyfile). - :warning: **Logging:** Removed the [deprecated](https://github.com/caddyserver/caddy/issues/4148) `common_log` field from HTTP access logs, and the `single_field` encoder. If you relied on this, you may use the [format encoder plugin](https://github.com/caddyserver/format-encoder) to encode logs in Common Log format. - :warning: **Logging:** The `remote_addr` field [has been replaced](https://github.com/caddyserver/caddy/commit/f55b123d63132e290789bcd07077375c76b6e1dd) by `remote_ip` and `remote_port` fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for some tooling which only expect an IP address, without a port. - **HTTP server:** The [`vars` matcher](https://github.com/caddyserver/caddy/commit/ecac03cdcb6cceae743aac16faca7f32e5da1607) can now match on multiple possible values. - **HTTP server:** Requests [can now be assigned](https://github.com/caddyserver/caddy/commit/180ae0cc4843ecc3c7ddcb6e978ebfd474ed07f9) a random and unique UUID from the new `{http.request.uuid}` placeholder. 
- **HTTP server:** [New `http_redirect` listener wrapper](https://github.com/caddyserver/caddy/pull/4585) which can be used to redirect HTTP requests that come in on a server listening for HTTPS requests to be redirected to `https://`. - **Caddyfile:** [New `default_bind` global option](https://github.com/caddyserver/caddy/pull/4531) lets you specify the default interface all sockets should bind to. - **Caddyfile:** [New `pki` global option](https://github.com/caddyserver/caddy/pull/4450) lets you configure the properties of the internal CAs managed by Caddy. - **Caddyfile:** [New `method` directive](https://github.com/caddyserver/caddy/pull/4528) allows rewriting the request method via Caddyfile. - :warning: **Caddyfile:** The `reverse_proxy` directive's `handle_response` subdirective has had its status replacement functionality [moved to a new `replace_status`](https://github.com/caddyserver/caddy/pull/4300) subdirective. This makes sure that the functionality of `handle_response` is not overloaded, and usage is clearer. - :warning: **Admin:** [Renamed](https://github.com/caddyserver/caddy/commit/bc447e307f195b80eeec0f6157e0d8e641af9155) experimental property `load_interval` :arrow_right: `load_delay` for clarification, and improved dynamic config loading. --- :shield: Thanks to [David Leadbeater](https://github.com/dgl) for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release. 
## New Contributors

* @adamburgess made their first contribution in https://github.com/caddyserver/caddy/pull/4460
* @12f23eddde made their first contribution in https://github.com/caddyserver/caddy/pull/4444
* @rayjlinden made their first contribution in https://github.com/caddyserver/caddy/pull/4023
* @GallopingKylin made their first contribution in https://github.com/caddyserver/caddy/pull/4522
* @ForestJohnson made their first contribution in https://github.com/caddyserver/caddy/pull/4534
* @VojtechVitek made their first contribution in https://github.com/caddyserver/caddy/pull/4535
* @Ikke made their first contribution in https://github.com/caddyserver/caddy/pull/4544
* @YourTechBud made their first contribution in https://github.com/caddyserver/caddy/pull/4603
* @BitWuehler made their first contribution in https://github.com/caddyserver/caddy/pull/4597
* @ttys3 made their first contribution in https://github.com/caddyserver/caddy/pull/4572
* @crccw made their first contribution in https://github.com/caddyserver/caddy/pull/4596
* @andriikushch made their first contribution in https://github.com/caddyserver/caddy/pull/4361

## Changelog

* 2e46c2ac admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#4482)
* 40b54434 admin: Enforce and refactor origin checking
* b4bfa29b admin: Require identity for remote (fix #4478)
* 32aad909 admin: Write proper status on invalid requests (#4569) (fix #4561)
* ff137d17 caddyconfig: Support placeholders in HTTP loader
* b47af6ef caddyfile: Copy input before parsing (fix #4422)
* e90d7517 caddyfile: improve fmt warning message (#4444)
* 5e5af50e caddyfile: make renew_interval option configurable (#4451)
* ddbb234d caddyhttp: Always log handled errors at debug level (#4584)
* 6b385a36 caddyhttp: Don't attempt to manage Tailscale certs
* ecac03cd caddyhttp: Enhance vars matcher (#4433)
* 6e6ce2be caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)
* 3fe2c73d caddyhttp: Fix `MatchPath` sanitizing (#4499)
* 44e5e9e4 caddyhttp: Fix test when /tmp/etc already exists (#4544)
* 2bb8550a caddyhttp: Honor wildcard hosts in log SkipHosts (#4606)
* 180ae0cc caddyhttp: Implement http.request.uuid placeholder (#4285)
* 7d5047c1 caddyhttp: Log empty value for typical password headers
* eead3373 caddyhttp: Log non-500 handler errors at debug level (#4429)
* 5bf0adad caddyhttp: Make logging of credential headers opt-in (#4438)
* 186fdba9 caddyhttp: Move HTTP redirect listener to an optional module (#4585)
* 80d7a356 caddyhttp: Redirect HTTP requests on the HTTPS port to https:// (#4313)
* bf380d00 caddyhttp: Reject absurd methods (#4538)
* 850e1605 caddyhttp: Return HTTP 421 for mismatched Host header (#4023)
* f55b123d caddyhttp: Split up logged remote address into IP and port (#4403)
* ac14b64e caddyhttp: Support zone identifiers in remote_ip matcher (#4597)
* a1c41210 caddypki: Minor tweak, don't use context pointer
* 78e381b2 caddypki: Refactor /pki/ admin endpoints
* c634bbe9 caddypki: Return error if no PEM data found
* 9b7cdfa2 caddypki: Try to fix lint warnings
* a79b4055 caddytls: Add internal Caddyfile `lifetime`, `sign_with_root` opts (#4513)
* 66de438a caddytls: Fix `MatchRemoteIP` provisioning with multiple CIDR ranges (#4522)
* 57a708d1 caddytls: Support external certificate Managers (like Tailscale) (#4541)
* d9b1d463 caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* 1a7a78a1 cmd: Print error if fmt overwrite fails (fix #4524)
* bc447e30 core: Config LoadInterval -> LoadDelay for clarity
* 7ea5b2a8 core: Config load interval only reloads if changed (#4603)
* 7f364c77 core: Load config at interval instead of just once
* a72acd21 core: Retry dynamic config load if config unchanged
* ceef70db core: Retry dynamic config load if error or no-op (#4603)
* acbee947 core: Revert 7f364c7; simplify dynamic config load
* 64a3218f core: Simplify shared listeners, fix deadline bug
* 8e5aafa5 fastcgi: Fix a TODO, prevent zap using reflection for logging env (#4437)
* c8f2834b fastcgi: Protect against requests with null bytes in the path (#4614)
* de490c7c fastcgi: Set SERVER_PORT to 80 or 443 depending on scheme (#4572)
* 09ba9e99 fileserver: Add `pass_thru` Caddyfile option (#4613)
* 15c95e9d fileserver: Canonical redir when whole path is stripped (#4549)
* c8b5a816 fileserver: Fix handling of symlink sizes in directory listings (#4415)
* e81369e2 fileserver: Move default browse template into a separate file (#4417)
* 1e10f6f7 fileserver: browse: do not encode the paths in breadcrumbs and page title (#4410)
* 78b5356f fileserver: do not double-escape paths (#4447)
* 0de51593 go.mod: Revert version bump of CEL (#4587)
* 6f9b6ad7 go.mod: Update smallstep/certificates, no longer need replace (#4475)
* 4906b935 go.mod: Update smallstep/truststore, fix build on FreeBSD (#4473)
* c1331534 go.mod: Update to latest smallstep/truststore, support FreeBSD (#4453)
* ff74a0aa go.mod: Upgrade dependencies
* e9dde230 headers: Fix `+` in Caddyfile to properly append rather than set (#4506)
* 1b7ff5d7 httpcaddyfile: Add `default_bind` global option (#4531)
* 5a071568 httpcaddyfile: Add pki app `root` and `intermediate` cert/key config (#4514)
* 26d633ba httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)
* 93a7a45e httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)
* 81ee34e9 httpcaddyfile: Fix sorting edgecase for nested `handle_path` (#4477)
* 4b9849c7 httpcaddyfile: Support configuring `pki` app names via global options (#4450)
* 5bd96a6a httpcaddyfile: Support explicitly turning off `strict_sni_host` (#4592)
* c921e082 logging: Add `roll_local_time` Caddyfile option (#4583)
* 0eb0b60f logging: Remove common_log field and single_field encoder (#4149) (#4282)
* 249adc1c logging: Support turning off roll compression via Caddyfile (#4505)
* 8887adb0 logging: add a filter for cookies (#4425)
* bcac2bee logging: add a filter for query parameters (#4424)
* 789efa5d logging: add a regexp filter (#4426)
* a1b417c8 logging: add support for hashing data (#4434)
* eb891d46 metrics: Enforce smaller set of method labels
* c04d24ca pki: Avoid provisioning the `local` CA when not necessary (#4463)
* bbad6931 pki: Implement API endpoints for certs and `caddy trust` (#4443)
* 9ee68c1b reverseproxy: Adjust defaults, document defaults (#4436)
* 7557d1d9 reverseproxy: Avoid returning a `nil` error during GetClientCertificate (#4550)
* ab045592 reverseproxy: Dynamic upstreams (with SRV and A/AAAA support) (#4470)
* 5333c352 reverseproxy: Fix incorrect `health_headers` Caddyfile parsing (#4485)
* c50094fc reverseproxy: Implement trusted proxies for `X-Forwarded-*` headers (#4507)
* f5e10494 reverseproxy: Make shallow-ish clone of the request (#4551)
* 87a1f228 reverseproxy: Move status replacement intercept to `replace_status` (#4300)
* d058dee1 reverseproxy: Refactor dial address parsing, augment command parsing (#4616)
* c7d6c4cb reverseproxy: copy_response and copy_response_headers for handle_response routes (#4391)
* bcb7a19c rewrite: Add `method` Caddyfile directive (#4528)
* 1feb6595 rewrite: Fix a double-encode issue when using the `{uri}` placeholder (#4516)
* 6cadb60f templates: Document .OriginalReq
* 1d0425b2 templates: Elaborate on what's supported by the markdown function (#4564)
* a6199cf8 templates: Fix docs for .Args
* ec14ccdd templates: fix inconsistent nested includes (#4452)
* d0b608af tracing: New OpenTelemetry module (#4361)

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.4.6...v2.5.0-beta.1

2022-03-09T22:29:20+00:00

caddy v2.5.0-rc.1
2022-04-13T18:56:51+00:00

Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed.

**:warning: This is a release candidate version. We think it's stable enough to use in production, but we want to be extra sure, so please try it out!
It needs to be used and tested for regressions. Let us know if there are any issues.**

Documentation on the website has mostly been updated (JSON docs will be last). Feel free to ask on the [forum](https://caddy.community) if you have any questions or feedback!

## Highlights

- **Reverse proxy:** [:sparkles: _Dynamic upstreams_](https://github.com/caddyserver/caddy/pull/4470), which is the ability to get the list of upstreams at every request (more specifically, every iteration in the proxy loop of every request) rather than just once at config-load time. Dynamic upstream modules can be plugged in to provide Caddy with the latest list of backends in real-time. Two standard modules have been implemented which can get upstreams from SRV and A/AAAA record lookups.
  - :warning: This deprecates the `lookup_srv` JSON field for upstreams (and the `srv+` scheme prefix in the Caddyfile), which will be removed in the future.
- **Automatic HTTPS:** Caddy will automatically try to get relevant certificates from the local [Tailscale](https://tailscale.com) instance (if running with permission to access the Tailscale socket). This makes services running on a Tailscale network [automatically available](https://github.com/caddyserver/caddy/pull/4541) over trusted HTTPS with Caddy.
- **Tracing:** New [OpenTelemetry](https://opentelemetry.io/) integration with the [`tracing` handler module and associated `tracing` directive](https://github.com/caddyserver/caddy/pull/4361).
- **Reverse proxy:** When using the response handlers, a new handler `copy_response` is available to copy the proxy's response back to the client, and `copy_response_headers` may be used to selectively copy header values from the proxy's response.
- **API:** Added new endpoints `/pki/ca/<id>` and `/pki/ca/<id>/certificates` for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates.

## Notable

- **Reverse proxy:** The `X-Forwarded-Host` header will now be automatically set, along with `X-Forwarded-For` and `X-Forwarded-Proto`.
- :warning: **Reverse proxy:** Incoming `X-Forwarded-*` headers will no longer be automatically trusted, to prevent spoofing. Now, `trusted_proxies` must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's [list of IP ranges](https://www.cloudflare.com/en-ca/ips/).
- **Automatic HTTPS:** Revoked certificates will be automatically [replaced more reliably](https://github.com/caddyserver/certmagic/pull/166).
- **Automatic HTTPS:** [Can now get certificates from _Managers_.](https://github.com/caddyserver/caddy/pull/4541) As opposed to _Issuers_ (such as the default ACME issuers), which give Caddy certificates to manage from a CSR, Managers give Caddy certificates to serve (rather than manage) during TLS handshakes.
- **Automatic HTTPS:** A DNS challenge [domain override](https://github.com/caddyserver/caddy/issues/4071) can be configured to delegate the solving of the challenge to a different domain.
- **Reverse proxy:** The default dial timeout for the HTTP transport [has been adjusted](https://github.com/caddyserver/caddy/pull/4436) down to `3s` (was `10s`), which should make load balancing retries easier to configure.
- **Logging:** HTTP access logs will now [render empty values](https://github.com/caddyserver/caddy/commit/7d5047c1f190421528695e1cc3a4ad71c97eb022) for often-sensitive HTTP headers such as Cookie, Authorization, and Proxy-Authorization. Logging such credentials is now [opt-in](https://github.com/caddyserver/caddy/commit/5bf0adad8748e96e10529d5fc5777afc9236a7b5) with the `log_credentials` global option in the Caddyfile, or the server's `logs > should_log_credentials` field in JSON.
- **Logging:** Logs can now be filtered by [query string parameters](https://github.com/caddyserver/caddy/commit/bcac2beee7e419f8cdab2ed16f388d1af282a46b), [cookie values](https://github.com/caddyserver/caddy/commit/8887adb027982e844965b4707b8595cee5845d54), and [regular expressions](https://github.com/caddyserver/caddy/commit/789efa5deef53071b57479d37e4022bf372c4eef); and log values can be [hashed](https://github.com/caddyserver/caddy/commit/a1b417c832b4ab3dab9eaa9690e1d07672a949b8). These features are useful for redacting sensitive information.
- **Logging:** Errors during request handling [will now be logged at `DEBUG` level](https://github.com/caddyserver/caddy/pull/4429) if the error was [handled via `errors` routes](https://github.com/caddyserver/caddy/pull/4584) (`handle_errors` in the Caddyfile).
- :warning: **Logging:** Removed the [deprecated](https://github.com/caddyserver/caddy/issues/4148) `common_log` field from HTTP access logs, and the `single_field` encoder. If you relied on this, you may use the [transform encoder plugin](https://github.com/caddyserver/transform-encoder) to encode logs in Common Log format.
- :warning: **Logging:** The `remote_addr` field [has been replaced](https://github.com/caddyserver/caddy/commit/f55b123d63132e290789bcd07077375c76b6e1dd) by `remote_ip` and `remote_port` fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for tooling which expects only an IP address, without a port.
- **HTTP server:** The [`vars` matcher](https://github.com/caddyserver/caddy/commit/ecac03cdcb6cceae743aac16faca7f32e5da1607) can now match on multiple possible values.
- **HTTP server:** Requests [can now be assigned](https://github.com/caddyserver/caddy/commit/180ae0cc4843ecc3c7ddcb6e978ebfd474ed07f9) a random and unique UUID from the new `{http.request.uuid}` placeholder.
- **HTTP server:** [New `http_redirect` listener wrapper](https://github.com/caddyserver/caddy/pull/4585) which redirects plain HTTP requests that arrive on a server listening for HTTPS to `https://`.
- **Caddyfile:** [New `default_bind` global option](https://github.com/caddyserver/caddy/pull/4531) lets you specify the default interface all sockets should bind to.
- **Caddyfile:** [New `pki` global option](https://github.com/caddyserver/caddy/pull/4450) lets you configure the properties of the internal CAs managed by Caddy.
- **Caddyfile:** [New `method` directive](https://github.com/caddyserver/caddy/pull/4528) allows rewriting the request method via the Caddyfile.
- :warning: **Caddyfile:** The `reverse_proxy` directive's `handle_response` subdirective has had its status replacement functionality [moved to a new `replace_status`](https://github.com/caddyserver/caddy/pull/4300) subdirective. This makes sure that the functionality of `handle_response` is not overloaded, and usage is clearer.
- :warning: **Admin:** [Renamed](https://github.com/caddyserver/caddy/commit/bc447e307f195b80eeec0f6157e0d8e641af9155) experimental property `load_interval` :arrow_right: `load_delay` for clarification, and improved dynamic config loading.

---

:shield: Thanks to [David Leadbeater](https://github.com/dgl) for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release.
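The `trusted_proxies` change in the Notable list above (the same change is described in the v2.5.0-beta.1 and v2.5.0 entries) is easiest to reason about with the decision written out. The following Go program is an added example for these notes, not Caddy's own code: it implements the policy the notes describe with a hypothetical `TrustedProxies` type, two Cloudflare-style ranges, and a handful of constructed peer addresses and header values as input.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Added example, not Caddy's own code. It implements the X-Forwarded-* policy
// described in the 2.5 release notes: incoming X-Forwarded-For/Host/Proto are
// believed only when the TCP peer that delivered them is inside a trusted
// range; otherwise they are rebuilt from what this hop observed itself.

// TrustedProxies is the set of downstream proxy ranges we believe
// (the hypothetical counterpart of the trusted_proxies setting).
type TrustedProxies struct {
	prefixes []netip.Prefix
}

// NewTrustedProxies parses CIDR strings such as "173.245.48.0/20".
func NewTrustedProxies(cidrs []string) (*TrustedProxies, error) {
	tp := &TrustedProxies{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("trusted_proxies: bad CIDR %q: %w", c, err)
		}
		tp.prefixes = append(tp.prefixes, p)
	}
	return tp, nil
}

// Trusts reports whether addr falls inside any trusted range.
func (tp *TrustedProxies) Trusts(addr netip.Addr) bool {
	for _, p := range tp.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// Forwarded holds the X-Forwarded-* values that will be sent upstream.
type Forwarded struct {
	For, Host, Proto string
}

// ClientIP is the first hop in the For chain: the client as vouched for by
// the trusted proxies, or the direct peer when nothing was trusted.
func (f Forwarded) ClientIP() string {
	first, _, _ := strings.Cut(f.For, ",")
	return strings.TrimSpace(first)
}

// ComputeForwarded derives the outgoing values from the TCP peer ("ip:port"),
// the incoming headers, the request Host, and whether this hop used TLS.
func ComputeForwarded(tp *TrustedProxies, remoteAddr string, hdr http.Header, reqHost string, tlsUsed bool) Forwarded {
	out := Forwarded{For: remoteAddr, Host: reqHost, Proto: "http"}
	if tlsUsed {
		out.Proto = "https"
	}
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		// Not a routable ip:port (e.g. a unix socket peer): nothing to trust.
		return out
	}
	peer := ap.Addr().Unmap()
	out.For = peer.String()
	if !tp.Trusts(peer) {
		// Untrusted peer: whatever it claimed in X-Forwarded-* is discarded.
		return out
	}
	// Trusted peer: keep its chain and append the peer itself to it.
	var chain []string
	for _, v := range hdr.Values("X-Forwarded-For") {
		if v = strings.TrimSpace(v); v != "" {
			chain = append(chain, v)
		}
	}
	out.For = strings.Join(append(chain, peer.String()), ", ")
	if v := hdr.Get("X-Forwarded-Proto"); v != "" {
		out.Proto = v
	}
	if v := hdr.Get("X-Forwarded-Host"); v != "" {
		out.Host = v
	}
	return out
}

func main() {
	// Constructed trusted ranges, shaped like two of Cloudflare's blocks.
	tp, err := NewTrustedProxies([]string{"173.245.48.0/20", "2400:cb00::/32"})
	if err != nil {
		panic(err)
	}
	hdr := http.Header{} // constructed headers presented by the peer
	hdr.Set("X-Forwarded-For", "203.0.113.7")
	hdr.Set("X-Forwarded-Proto", "https")
	hdr.Set("X-Forwarded-Host", "admin.internal")
	// A direct client forging the headers: all three are ignored.
	fmt.Printf("untrusted peer: %+v\n", ComputeForwarded(tp, "198.51.100.9:44321", hdr, "example.com", false))
	// The same headers delivered by a trusted hop: honoured, peer appended.
	fmt.Printf("trusted peer:   %+v\n", ComputeForwarded(tp, "173.245.48.10:5555", hdr, "example.com", false))
}
```

The first line of output shows a direct client's forged `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Host` being discarded; the second shows the same headers honoured because they arrived from a trusted range, with the peer appended to the chain. The list given to `trusted_proxies` should be exactly the set of hops that can reach Caddy and nothing broader: a range that also contains untrusted hosts lets them spoof whatever is keyed on the forwarded client address, such as access logs or IP-based access control.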
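The access-log changes above (credential headers blanked unless `log_credentials` is set, plus the new cookie, query and hash filters) can be exercised offline on a constructed log line. This Go program is an added example written for these notes, not Caddy's filter implementation; the `Policy` type, its field names and the 8-hex-character hash length are this example's own choices, and the JSON record it processes is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not Caddy's log-filter implementation. It applies the
// access-log redaction policy from the 2.5 release notes to one JSON log
// line: credential headers are blanked unless logging them is opted in, a
// named cookie value is replaced by a short hash, and a query parameter is
// deleted from the logged URI. Policy and its field names are this example's
// own; the JSON record in main is constructed.

// credentialHeaders are the headers the notes say are blanked by default.
var credentialHeaders = []string{"Cookie", "Authorization", "Proxy-Authorization"}

// Policy is the hypothetical configuration: the should_log_credentials
// switch plus two of the field filters.
type Policy struct {
	LogCredentials bool     // false: credential headers are logged as ""
	HashCookies    []string // cookie names whose values are replaced by a hash
	DeleteQuery    []string // query keys dropped from the logged URI
}

func isCredential(name string) bool {
	for _, h := range credentialHeaders {
		if strings.EqualFold(name, h) {
			return true
		}
	}
	return false
}

// ShortHash keeps the first 4 bytes (8 hex chars) of SHA-256: enough to
// correlate a session across log lines, not enough to recover the value.
func ShortHash(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:4])
}

// FilterCookies hashes the named cookies inside a raw Cookie header value.
func FilterCookies(raw string, hashNames []string) string {
	parts := strings.Split(raw, ";")
	for i, p := range parts {
		name, val, ok := strings.Cut(strings.TrimSpace(p), "=")
		if !ok {
			parts[i] = strings.TrimSpace(p)
			continue
		}
		for _, h := range hashNames {
			if name == h {
				val = ShortHash(val)
			}
		}
		parts[i] = name + "=" + val
	}
	return strings.Join(parts, "; ")
}

// FilterQuery removes the given keys from the query string of a logged URI.
func FilterQuery(uri string, del []string) string {
	u, err := url.Parse(uri)
	if err != nil {
		return uri
	}
	q := u.Query()
	for _, k := range del {
		q.Del(k)
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// Redact applies p to a JSON access-log line and returns the filtered line;
// fields it does not know about pass through untouched.
func Redact(line []byte, p Policy) ([]byte, error) {
	var rec map[string]any
	if err := json.Unmarshal(line, &rec); err != nil {
		return nil, err
	}
	req, _ := rec["request"].(map[string]any)
	if req == nil {
		return line, nil
	}
	if uri, ok := req["uri"].(string); ok {
		req["uri"] = FilterQuery(uri, p.DeleteQuery)
	}
	hdrs, _ := req["headers"].(map[string]any)
	for name, v := range hdrs {
		vals, _ := v.([]any)
		for i, raw := range vals {
			s, _ := raw.(string)
			switch {
			case isCredential(name) && !p.LogCredentials:
				vals[i] = "" // the default: render an empty value
			case strings.EqualFold(name, "Cookie"):
				vals[i] = FilterCookies(s, p.HashCookies)
			}
		}
	}
	return json.Marshal(rec)
}

func main() {
	// Constructed access-log line in the shape of Caddy's JSON access log.
	line := []byte(`{"status":200,"request":{"uri":"/login?user=bob&token=abc123","headers":{"Cookie":["session=s3cret; theme=dark"],"Authorization":["Bearer xyz"],"User-Agent":["curl"]}}}`)
	p := Policy{DeleteQuery: []string{"token"}, HashCookies: []string{"session"}}
	out, err := Redact(line, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("default:        ", string(out))
	p.LogCredentials = true
	out, _ = Redact(line, p)
	fmt.Println("log_credentials:", string(out))
}
```

With the default policy the Cookie and Authorization values are emitted as empty strings and the `token` parameter disappears from the URI; with credentials opted in, the session cookie is still only logged as a short hash, which is the point of combining the opt-in with a filter rather than relying on either alone.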
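The security fix credited at the end of the Notable list concerns the cardinality of the `method` label in Caddy's metrics (the changelog entries "Reject absurd methods" and "Enforce smaller set of method labels"). This Go program is an added illustration of the general defence, not Caddy's code: a closed set of label values with everything else collapsed to `OTHER`, and a length and character check that rejects junk methods before they are counted. The 32-byte limit and the `RequestCounter` stand-in for a metrics registry are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Caddy's code. It bounds the cardinality of the `method`
// label in per-request metrics. Without a bound, a client that sends a fresh
// method name on every request mints a new label value, and each distinct
// label value is a new time series the metrics registry must keep in memory.

// knownMethods is the closed set of label values that are ever emitted.
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "PATCH": true,
	"DELETE": true, "CONNECT": true, "OPTIONS": true, "TRACE": true,
}

// maxMethodLen is this example's assumption for "absurd": longer tokens are
// rejected before any handler or metric sees them.
const maxMethodLen = 32

// ValidMethod reports whether m is a well-formed HTTP token (RFC 9110 tchar
// characters only) of sane length.
func ValidMethod(m string) bool {
	if m == "" || len(m) > maxMethodLen {
		return false
	}
	for i := 0; i < len(m); i++ {
		c := m[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// MethodLabel maps any method outside the known set to the single value
// "OTHER", so the label can take at most len(knownMethods)+1 values.
func MethodLabel(m string) string {
	u := strings.ToUpper(m)
	if knownMethods[u] {
		return u
	}
	return "OTHER"
}

// RequestCounter stands in for a counter vector keyed by the method label;
// each map key is one time series.
type RequestCounter struct {
	series map[string]int
}

func NewRequestCounter() *RequestCounter {
	return &RequestCounter{series: map[string]int{}}
}

// Observe records one request. It reports false when the method is rejected
// outright, in which case nothing is counted.
func (c *RequestCounter) Observe(method string) bool {
	if !ValidMethod(method) {
		return false
	}
	c.series[MethodLabel(method)]++
	return true
}

// Series is the number of distinct label values currently held.
func (c *RequestCounter) Series() int { return len(c.series) }

// MaxSeries is the hard ceiling on Series() regardless of traffic.
func MaxSeries() int { return len(knownMethods) + 1 }

func main() {
	c := NewRequestCounter()
	// Constructed attacker traffic: a unique, syntactically valid method per request.
	for i := 0; i < 10000; i++ {
		c.Observe(fmt.Sprintf("M%d", i))
	}
	c.Observe("GET")
	c.Observe("post")
	fmt.Printf("series in use: %d (ceiling %d)\n", c.Series(), MaxSeries())
	fmt.Printf("200-byte method rejected: %v\n", !c.Observe(strings.Repeat("A", 200)))
}
```

Ten thousand distinct methods end up in one `OTHER` series, so memory is bounded by the size of the allow-list rather than by what clients send. The same reasoning applies to any label derived from request data (paths, hosts, status text): either map it onto a closed set or do not make it a label.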
## New Contributors

* @adamburgess made their first contribution in https://github.com/caddyserver/caddy/pull/4460
* @12f23eddde made their first contribution in https://github.com/caddyserver/caddy/pull/4444
* @rayjlinden made their first contribution in https://github.com/caddyserver/caddy/pull/4023
* @GallopingKylin made their first contribution in https://github.com/caddyserver/caddy/pull/4522
* @ForestJohnson made their first contribution in https://github.com/caddyserver/caddy/pull/4534
* @VojtechVitek made their first contribution in https://github.com/caddyserver/caddy/pull/4535
* @Ikke made their first contribution in https://github.com/caddyserver/caddy/pull/4544
* @YourTechBud made their first contribution in https://github.com/caddyserver/caddy/pull/4603
* @BitWuehler made their first contribution in https://github.com/caddyserver/caddy/pull/4597
* @ttys3 made their first contribution in https://github.com/caddyserver/caddy/pull/4572
* @crccw made their first contribution in https://github.com/caddyserver/caddy/pull/4596
* @andriikushch made their first contribution in https://github.com/caddyserver/caddy/pull/4361
* @renbou made their first contribution in https://github.com/caddyserver/caddy/pull/4654
* @cuishuang made their first contribution in https://github.com/caddyserver/caddy/pull/4702

## Changelog

* 2e46c2ac admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#4482)
* 40b54434 admin: Enforce and refactor origin checking
* b4bfa29b admin: Require identity for remote (fix #4478)
* 32aad909 admin: Write proper status on invalid requests (#4569) (fix #4561)
* ff137d17 caddyconfig: Support placeholders in HTTP loader
* b47af6ef caddyfile: Copy input before parsing (fix #4422)
* e90d7517 caddyfile: improve fmt warning message (#4444)
* 5e5af50e caddyfile: make renew_interval option configurable (#4451)
* ddbb234d caddyhttp: Always log handled errors at debug level (#4584)
* 6b385a36 caddyhttp: Don't attempt to manage Tailscale certs
* ecac03cd caddyhttp: Enhance vars matcher (#4433)
* 6e6ce2be caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)
* 3fe2c73d caddyhttp: Fix `MatchPath` sanitizing (#4499)
* 44e5e9e4 caddyhttp: Fix test when /tmp/etc already exists (#4544)
* 2bb8550a caddyhttp: Honor wildcard hosts in log SkipHosts (#4606)
* 180ae0cc caddyhttp: Implement http.request.uuid placeholder (#4285)
* 7d5047c1 caddyhttp: Log empty value for typical password headers
* eead3373 caddyhttp: Log non-500 handler errors at debug level (#4429)
* 5bf0adad caddyhttp: Make logging of credential headers opt-in (#4438)
* 186fdba9 caddyhttp: Move HTTP redirect listener to an optional module (#4585)
* 80d7a356 caddyhttp: Redirect HTTP requests on the HTTPS port to https:// (#4313)
* bf380d00 caddyhttp: Reject absurd methods (#4538)
* 850e1605 caddyhttp: Return HTTP 421 for mismatched Host header (#4023)
* f55b123d caddyhttp: Split up logged remote address into IP and port (#4403)
* ac14b64e caddyhttp: Support zone identifiers in remote_ip matcher (#4597)
* a1c41210 caddypki: Minor tweak, don't use context pointer
* 78e381b2 caddypki: Refactor /pki/ admin endpoints
* c634bbe9 caddypki: Return error if no PEM data found
* 9b7cdfa2 caddypki: Try to fix lint warnings
* a79b4055 caddytls: Add internal Caddyfile `lifetime`, `sign_with_root` opts (#4513)
* 66de438a caddytls: Fix `MatchRemoteIP` provisioning with multiple CIDR ranges (#4522)
* 57a708d1 caddytls: Support external certificate Managers (like Tailscale) (#4541)
* d9b1d463 caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* 1a7a78a1 cmd: Print error if fmt overwrite fails (fix #4524)
* bc447e30 core: Config LoadInterval -> LoadDelay for clarity
* 7ea5b2a8 core: Config load interval only reloads if changed (#4603)
* 7f364c77 core: Load config at interval instead of just once
* a72acd21 core: Retry dynamic config load if config unchanged
* ceef70db core: Retry dynamic config load if error or no-op (#4603)
* acbee947 core: Revert 7f364c7; simplify dynamic config load
* 64a3218f core: Simplify shared listeners, fix deadline bug
* 8e5aafa5 fastcgi: Fix a TODO, prevent zap using reflection for logging env (#4437)
* c8f2834b fastcgi: Protect against requests with null bytes in the path (#4614)
* de490c7c fastcgi: Set SERVER_PORT to 80 or 443 depending on scheme (#4572)
* 09ba9e99 fileserver: Add `pass_thru` Caddyfile option (#4613)
* 15c95e9d fileserver: Canonical redir when whole path is stripped (#4549)
* c8b5a816 fileserver: Fix handling of symlink sizes in directory listings (#4415)
* e81369e2 fileserver: Move default browse template into a separate file (#4417)
* 1e10f6f7 fileserver: browse: do not encode the paths in breadcrumbs and page title (#4410)
* 78b5356f fileserver: do not double-escape paths (#4447)
* 0de51593 go.mod: Revert version bump of CEL (#4587)
* 6f9b6ad7 go.mod: Update smallstep/certificates, no longer need replace (#4475)
* 4906b935 go.mod: Update smallstep/truststore, fix build on FreeBSD (#4473)
* c1331534 go.mod: Update to latest smallstep/truststore, support FreeBSD (#4453)
* ff74a0aa go.mod: Upgrade dependencies
* e9dde230 headers: Fix `+` in Caddyfile to properly append rather than set (#4506)
* 1b7ff5d7 httpcaddyfile: Add `default_bind` global option (#4531)
* 5a071568 httpcaddyfile: Add pki app `root` and `intermediate` cert/key config (#4514)
* 26d633ba httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)
* 93a7a45e httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)
* 81ee34e9 httpcaddyfile: Fix sorting edgecase for nested `handle_path` (#4477)
* 4b9849c7 httpcaddyfile: Support configuring `pki` app names via global options (#4450)
* 5bd96a6a httpcaddyfile: Support explicitly turning off `strict_sni_host` (#4592)
* c921e082 logging: Add `roll_local_time` Caddyfile option (#4583)
* 0eb0b60f logging: Remove common_log field and single_field encoder (#4149) (#4282)
* 249adc1c logging: Support turning off roll compression via Caddyfile (#4505)
* 8887adb0 logging: add a filter for cookies (#4425)
* bcac2bee logging: add a filter for query parameters (#4424)
* 789efa5d logging: add a regexp filter (#4426)
* a1b417c8 logging: add support for hashing data (#4434)
* eb891d46 metrics: Enforce smaller set of method labels
* c04d24ca pki: Avoid provisioning the `local` CA when not necessary (#4463)
* bbad6931 pki: Implement API endpoints for certs and `caddy trust` (#4443)
* 9ee68c1b reverseproxy: Adjust defaults, document defaults (#4436)
* 7557d1d9 reverseproxy: Avoid returning a `nil` error during GetClientCertificate (#4550)
* ab045592 reverseproxy: Dynamic upstreams (with SRV and A/AAAA support) (#4470)
* 5333c352 reverseproxy: Fix incorrect `health_headers` Caddyfile parsing (#4485)
* c50094fc reverseproxy: Implement trusted proxies for `X-Forwarded-*` headers (#4507)
* f5e10494 reverseproxy: Make shallow-ish clone of the request (#4551)
* 87a1f228 reverseproxy: Move status replacement intercept to `replace_status` (#4300)
* d058dee1 reverseproxy: Refactor dial address parsing, augment command parsing (#4616)
* c7d6c4cb reverseproxy: copy_response and copy_response_headers for handle_response routes (#4391)
* bcb7a19c rewrite: Add `method` Caddyfile directive (#4528)
* 1feb6595 rewrite: Fix a double-encode issue when using the `{uri}` placeholder (#4516)
* 6cadb60f templates: Document .OriginalReq
* 1d0425b2 templates: Elaborate on what's supported by the markdown function (#4564)
* a6199cf8 templates: Fix docs for .Args
* ec14ccdd templates: fix inconsistent nested includes (#4452)
* d0b608af tracing: New OpenTelemetry module (#4361)
* 134b8056 caddyfile: Prevent bad block opening tokens (#4655)
* c5fffb4a caddyfile: Support for raw token values; improve `map`, `expression` (#4643)
* b82e22b4 caddyhttp: retain all values of vars matcher when specified multiple times (#4629)
* bc15b4b0 caddypki: Load intermediate for signing on-the-fly (#4669)
* 6512832f cmd: Add `--diff` option for `caddy fmt` (#4695)
* 30b6d1f4 cmd: Enhance .env (dotenv) file parsing
* 22d8edb9 cmd: Fix defaulting admin address if empty in config, fixes `reload` (#4674)
* c2327161 cmd: Set Origin header properly on API requests
* d06d0e79 go.mod: Upgrade CertMagic to v0.16.0
* bf6a1b75 go.mod: Upgrade some dependencies
* 79cbe7bf httpcaddyfile: Add 'vars' directive
* a58f240d httpcaddyfile: Fix #4640 (auto-HTTPS edgecase) (#4661)
* 7d229665 logging: Caddyfile support for `duration_format` (#4684)
* 55b4c12e map: Evaluate placeholders in output vals (#4650)
* 93c99f67 map: Support numeric and bool types with Caddyfile
* 3d616e8c requestbody: Return HTTP 413 (fix #4558)
* 3e3bb002 reverseproxy: Add `_ms` placeholders for proxy durations (#4666)
* 2196c92c reverseproxy: Don't clear name in SRV upstreams
* dc4d1473 reverseproxy: Expand SRV/A addrs for cache key
* b8dbecb8 reverseproxy: Include port in A upstreams cache
* e4ce40f8 reverseproxy: Sync up `handleUpgradeResponse` with stdlib (#4664)
* afca2421 staticfiles: Expand placeholder for index files (#4679)
* 00234c8a templates: Switch to `BurntSushi/toml` (#4700)

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.4.6...v2.5.0-rc.1

2022-04-13T18:56:51+00:00

caddy v2.5.0
2022-04-25T17:34:35+00:00

Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed! Feel free to ask on the [forum](https://caddy.community) if you have any questions or feedback.

## Highlights

- **Reverse proxy:** [:sparkles: _Dynamic upstreams_](https://github.com/caddyserver/caddy/pull/4470), which is the ability to get the list of upstreams at every request (more specifically, every iteration in the proxy loop of every request) rather than just once at config-load time. Dynamic upstream modules can be plugged in to provide Caddy with the latest list of backends in real-time.
Two standard modules have been implemented which can get upstreams from SRV and A/AAAA record lookups. - :warning: This deprecates the `lookup_srv` JSON field for upstreams (and `srv+` scheme prefix in the Caddyfile), which will be removed in the future. - **Automatic HTTPS:** Caddy will automatically try to get relevant certificates from the local [Tailscale](https://tailscale.com) instance (if running with permission to access the Tailscale socket). This makes services running on a Tailscale network [automatically available](https://github.com/caddyserver/caddy/pull/4541) over trusted HTTPS with Caddy. - **Tracing:** New [OpenTelemetry](https://opentelemetry.io/) integration with the [`tracing` handler module and associated `tracing` directive](https://github.com/caddyserver/caddy/pull/4361). - **Reverse proxy:** When using the response handlers, a new handler `copy_response` is available to copy the proxy's response back to the client, and `copy_response_headers` may be used to selectively copy header values from the proxy's response. - **API:** Added new endpoints `/pki/ca/<id>` and `/pki/ca/<id>/certificates` for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates. ## Notable - **Reverse proxy:** The `X-Forwarded-Host` header will now be automatically set, along with `X-Forwarded-For` and `X-Forwarded-Proto`. - :warning: **Reverse proxy:** Incoming `X-Forwarded-*` headers will no longer be automatically trusted, to prevent spoofing. Now, `trusted_proxies` must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's [list of IP ranges](https://www.cloudflare.com/en-ca/ips/). 
- **Automatic HTTPS:** Revoked certificates will be automatically [replaced more reliably](https://github.com/caddyserver/certmagic/pull/166).
- **Automatic HTTPS:** [Can now get certificates from _Managers_.](https://github.com/caddyserver/caddy/pull/4541) As opposed to _Issuers_ (such as the default ACME issuers), which give Caddy certificates to manage from a CSR, Managers give Caddy certificates to serve (rather than manage) during TLS handshakes.
- **Automatic HTTPS:** A DNS challenge [domain override](https://github.com/caddyserver/caddy/issues/4071) can be configured to delegate the solving of the challenge to a different domain.
- **Automatic HTTPS:** The DNS challenge propagation checks can now be delayed by setting `propagation_delay`, or disabled by setting `propagation_timeout` to -1.
- **Reverse proxy:** The default dial timeout for the HTTP transport [has been adjusted](https://github.com/caddyserver/caddy/pull/4436) down to `3s` (was `10s`), which should make load balancing retries easier to configure.
- **Logging:** HTTP access logs will now [render empty values](https://github.com/caddyserver/caddy/commit/7d5047c1f190421528695e1cc3a4ad71c97eb022) for often-sensitive HTTP headers such as Cookie, Authorization, and Proxy-Authorization. Logging such credentials is now [opt-in](https://github.com/caddyserver/caddy/commit/5bf0adad8748e96e10529d5fc5777afc9236a7b5) with the `log_credentials` global option in the Caddyfile, or the server's `logs > should_log_credentials` field in JSON.
- **Logging:** Logs can now be filtered by [query string parameters](https://github.com/caddyserver/caddy/commit/bcac2beee7e419f8cdab2ed16f388d1af282a46b), [cookie values](https://github.com/caddyserver/caddy/commit/8887adb027982e844965b4707b8595cee5845d54), and [regular expressions](https://github.com/caddyserver/caddy/commit/789efa5deef53071b57479d37e4022bf372c4eef); and log values can be [hashed](https://github.com/caddyserver/caddy/commit/a1b417c832b4ab3dab9eaa9690e1d07672a949b8). These features are useful for redacting sensitive information.
- **Logging:** Errors during request handling [will now be logged at `DEBUG` level](https://github.com/caddyserver/caddy/pull/4429) if the error was [handled via `errors` routes](https://github.com/caddyserver/caddy/pull/4584) (`handle_errors` in the Caddyfile).
- :warning: **Logging:** Removed the [deprecated](https://github.com/caddyserver/caddy/issues/4148) `common_log` field from HTTP access logs, and the `single_field` encoder. If you relied on this, you may use the [transform encoder plugin](https://github.com/caddyserver/transform-encoder) to encode logs in Common Log format.
- :warning: **Logging:** The `remote_addr` field [has been replaced](https://github.com/caddyserver/caddy/commit/f55b123d63132e290789bcd07077375c76b6e1dd) by `remote_ip` and `remote_port` fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for tooling which only expects an IP address, without a port.
- **HTTP server:** The [`vars` matcher](https://github.com/caddyserver/caddy/commit/ecac03cdcb6cceae743aac16faca7f32e5da1607) can now match on multiple possible values.
- **HTTP server:** Requests [can now be assigned](https://github.com/caddyserver/caddy/commit/180ae0cc4843ecc3c7ddcb6e978ebfd474ed07f9) a random and unique UUID from the new `{http.request.uuid}` placeholder.
- **HTTP server:** [New `http_redirect` listener wrapper](https://github.com/caddyserver/caddy/pull/4585) which redirects plain HTTP requests that arrive on a server listening for HTTPS to `https://`.
- :warning: **Caddyfile:** [Deprecated paths in site addresses.](https://github.com/caddyserver/caddy/pull/4728) Prefer using path matchers within your site block instead.
- **Caddyfile:** [New `default_bind` global option](https://github.com/caddyserver/caddy/pull/4531) lets you specify the default interface all sockets should bind to.
- **Caddyfile:** [New `pki` global option](https://github.com/caddyserver/caddy/pull/4450) lets you configure the properties of the internal CAs managed by Caddy.
- **Caddyfile:** [New `method` directive](https://github.com/caddyserver/caddy/pull/4528) allows rewriting the request method via the Caddyfile.
- :warning: **Caddyfile:** The `reverse_proxy` directive's `handle_response` subdirective has had its status replacement functionality [moved to a new `replace_status`](https://github.com/caddyserver/caddy/pull/4300) subdirective. This makes sure that the functionality of `handle_response` is not overloaded, and usage is clearer.
- **Caddyfile:** The `map` directive [now casts outputs](https://github.com/caddyserver/caddy/commit/93c99f67342504efe9f6b58a734aaec3929fe785) to the appropriate scalar type if possible (int, float, bool). If you need to force a string, you may use double quotes or backticks ([#4643](https://github.com/caddyserver/caddy/pull/4643)).
- **Caddyfile:** [New `vars` directive](https://github.com/caddyserver/caddy/commit/79cbe7bfd06565d0e7ab0717119f78960ed54c08) allows setting some variables during request handling for later use in another handler or matcher.
- **Caddyfile:** The Caddyfile adapter [is now stricter](https://github.com/caddyserver/caddy/pull/4655) about curly braces for block openers to try to prevent parsing ambiguities.
- **Caddyfile:** The `caddy fmt` CLI command now has a [`--diff` option](https://github.com/caddyserver/caddy/pull/4695) which lets you visually see the formatting differences.
- :warning: **Admin:** [Renamed](https://github.com/caddyserver/caddy/commit/bc447e307f195b80eeec0f6157e0d8e641af9155) experimental property `load_interval` :arrow_right: `load_delay` for clarification, and improved dynamic config loading.

---

:shield: Thanks to [David Leadbeater](https://github.com/dgl) for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release.

## New Contributors

* @adamburgess made their first contribution in https://github.com/caddyserver/caddy/pull/4460
* @12f23eddde made their first contribution in https://github.com/caddyserver/caddy/pull/4444
* @rayjlinden made their first contribution in https://github.com/caddyserver/caddy/pull/4023
* @GallopingKylin made their first contribution in https://github.com/caddyserver/caddy/pull/4522
* @ForestJohnson made their first contribution in https://github.com/caddyserver/caddy/pull/4534
* @VojtechVitek made their first contribution in https://github.com/caddyserver/caddy/pull/4535
* @Ikke made their first contribution in https://github.com/caddyserver/caddy/pull/4544
* @YourTechBud made their first contribution in https://github.com/caddyserver/caddy/pull/4603
* @BitWuehler made their first contribution in https://github.com/caddyserver/caddy/pull/4597
* @ttys3 made their first contribution in https://github.com/caddyserver/caddy/pull/4572
* @crccw made their first contribution in https://github.com/caddyserver/caddy/pull/4596
* @andriikushch made their first contribution in https://github.com/caddyserver/caddy/pull/4361
* @renbou made their first contribution in https://github.com/caddyserver/caddy/pull/4654
* @cuishuang made their first contribution in https://github.com/caddyserver/caddy/pull/4702

## Changelog

* 2e46c2ac admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#4482)
* 40b54434 admin: Enforce and refactor origin checking
* b4bfa29b admin: Require identity for remote (fix #4478)
* 32aad909 admin: Write proper status on invalid requests (#4569) (fix #4561)
* ff137d17 caddyconfig: Support placeholders in HTTP loader
* b47af6ef caddyfile: Copy input before parsing (fix #4422)
* e90d7517 caddyfile: improve fmt warning message (#4444)
* 5e5af50e caddyfile: make renew_interval option configurable (#4451)
* ddbb234d caddyhttp: Always log handled errors at debug level (#4584)
* 6b385a36 caddyhttp: Don't attempt to manage Tailscale certs
* ecac03cd caddyhttp: Enhance vars matcher (#4433)
* 6e6ce2be caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)
* 3fe2c73d caddyhttp: Fix `MatchPath` sanitizing (#4499)
* 44e5e9e4 caddyhttp: Fix test when /tmp/etc already exists (#4544)
* 2bb8550a caddyhttp: Honor wildcard hosts in log SkipHosts (#4606)
* 180ae0cc caddyhttp: Implement http.request.uuid placeholder (#4285)
* 7d5047c1 caddyhttp: Log empty value for typical password headers
* eead3373 caddyhttp: Log non-500 handler errors at debug level (#4429)
* 5bf0adad caddyhttp: Make logging of credential headers opt-in (#4438)
* 186fdba9 caddyhttp: Move HTTP redirect listener to an optional module (#4585)
* 80d7a356 caddyhttp: Redirect HTTP requests on the HTTPS port to https:// (#4313)
* bf380d00 caddyhttp: Reject absurd methods (#4538)
* 850e1605 caddyhttp: Return HTTP 421 for mismatched Host header (#4023)
* f55b123d caddyhttp: Split up logged remote address into IP and port (#4403)
* ac14b64e caddyhttp: Support zone identifiers in remote_ip matcher (#4597)
* a1c41210 caddypki: Minor tweak, don't use context pointer
* 78e381b2 caddypki: Refactor /pki/ admin endpoints
* c634bbe9 caddypki: Return error if no PEM data found
* 9b7cdfa2 caddypki: Try to fix lint warnings
* a79b4055 caddytls: Add internal Caddyfile `lifetime`, `sign_with_root` opts (#4513)
* 77a77c02 caddytls: Add `propagation_delay`, support `propagation_timeout -1` (#4723)
* 66de438a caddytls: Fix `MatchRemoteIP` provisioning with multiple CIDR ranges (#4522)
* 57a708d1 caddytls: Support external certificate Managers (like Tailscale) (#4541)
* d9b1d463 caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* 1a7a78a1 cmd: Print error if fmt overwrite fails (fix #4524)
* bc447e30 core: Config LoadInterval -> LoadDelay for clarity
* 7ea5b2a8 core: Config load interval only reloads if changed (#4603)
* 7f364c77 core: Load config at interval instead of just once
* a72acd21 core: Retry dynamic config load if config unchanged
* ceef70db core: Retry dynamic config load if error or no-op (#4603)
* acbee947 core: Revert 7f364c7; simplify dynamic config load
* 64a3218f core: Simplify shared listeners, fix deadline bug
* 8e5aafa5 fastcgi: Fix a TODO, prevent zap using reflection for logging env (#4437)
* c8f2834b fastcgi: Protect against requests with null bytes in the path (#4614)
* de490c7c fastcgi: Set SERVER_PORT to 80 or 443 depending on scheme (#4572)
* 09ba9e99 fileserver: Add `pass_thru` Caddyfile option (#4613)
* 15c95e9d fileserver: Canonical redir when whole path is stripped (#4549)
* c8b5a816 fileserver: Fix handling of symlink sizes in directory listings (#4415)
* e81369e2 fileserver: Move default browse template into a separate file (#4417)
* 1e10f6f7 fileserver: browse: do not encode the paths in breadcrumbs and page title (#4410)
* 78b5356f fileserver: do not double-escape paths (#4447)
* 0de51593 go.mod: Revert version bump of CEL (#4587)
* 6f9b6ad7 go.mod: Update smallstep/certificates, no longer need replace (#4475)
* 4906b935 go.mod: Update smallstep/truststore, fix build on FreeBSD (#4473)
* c1331534 go.mod: Update to latest smallstep/truststore, support FreeBSD (#4453)
* ff74a0aa go.mod: Upgrade dependencies
* e9dde230 headers: Fix `+` in Caddyfile to properly append rather than set (#4506)
* 1b7ff5d7 httpcaddyfile: Add `default_bind` global option (#4531)
* a8bb4a66 httpcaddyfile: Add `{vars.*}` placeholder shortcut, reverse `vars` sort order (#4726)
* 5a071568 httpcaddyfile: Add pki app `root` and `intermediate` cert/key config (#4514)
* 3a1e0dbf httpcaddyfile: Deprecate paths in site addresses; use zap logs (#4728)
* 26d633ba httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)
* 93a7a45e httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)
* 81ee34e9 httpcaddyfile: Fix sorting edgecase for nested `handle_path` (#4477)
* 4b9849c7 httpcaddyfile: Support configuring `pki` app names via global options (#4450)
* 5bd96a6a httpcaddyfile: Support explicitly turning off `strict_sni_host` (#4592)
* c921e082 logging: Add `roll_local_time` Caddyfile option (#4583)
* 0eb0b60f logging: Remove common_log field and single_field encoder (#4149) (#4282)
* 249adc1c logging: Support turning off roll compression via Caddyfile (#4505)
* 8887adb0 logging: add a filter for cookies (#4425)
* bcac2bee logging: add a filter for query parameters (#4424)
* 789efa5d logging: add a regexp filter (#4426)
* a1b417c8 logging: add support for hashing data (#4434)
* eb891d46 metrics: Enforce smaller set of method labels
* c04d24ca pki: Avoid provisioning the `local` CA when not necessary (#4463)
* bbad6931 pki: Implement API endpoints for certs and `caddy trust` (#4443)
* 9ee68c1b reverseproxy: Adjust defaults, document defaults (#4436)
* 7557d1d9 reverseproxy: Avoid returning a `nil` error during GetClientCertificate (#4550)
* ab045592 reverseproxy: Dynamic upstreams (with SRV and A/AAAA support) (#4470)
* 5333c352 reverseproxy: Fix incorrect `health_headers` Caddyfile parsing (#4485)
* c50094fc reverseproxy: Implement trusted proxies for `X-Forwarded-*` headers (#4507)
* f5e10494 reverseproxy: Make shallow-ish clone of the request (#4551)
* 87a1f228 reverseproxy: Move status replacement intercept to `replace_status` (#4300)
* d058dee1 reverseproxy: Refactor dial address parsing, augment command parsing (#4616)
* c7d6c4cb reverseproxy: copy_response and copy_response_headers for handle_response routes (#4391)
* bcb7a19c rewrite: Add `method` Caddyfile directive (#4528)
* 1feb6595 rewrite: Fix a double-encode issue when using the `{uri}` placeholder (#4516)
* 6cadb60f templates: Document .OriginalReq
* 1d0425b2 templates: Elaborate on what's supported by the markdown function (#4564)
* a6199cf8 templates: Fix docs for .Args
* ec14ccdd templates: fix inconsistent nested includes (#4452)
* d0b608af tracing: New OpenTelemetry module (#4361)
* 134b8056 caddyfile: Prevent bad block opening tokens (#4655)
* c5fffb4a caddyfile: Support for raw token values; improve `map`, `expression` (#4643)
* b82e22b4 caddyhttp: retain all values of vars matcher when specified multiple times (#4629)
* bc15b4b0 caddypki: Load intermediate for signing on-the-fly (#4669)
* 6512832f cmd: Add `--diff` option for `caddy fmt` (#4695)
* 30b6d1f4 cmd: Enhance .env (dotenv) file parsing
* 22d8edb9 cmd: Fix defaulting admin address if empty in config, fixes `reload` (#4674)
* c2327161 cmd: Set Origin header properly on API requests
* d06d0e79 go.mod: Upgrade CertMagic to v0.16.0
* bf6a1b75 go.mod: Upgrade some dependencies
* 79cbe7bf httpcaddyfile: Add 'vars' directive
* a58f240d httpcaddyfile: Fix #4640 (auto-HTTPS edgecase) (#4661)
* 7d229665 logging: Caddyfile support for `duration_format` (#4684)
* 55b4c12e map: Evaluate placeholders in output vals (#4650)
* 93c99f67 map: Support numeric and bool types with Caddyfile
* 3d616e8c requestbody: Return HTTP 413 (fix #4558)
* 3e3bb002 reverseproxy: Add `_ms` placeholders for proxy durations (#4666)
* 2196c92c reverseproxy: Don't clear name in SRV upstreams
* dc4d1473 reverseproxy: Expand SRV/A addrs for cache key
* b8dbecb8 reverseproxy: Include port in A upstreams cache
* e4ce40f8 reverseproxy: Sync up `handleUpgradeResponse` with stdlib (#4664)
* afca2421 staticfiles: Expand placeholder for index files (#4679)
* 00234c8a templates: Switch to `BurntSushi/toml` (#4700)

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.4.6...v2.5.0

2022-04-25T17:34:35+00:00

caddy v2.5.1 (2022-05-06T17:23:16+00:00)

This is a minor patch release that fixes some bugs and also enhances `reverse_proxy` with capabilities that weren't ready in time for v2.5.0.

### Highlights

- Fixed regression in Unix socket admin endpoints.
- Fixed regression in `caddy trust` commands.
- Hash-based load balancing policies (ip_hash, uri_hash, header, and cookie) use an improved highest-random-weight (HRW) algorithm for increased consistency. The new rendezvous hash will ensure a client or request is _consistently_ mapped to a particular upstream even if the list of upstreams changes.
- The reverse proxy is now able to rewrite the method and URI on its internal copy of the request that goes to the upstream. Combined with new `handle_response` capabilities, this enables the reverse proxy to fire off ["pre-check requests"](https://github.com/caddyserver/caddy/pull/4739) (for lack of a better term) to make routing decisions based on the results of that call. This enables a commonly-emerging pattern called _forward authentication_ wherein a backend is queried to assess a client's authorization to be proxied. The [full, verbose config for this](https://github.com/caddyserver/caddy/pull/4739#issuecomment-1113901951) is very flexible but tedious, so we made a new wrapper directive called `forward_auth` that eliminates the boilerplate (very similar to the [`php_fastcgi` directive](https://caddyserver.com/docs/caddyfile/directives/php_fastcgi#expanded-form)):

```
forward_auth authelia:9091 {
	uri /api/verify?rd=https://auth.example.com
	copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
```

This works with authentication providers like Authelia, and more.
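The rendezvous (HRW) selection described in the highlights above, as an added example that is not Caddy's own code: every (key, upstream) pair gets an independent score and the highest-scoring available upstream wins, so taking one upstream out of the pool only remaps the keys that were on it. The `Upstream` type, the SHA-256 scoring function and the sample addresses are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Upstream is a constructed stand-in for a reverse_proxy backend.
type Upstream struct {
	Dial string
}

// hrwScore returns the weight of one (key, upstream) pair. It depends only
// on that pair, so adding or removing other upstreams never changes it.
// SHA-256 is an assumption for this example; the page does not say which
// hash Caddy uses.
func hrwScore(key, dial string) uint64 {
	h := sha256.New()
	h.Write([]byte(key))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write([]byte(dial))
	return binary.BigEndian.Uint64(h.Sum(nil)[:8])
}

// SelectHRW returns the available upstream with the highest score for key,
// or nil when nothing is available (the proxy would then fail the request).
func SelectHRW(key string, pool []Upstream, available func(Upstream) bool) *Upstream {
	var best *Upstream
	var bestScore uint64
	for i := range pool {
		u := &pool[i]
		if !available(*u) {
			continue
		}
		if s := hrwScore(key, u.Dial); best == nil || s > bestScore {
			best, bestScore = u, s
		}
	}
	return best
}

// Remapped simulates one upstream going away and reports how many keys
// changed upstream versus how many were on the removed upstream to begin
// with. With rendezvous hashing the two counts are equal: nobody else moves.
// The pool is assumed to contain at least one upstream besides the removed one.
func Remapped(keys []string, pool []Upstream, removed string) (moved, onRemoved int) {
	all := func(Upstream) bool { return true }
	without := func(u Upstream) bool { return u.Dial != removed }
	for _, k := range keys {
		before := SelectHRW(k, pool, all)
		after := SelectHRW(k, pool, without)
		if before.Dial == removed {
			onRemoved++
		}
		if after == nil || before.Dial != after.Dial {
			moved++
		}
	}
	return moved, onRemoved
}

// SampleKeys builds n constructed client addresses to use as hash keys.
func SampleKeys(n int) []string {
	keys := make([]string, 0, n)
	for i := 0; i < n; i++ {
		keys = append(keys, fmt.Sprintf("192.0.2.%d:%d", i%256, 1024+i))
	}
	return keys
}

func main() {
	pool := []Upstream{{"10.0.0.1:8080"}, {"10.0.0.2:8080"}, {"10.0.0.3:8080"}}
	moved, onRemoved := Remapped(SampleKeys(1000), pool, "10.0.0.2:8080")
	fmt.Printf("upstream removed: %d keys moved, %d were on it\n", moved, onRemoved)
}
```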
## What's Changed

* caddypki: Fix `caddy trust` command to use the correct API endpoint by @francislavoie in https://github.com/caddyserver/caddy/pull/4730
* reverseproxy: Improve hashing LB policies with HRW by @mholt in https://github.com/caddyserver/caddy/pull/4724
* Add missing backticks by @mahgoh in https://github.com/caddyserver/caddy/pull/4737
* caddyhttp: Improve listen addr error message for IPv6 by @francislavoie in https://github.com/caddyserver/caddy/pull/4740
* cmd: Fix unix socket addresses for admin API requests by @francislavoie in https://github.com/caddyserver/caddy/pull/4742
* logging: Use `RedirectStdLog` by @francislavoie in https://github.com/caddyserver/caddy/pull/4732
* logging: Implement rename filter, changes field key names by @francislavoie in https://github.com/caddyserver/caddy/pull/4745
* httpcaddyfile: Fix duplicate access log when debug is on by @francislavoie in https://github.com/caddyserver/caddy/pull/4746
* reverseproxy: Fix Caddyfile support for `replace_status` by @francislavoie in https://github.com/caddyserver/caddy/pull/4754
* templates: Add custom template function registration by @kroppt in https://github.com/caddyserver/caddy/pull/4757
* reverseproxy: Permit resolver addresses to not specify a port by @francislavoie in https://github.com/caddyserver/caddy/pull/4760
* caddyfile: Shortcut for `remote_ip` for private IP ranges by @francislavoie in https://github.com/caddyserver/caddy/pull/4753
* reverseproxy: Support performing pre-check requests by @francislavoie in https://github.com/caddyserver/caddy/pull/4739
* map: Prevent output destinations overlap with Caddyfile shorthands by @francislavoie in https://github.com/caddyserver/caddy/pull/4657

## New Contributors

* @mahgoh made their first contribution in https://github.com/caddyserver/caddy/pull/4737

## Changelog

* ec86a2f7 caddyfile: Shortcut for `remote_ip` for private IP ranges (#4753)
* dcc98da4 caddyhttp: Improve listen addr error message for IPv6 (#4740)
* d543ad1f caddypki: Fix `caddy trust` command to use the correct API endpoint (#4730)
* 2e4c0915 cmd: Fix unix socket addresses for admin API requests (#4742)
* af732151 httpcaddyfile: Fix duplicate access log when debug is on (#4746)
* 0be3d995 logging: Implement rename filter, changes field key names (#4745)
* 3017b245 logging: Use `RedirectStdLog` to capture more stdlib logs (#4732)
* f7be0ee1 map: Prevent output destinations overlap with Caddyfile shorthands (#4657)
* 4a223f52 reverseproxy: Fix Caddyfile support for `replace_status` (#4754)
* 40b193fb reverseproxy: Improve hashing LB policies with HRW (#4724)
* e7fbee8c reverseproxy: Permit resolver addresses to not specify a port (#4760)
* f6900fcf reverseproxy: Support performing pre-check requests (#4739)
* e84e19a0 templates: Add custom template function registration (#4757)
* 3ab64838 templates: Add missing backticks in docs (#4737)

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.5.0...v2.5.1

caddy v2.5.2 (2022-07-12T19:06:28+00:00)

This patch release fixes bugs, adds some new features, and makes worthwhile enhancements. We recommend everyone test and upgrade! Many improvements have been made to the `reverse_proxy` module.

Highlights:

- **New [`/adapt` admin endpoint](https://caddyserver.com/docs/api#post-adapt):** Use your installed config adapters via API in addition to the existing `caddy adapt` CLI command.
- **New `Etag`/`If-Match` support for config API:** Safely update your config concurrently and avoid collisions by using [our unique Etag implementation](https://caddyserver.com/docs/api#concurrent-config-changes).
- **Rename copied headers from reverse_proxy:** If you're using `handle_response`, you can more easily map headers to a different name for clients.
- **Many HTTP matchers have been added to CEL:** You can now use the logic of our HTTP request matchers in CEL expressions.
- **Notable bug fixes:** EAB reuse, various QUIC & HTTP/3 fixes, more specific HTTP status codes, various reverse proxy fixes.

## Changelog

* 660c59b6 admin: Implement /adapt endpoint (close #4465) (#4846)
* ad3a83fb admin: expect quoted ETags (#4879)
* f259ed52 admin: support ETag on config endpoints (#4579)
* 1498132e caddyhttp: Log error from CEL evaluation (fix #4832)
* 0a14f97e caddytls: Make peer certificate verification pluggable (#4389)
* 412dcc07 caddytls: Reuse issuer between PreCheck and Issue (#4866)
* 499ad6d1 core: Micro-optim in run() (#4810)
* c0f76e9e fileserver: Use safe redirects in file browser
* 58e05cab forwardauth: Fix case when `copy_headers` is omitted (#4856)
* 0b6f7643 forwardauth: Support renaming copied headers, block support (#4783)
* 8bac134f go.mod: Bump up quic-go to v0.28.0, fixes for BC breaks (#4867)
* 3d18bc56 go.mod: Update go-yaml to v3
* 56013934 go.mod: Update some dependencies
* 8e6bc360 go.mod: Upgrade some dependencies
* 53c4d788 headers: Only replace known placeholders (#4880)
* 0bcd02d5 headers: Support wildcards for delete ops (close #4830) (#4831)
* 58970cae httpcaddyfile: Add `{err.*}` placeholder shortcut (#4798)
* b687d7b9 httpcaddyfile: Support multiple values for `default_bind` (#4774)
* a9267791 reverseproxy: Add --internal-certs CLI flag #3589 (#4817)
* aaf6794b reverseproxy: Add renegotiation param in TLS client (#4784)
* 54d1923c reverseproxy: Adjust new TLS Caddyfile directive names (#4872)
* 7f9b1f43 reverseproxy: Correct the `tls_server_name` docs (#4827)
* c82fe911 reverseproxy: Dynamic ServerName for TLS upstreams (#4836)
* d6bc9e0b reverseproxy: Err 503 if all upstreams unavailable
* 98468af8 reverseproxy: Fix double headers in response handlers (#4847)
* 25f10511 reverseproxy: Fix panic when TLS is not configured (#4848)
* 5e729c1e reverseproxy: HTTP 504 for upstream timeouts (#4824)
* f9b42c37 reverseproxy: Make TLS renegotiation optional
* b6e96fa3 reverseproxy: Skip TLS for certain configured ports (#4843)
* 57d27c1b reverseproxy: Support http1.1>h2c (close #4777) (#4778)
* 9864b138 reverseproxy: api: Remove misleading 'healthy' value
* 693e9b52 rewrite: Handle fragment before query (fix #4775)
* 6891f7f4 templates: Add `humanize` function (#4767)
* 9e760e2e templates: Documentation consistency (#4796)

## New Contributors

* @nekohasekai made their first contribution in https://github.com/caddyserver/caddy/pull/4782
* @davidbgk made their first contribution in https://github.com/caddyserver/caddy/pull/4796
* @git001 made their first contribution in https://github.com/caddyserver/caddy/pull/4767
* @varianone made their first contribution in https://github.com/caddyserver/caddy/pull/4817
* @Gr33nbl00d made their first contribution in https://github.com/caddyserver/caddy/pull/4389
* @yaslama made their first contribution in https://github.com/caddyserver/caddy/pull/4784
* @kresike made their first contribution in https://github.com/caddyserver/caddy/pull/4836
* @TristonianJones made their first contribution in https://github.com/caddyserver/caddy/pull/4715
* @jhwz made their first contribution in https://github.com/caddyserver/caddy/pull/4579

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.5.1...v2.5.2

caddy v2.6.0-beta.3 (2022-09-05T22:07:59+00:00)

This is the _first beta_ release for Caddy 2.6. Please try it out and report any regressions you notice! Thanks to everyone who helped out! :blush:

Beta 1 and beta 2 were trial runs for our CI upgrades, so this is technically beta 3. There are no code changes from beta 1 to beta 3. Thank you @mohammed90 for figuring out the CI magic!

These are abbreviated release notes. The full release notes (23.5 KB of them, to be precise) will be published with the final 2.6 release, explaining in detail all the new features, enhancements, and bug fixes.
## What's Changed

* reverseproxy: Implement retry count, alternative to try_duration by @francislavoie in https://github.com/caddyserver/caddy/pull/4756
* cmd: Fix reload with stdin by @francislavoie in https://github.com/caddyserver/caddy/pull/4900
* reverseproxy: Implement read & write timeouts for HTTP transport by @mholt in https://github.com/caddyserver/caddy/pull/4905
* ci: Run golangci-lint on multiple os(#4875) by @u5surf in https://github.com/caddyserver/caddy/pull/4913
* caddyhttp: Clear out matcher error immediately after grabbing it by @francislavoie in https://github.com/caddyserver/caddy/pull/4916
* chore: Add .gitattributes to force *.go to LF by @francislavoie in https://github.com/caddyserver/caddy/pull/4919
* core: Windows service integration by @WingLim in https://github.com/caddyserver/caddy/pull/4790
* fileserver: Support virtual file systems by @mholt in https://github.com/caddyserver/caddy/pull/4909
* caddyhttp: Implement `caddy respond` command by @mholt in https://github.com/caddyserver/caddy/pull/4870
* chore: Bump up to Go 1.19, minimum 1.18 by @francislavoie in https://github.com/caddyserver/caddy/pull/4925
* httpserver: Configurable shutdown delay by @mholt in https://github.com/caddyserver/caddy/pull/4906
* cmd: Use newly-available version information by @mholt in https://github.com/caddyserver/caddy/pull/4931
* Replace strings.Index usages with strings.Cut by @WilczynskiT in https://github.com/caddyserver/caddy/pull/4930
* optimization: Replaced strings.Index with strings.Cut by @chir4gm in https://github.com/caddyserver/caddy/pull/4932
* go.mod: Upgrade OpenTelemetry dependencies by @lewandowski-stripe in https://github.com/caddyserver/caddy/pull/4937
* logging: Fix `cookie` filter by @francislavoie in https://github.com/caddyserver/caddy/pull/4943
* reverseproxy: Support 1xx status codes (HTTP early hints) by @dunglas in https://github.com/caddyserver/caddy/pull/4882
* reverseproxy: Fix H2C dialer using new stdlib `DialTLSContext` by @francislavoie in https://github.com/caddyserver/caddy/pull/4951
* reverseproxy: Ignore context cancel in stream mode by @mholt in https://github.com/caddyserver/caddy/pull/4952
* reverseproxy: Add `unix+h2c` Caddyfile network shortcut by @francislavoie in https://github.com/caddyserver/caddy/pull/4953
* caddyhttp: Enable HTTP/3 by default by @mholt in https://github.com/caddyserver/caddy/pull/4707
* fileserver: reset buffer before using it (#4962) by @abdusco in https://github.com/caddyserver/caddy/pull/4963
* caddyhttp: Smarter path matching and rewriting by @mholt in https://github.com/caddyserver/caddy/pull/4948
* core: Change net.IP to netip.Addr; use netip.Prefix by @WilczynskiT in https://github.com/caddyserver/caddy/pull/4966
* caddyhttp: Set `http.error.message` to the HandlerError message by @francislavoie in https://github.com/caddyserver/caddy/pull/4971
* caddyhttp: Fix for nil `handlerErr.Err` by @francislavoie in https://github.com/caddyserver/caddy/pull/4977
* templates: cap of slice should not be smaller than length by @jedy in https://github.com/caddyserver/caddy/pull/4975
* ci: Increase linter timeout by @mholt in https://github.com/caddyserver/caddy/pull/4981
* httpcaddyfile: Add ocsp_interval global option by @benburkert in https://github.com/caddyserver/caddy/pull/4980
* zstd: fix typo in comment by @simon04 in https://github.com/caddyserver/caddy/pull/4985
* admin: Don't stop old server if new one fails by @WeidiDeng in https://github.com/caddyserver/caddy/pull/4964
* reverseproxy: Add upstreams healthy metrics by @david-szabo97 in https://github.com/caddyserver/caddy/pull/4935
* Remove duplicate words in comments by @Abirdcfly in https://github.com/caddyserver/caddy/pull/4986
* cmd: Migrate to `spf13/cobra`, remove single-dash arg support by @mohammed90 in https://github.com/caddyserver/caddy/pull/4565
* cmd: add completion command by @mohammed90 in https://github.com/caddyserver/caddy/pull/4994
* caddyhttp: Set Content-Type for static response by @mholt in https://github.com/caddyserver/caddy/pull/4999
* httpcaddyfile: Add `{cookie.*}` placeholder shortcut by @francislavoie in https://github.com/caddyserver/caddy/pull/5001
* events: Implement event system by @francislavoie in https://github.com/caddyserver/caddy/pull/4912
* core: Plugins can register listener networks by @mholt in https://github.com/caddyserver/caddy/pull/5002
* httpcaddyfile: Add shortcut for expression matchers by @francislavoie in https://github.com/caddyserver/caddy/pull/4976
* caddyhttp: Copy logger config to HTTP server during AutoHTTPS by @francislavoie in https://github.com/caddyserver/caddy/pull/4990
* dist: deb package manpages and bash completion scripts by @mohammed90 in https://github.com/caddyserver/caddy/pull/5007
* fastcgi: allow users to log stderr output (#4967) by @flga in https://github.com/caddyserver/caddy/pull/5004
* templates: Document `httpError` function by @Malankar in https://github.com/caddyserver/caddy/pull/4972
* fastcgi: Optimize FastCGI transport by @WeidiDeng in https://github.com/caddyserver/caddy/pull/4978
* core: Refactor listeners; use SO_REUSEPORT on Unix by @mholt in https://github.com/caddyserver/caddy/pull/4705
* reverseproxy: Close hijacked conns on reload/quit by @mholt in https://github.com/caddyserver/caddy/pull/4895
* ci: generate SBOM and sign artifacts using cosign by @mohammed90 in https://github.com/caddyserver/caddy/pull/4910
* caddyauth: Speed up basicauth provision, deprecate `scrypt` by @francislavoie in https://github.com/caddyserver/caddy/pull/4720
* caddyhttp: Support `respond` with HTTP 103 Early Hints by @mholt in https://github.com/caddyserver/caddy/pull/5006
* fileserver: Support glob expansion in file matcher by @mholt in https://github.com/caddyserver/caddy/pull/4993
* ci: add `id-token` permission and update the signing command by @mohammed90 in https://github.com/caddyserver/caddy/pull/5016
* ci: grant the `release` workflow the `write` permission to `contents` by @mohammed90 in https://github.com/caddyserver/caddy/pull/5017

## New Contributors

* @WingLim made their first contribution in https://github.com/caddyserver/caddy/pull/4790
* @WilczynskiT made their first contribution in https://github.com/caddyserver/caddy/pull/4930
* @chir4gm made their first contribution in https://github.com/caddyserver/caddy/pull/4932
* @lewandowski-stripe made their first contribution in https://github.com/caddyserver/caddy/pull/4937
* @abdusco made their first contribution in https://github.com/caddyserver/caddy/pull/4963
* @jedy made their first contribution in https://github.com/caddyserver/caddy/pull/4975
* @benburkert made their first contribution in https://github.com/caddyserver/caddy/pull/4980
* @WeidiDeng made their first contribution in https://github.com/caddyserver/caddy/pull/4964
* @david-szabo97 made their first contribution in https://github.com/caddyserver/caddy/pull/4935
* @Abirdcfly made their first contribution in https://github.com/caddyserver/caddy/pull/4986
* @flga made their first contribution in https://github.com/caddyserver/caddy/pull/5004
* @Malankar made their first contribution in https://github.com/caddyserver/caddy/pull/4972

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.5.2...v2.6.0-beta.3

caddy v2.6.0-beta.5 (2022-09-18T00:23:34+00:00)

This release and beta.4 are mainly tests of our CI, but also contain a bunch of small fixes and enhancements, including, notably, the use of `sendfile` and other optimizations. See the release notes for beta.3 for everything else until 2.6.0 lands soon. Full release notes coming!
## Changelog

* e6c58fdc caddyfile: Prevent infinite nesting on fmt (fix #4175)
* 9ad0ebc9 caddyhttp: Add 'skip_log' var to omit request from logs (#4691)
* b6cec378 caddyhttp: Add --debug flag to commands
* 61c75f74 caddyhttp: Explicitly disallow multiple regexp matchers (#5030)
* 00beec2e caddyhttp: Fix write header on responseRecorder
* 74547f5b caddyhttp: Make metrics opt-in (#5042)
* 61641828 caddyhttp: Support TLS key logging for debugging (#4808)
* bffc2587 caddyhttp: Support configuring Server from handler provisioning (#4933)
* 20d487be caddyhttp: Very minor optimization to path matcher
* dd9813c6 caddyhttp: ensure ResponseWriterWrapper and ResponseRecorder use ReadFrom if the underlying response writer implements it. (#5022)
* 258071d8 caddytls: Debug log on implicit tailscale error (#5041)
* d35f618b caddytls: Error if placeholder is empty in 'ask'
* 0b3161ae cmd: Customizable user agent (close #2795)
* 1c9c8f6a cmd: Enhance some help text
* 62b06853 cmd: Improve error message if config missing
* 50748e19 core: Check error on ListenQUIC
* e43b6d81 core: Variadic Context.Logger(); soft deprecation
* 48d723c0 encode: Fix Accept-Ranges header; HEAD requests (#5039)
* c19f2072 fileserver: Ignore EOF when browsing empty dir
* c5df7bb6 go.mod: Update truststore
* 8cc8f9fd httpcaddyfile: Add a couple more placeholder shortcuts (#5015)
* a1ad20e4 httpcaddyfile: Fix bind when IPv6 is specified with network (#4950)
* 754fe4f7 httpcaddyfile: Fix sorting of repeated directives
* e338648f reverseproxy: Support repeated --to flags in command (#4693)
* 9fe4f93b supplychain: publish signing cert, sbom, and signatures of sbom (#5027)

caddy v2.6.0 (2022-09-20T18:12:38+00:00)

Caddy 2.6
=========

This is our biggest release since Caddy 2. Caddy 2 changed the way the world serves the Web.
By providing an online config API, automatic HTTPS, unlimited extensibility, certificate automation at scale, modern protocols, sane defaults, and an unrivaled developer experience, we boldly raised the bar for web servers. Now with Caddy 2.6, we're doing it again.

Caddy 2.6 is the first general-purpose web server to seamlessly enable the newly-standardized HTTP/3 protocol for all configurations by default. We've virtualized the file system so you can serve content from anywhere or anything. New event features let you observe and control Caddy's internals with custom actions. Caddy is more useful than ever for developers with its enhanced CLI tooling and features. And it's faster than ever with non-trivial performance improvements.

We think you will love this release.

[Watch the livestream](https://youtu.be/iJZqFpY2D14)

Special dedication
------------------

This release is dedicated to the late Peter Eckersley, who passed away September 2, 2022. Peter is one of the brilliant minds behind Let's Encrypt; his work has benefited billions of people. I met Peter at the Let's Encrypt launch party in a little bar in San Francisco in 2015 and have never forgotten that occasion. He later co-authored a published research paper called [_Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web_](https://jhalderm.com/pub/papers/letsencrypt-ccs19.pdf), which highly espoused Caddy's ACME integration: "We hope to see other popular server software follow Caddy’s lead." We look forward to when other servers do that, and we hope to honor Peter's work and influence which will live on through his memory and the encrypted Web he made possible.

---

[Sponsors](https://github.com/sponsors/mholt)
--------

[ZeroSSL](https://zerossl.com) remains Caddy's executive sponsor. [We were thrilled](https://twitter.com/caddyserver/status/1559591673511813120) to welcome [Stripe](https://stripe.com) recently as an enterprise sponsor!
Other notable sponsors include [AppCove](https://appcove.com/), [Dukaan](https://mydukaan.io/), [Suborbital](https://suborbital.dev), [Tailscale](https://tailscale.com), plus [Bubble](https://bubble.io/) and [GitHub](https://github.com) which both made generous one-time donations. We have many other vital sponsors and donors on which we also rely. [Our sponsors](https://github.com/sponsors/mholt) come from all over the world and include independent professionals, startups, and small companies -- and they are the absolute best. Thank you for making a more secure Web possible!

_Personal note from Matt: Recent life upgrades mean that your sponsorships now sustain a family of 5 so that I can continue to maintain Caddy. Two years ago, I don't think I would have taken this risk because I'd need to find other work to provide for a family. Thank you for coming together as a professional community to make the Caddy project possible!_

We strongly recommend that companies who -- or companies whose customers -- use or benefit from Caddy [become a sponsor](https://github.com/sponsors/mholt) to ensure ongoing maintenance, priority development, private support, and more. Sponsorship tiers can be tailored to your requirements!

Highlights
----------

:warning: **_Don't miss deprecations / breaking changes at the bottom. Notably, if you use metrics, you will now need to turn them on._**

### HTTP/3 is here (#4707)

Caddy now enables [RFC 9114](https://datatracker.ietf.org/doc/rfc9114/)-compliant HTTP/3 by default. The `experimental_http3` option has graduated and been removed. We've removed another experimental option, `allow_h2c`, and individual HTTP versions (`h1 h2 h2c h3`) can now be toggled with the new `protocols` setting.

Note that HTTP/3 utilizes the QUIC transport, which requires UDP. If your network or firewall configuration only allows TCP, HTTP/3 connections will fail and clients (should) fall back to HTTP/2.
For servers with properly-configured UDP networks, HTTP/3 should "just work" for enabled clients. HTTP/3 clients can connect by reading Caddy's Alt-Svc header to know how to connect to Caddy via UDP. This header is now emitted automatically and by default. Other than that, there are no other changes needed to existing servers, as Caddy opens a separate UDP socket for HTTP/3.

Our HTTP/3 server attempts to mitigate amplification and reflection attacks by requiring address validation when the server is under load. This adds one round-trip for clients, but is only done as a defensive measure when necessary.

Serious thanks to @marten-seemann who builds and maintains the [quic-go](https://github.com/lucas-clemente/quic-go) library we depend on for this. (Go has not announced any plans to officially support or implement HTTP/3.)

We expect numerous QUIC and HTTP/3 improvements to come as implementations and best practices mature with more production experience.

### Virtual file systems (#4909)

Caddy's `file_server` module now supports _virtual_ file systems. We've replaced all hard-coded `os.Open()`, `os.Stat()`, etc. calls with Go's relatively new `io/fs` package, and introduced a new Caddy module namespace `caddy.fs` for implementations of such file systems.

Some examples of what is possible:

- Serve content from S3 or other blob/cloud storage services
- Serve dynamically-generated content that "feels" static
- [Embed your site directly into your `caddy` binary](https://github.com/mholt/caddy-embed) and serve it from memory
- Serve content directly from an archive file (e.g. `.zip` or `.tar.gz`)
- Load files from a database instead of disk

Basically, instead of serving files from the local disk, you can have Caddy serve the "files" from somewhere or something else. The default is still the local file system.

Note that this feature isn't limited to just Caddy's `file_server` module.
Potentially any module that reads the local disk may benefit from using `caddy.fs` modules instead. I wrote [a module that lets you embed your site](https://github.com/mholt/caddy-embed) within your `caddy` binary -- wherever your server goes, your site goes! We encourage the community to implement and publish new file system modules for Caddy. (From an [early tweet](https://twitter.com/mholt6/status/1551434889358032897) there seems to be quite high demand.)

### Events (#4912 and #4984)

Not surprisingly, many people prefer Caddy to automate certificates used with other software/services. Until now, there hasn't been a great way to know when Caddy has obtained or renewed a certificate (deferred in part by our opinion that certificate management should be baked into the software using the certificate in the first place). Cron jobs generally work for reloading new certificates into services because certificate expiry is _mostly_ predictable, but now there is a better way with one of our most requested features: events!

We thought about events in general for a long time and discussed questions like, "What makes an event different from a log?" "Are events synchronous?" "Do self-initiated events get emitted before or after their code (are they past-tense or future-tense) -- or both? or neither (asynchronous)?" "What do we like from existing event systems?" "What do we wish event systems did differently?"

While we think we have pretty good answers to these questions now, we won't be sure until we gather more production experience. For this reason, events are implemented as an experimental app module -- not as part of the core. (Remember, Caddy's core currently only loads config and sets up logging/storage.) This means that Caddy's core cannot emit events.[^1] So even though our event implementation may change, any changes are likely to be slight and gradual; and we encourage anyone and everyone to start using events as soon as possible and to **give us your feedback**.
We think we have the start of a great event system, but we need you to prove it!

Caddy modules can emit events when interesting things happen. For example, the reverse proxy emits `healthy` and `unhealthy` events when backends go up and down. The TLS app emits `cert_obtaining`, `cert_obtained`, and `cert_failed` before and after obtaining a certificate or after the operation failed, respectively; and `cert_ocsp_revoked` after a certificate is discovered to be revoked by OCSP. There are several more events already, with even more to be added later.

Events can have data associated with them. For example, `healthy`/`unhealthy` come with the address of the host; `cert_obtained` has the domain name, issuer, and storage path. You can access this from config in placeholders, e.g. `{event.data.identifier}`.

Caddy modules can subscribe to events by specifying the name(s) of events to bind to, and the Caddy module ID(s) or namespace(s) to watch. When an event is emitted, it propagates from the module that emitted it up the provisioning hierarchy. This means that an event emitted by `http.handlers.reverse_proxy` will fire for `http.handlers` and `http` as well, similar to the DOM in HTML/JavaScript.

Event handlers are invoked synchronously. We chose this for several reasons. First, despite how easy Go makes concurrency, there are many subtleties to concurrency in a server. Goroutines may be lightweight, but their operations might not be; and if event goroutines are starting more quickly than they are stopping, we either drop events arbitrarily or run out of memory/CPU. Also, we think one of the qualities that differentiates events from logs is the ability for an event to influence the emitting code's flow: a true "hook" in that sense. Instead of simply observing that something is happening (which is what a log tells you), you can influence its behavior. Maybe you want to run a command before a certificate is obtained to see if it _should_ be obtained.
Or maybe you want to change how a TLS handshake is completed on-the-fly. Asynchronous event handlers cannot do this. For simple behavioral changes, synchronous events can be a powerful and useful tool for customizing your server.

The new `event` app lets you easily configure subscriptions and event handlers. Event handling is modular, so you will need to plug in a module that does what you want: run a command, reload a service, make an HTTP request, or anything else! Because this feature is experimental and new, we don't yet know how people will be using it, so currently, Caddy does not ship with any event handler plugins. However, we're pretty sure based on feedback over the years that many of you would like to run commands on certain events (one of our top feature requests is to trigger a daemon reload after certificate renewals). So I went ahead and implemented an [`exec` event handler plugin](https://github.com/mholt/caddy-events-exec) that can run commands. We almost included it in Caddy's standard distribution, but out of an abundance of caution we decided to keep it a separate plugin for now until we learn more about real production use cases from experience.

Here's an example of handling events. In JSON, you configure the `events` app:

```json
{
	"apps": {
		"events": {
			"subscriptions": [
				{
					"events": ["cert_obtained"],
					"handlers": [
						{
							"handler": "exec",
							"command": "systemctl",
							"args": ["reload", "mydaemon"]
						}
					]
				}
			]
		}
	}
}
```

or the equivalent Caddyfile global option:

```
{
	events {
		on cert_obtained exec systemctl reload mydaemon
	}
}
```

It's that simple! Just make sure you have your event handler modules plugged in.

**We hope you will provide feedback, report bugs, and request features related to events.**

[^1]: Compilation fails with an import cycle. If Caddy core uses any feature of Caddy, it must also be in the core or another package not imported by any modules!
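As an added illustration of the event semantics described above (my own toy code, not Caddy's events app): subscriptions bind event names to module IDs or namespaces, an event bubbles from the emitter up its provisioning hierarchy, and handlers run synchronously so a `cert_obtaining` handler can veto the action. The event names and the `http.handlers.reverse_proxy` ID come from the text; the emitter ID `tls.issuance.acme`, the data keys other than `identifier`, and the storage path layout are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Event is what a module emits: a name, the emitting module's ID (for example
// "http.handlers.reverse_proxy") and data; the "identifier" key stands in for
// the {event.data.identifier} placeholder (the other keys are assumptions).
type Event struct {
	Name   string
	Origin string
	Data   map[string]string
}

// Handler runs synchronously; returning an error lets a "before" event such as
// cert_obtaining veto what the emitting code is about to do.
type Handler func(e Event) error

// Subscription binds event names to module IDs or namespaces (empty: any module).
type Subscription struct {
	Events  []string
	Modules []string
	Handler Handler
}

// Bus is a toy stand-in for the events app, not Caddy's implementation.
type Bus struct{ subs []Subscription }

func (b *Bus) Subscribe(s Subscription) { b.subs = append(b.subs, s) }

// Namespaces lists the emitter's ID and each enclosing namespace, innermost
// first: "http.handlers.reverse_proxy" -> [itself, "http.handlers", "http"].
func Namespaces(moduleID string) []string {
	var out []string
	for id := moduleID; id != ""; {
		out = append(out, id)
		i := strings.LastIndex(id, ".")
		if i < 0 {
			break
		}
		id = id[:i]
	}
	return out
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Emit delivers e synchronously, bubbling from the emitting module up through
// its namespaces (each subscription fires once, like a DOM listener). The first
// handler error stops propagation and is returned to the emitter.
func (b *Bus) Emit(e Event) error {
	fired := make(map[int]bool)
	for _, scope := range Namespaces(e.Origin) {
		for i, s := range b.subs {
			if fired[i] || !contains(s.Events, e.Name) {
				continue
			}
			if len(s.Modules) > 0 && !contains(s.Modules, scope) {
				continue
			}
			fired[i] = true
			if err := s.Handler(e); err != nil {
				return fmt.Errorf("%s from %s: handler refused: %w", e.Name, e.Origin, err)
			}
		}
	}
	return nil
}

// ObtainCert imitates the TLS app's flow: emit cert_obtaining first (a handler
// may veto it), do the work, then emit cert_obtained with the result. The
// emitter ID and the storage path are illustrative, not Caddy's.
func ObtainCert(bus *Bus, domain string) (string, error) {
	pre := Event{Name: "cert_obtaining", Origin: "tls.issuance.acme", Data: map[string]string{"identifier": domain}}
	if err := bus.Emit(pre); err != nil {
		return "", err
	}
	path := "certificates/acme/" + domain + "/" + domain + ".crt" // constructed value
	_ = bus.Emit(Event{Name: "cert_obtained", Origin: "tls.issuance.acme",
		Data: map[string]string{"identifier": domain, "storage_path": path}})
	return path, nil
}

func main() {
	bus := &Bus{}
	// policy hook: refuse names outside our zone before any certificate is requested
	bus.Subscribe(Subscription{Events: []string{"cert_obtaining"}, Handler: func(e Event) error {
		if !strings.HasSuffix(e.Data["identifier"], ".example.com") {
			return errors.New("not in the allowed zone")
		}
		return nil
	}})
	fmt.Println(ObtainCert(bus, "app.example.com"))
	fmt.Println(ObtainCert(bus, "evil.example.net"))
}
```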
### Smarter path matching and rewriting (#4948)

Is the URI path `/a/b/c` the same as `/a/b%2Fc`? What about `/a/b//c`? Turns out, _it depends._ What these questions illustrate is a famously frustrating problem, and has largely gone unsolved until now. All existing solutions I investigated in other products were unsatisfactory:

- Nginx (and Caddy until now) always does path comparisons in unescaped/normalized space. This makes it impossible to route on literal escape sequences unless you double-encode your pattern, which violates specification.
- Apache outright rejects valid[^2] HTTP requests containing encoded slashes. This behavior can either be disabled completely (creating a security problem known as unsafe paths) or tweaked to never decode encoded slashes (creating ambiguities when comparing against route patterns).
- Laravel, like nginx, always decodes slashes, but routing such requests [mangles application data](https://github.com/laravel/framework/issues/22125) that contains slashes.

The process of decoding a URI and collapsing slashes in the path is called normalization. Normalization has to occur for safe, reliable routing (imagine `//secret` bypassing auth checks configured for `/secret`), but at the same time, raw paths are sometimes needed to preserve application data (imagine a route `/bands/:name` which succeeds for `/bands/AC%2fDC` but fails for the normalized `/bands/AC/DC`). And it's not just routing; servers like Caddy often rewrite/manipulate paths.

Because normalizing URIs creates a Many:1 mapping (there are multiple encoded forms of a single URI), normalizing is inherently lossy: the original input cannot be recovered with certainty, so we can't reconstruct the original or intended URI with complete fidelity. Other solutions with coarse on-off knobs can't balance both security and application correctness: it seems you have to trade one for the other.
The crux of the problem seems to be that the server/framework/router doesn't know which parts of the path are application data and which parts are path components, so it just "plays it safe" and decodes the whole thing.

I think Caddy's solution to this is quite novel. **Our solution is to interpret encoded characters and multiple slashes in a path pattern literally as a hint of the developer's intent.** For example, if you write a path matcher `/a/b/c`, it will still match `/a/b/c` and `/a/b%2Fc`. However, if your path matcher is `/a/b%2Fc`, Caddy will _only_ match `/a/b%2Fc`. This extends to wildcards with our new "escape-wildcard" feature: `/bands/%*/` will match `/bands/AC%2fDC` but `/bands/*/` won't.

This works for multiple slashes too. If your path matcher uses `//`, Caddy will require the request path to contain those slashes literally at that position. We've also implemented this for prefix and suffix manipulations. For example, if you wanted to strip a prefix of `//prefix` from `//prefix/foo`, it will now work, whereas before it wouldn't because it would look at a fully-normalized URI.

Essentially, we use the configured path pattern as a cue for whether to decode/merge a character or leave it raw when normalizing.

This is a complex and subtle change, so please be sure to read the full PR in #4948 and the linked Laravel issue. It's very informative!

[^2]: The "validity" of such a URI based on spec compliance is debatable. RFC 9110 says, "distinct resources SHOULD NOT be identified by HTTP URIs that are equivalent after normalization."

### HTTP 103 Early Hints (#4882 and #5006)

HTTP Early Hints ([RFC 8297](https://datatracker.ietf.org/doc/rfc8297/)) is the effective successor to HTTP/2 Server Push. When 103 is emitted with relevant Link headers, web pages will load faster than normal.
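Going back to the path-matching section above, here is an added toy matcher (my own code, not the implementation from #4948) that applies its rule: escapes and doubled slashes written in the pattern are demanded literally, while everything else is compared in normalized space, so `/secret` still catches `//secret` but `/a/b%2Fc` no longer matches `/a/b/c`. The `*` versus `%*` wildcard semantics (rest of a normalized segment versus rest of a raw segment) are an assumption chosen to reproduce the `/bands/` examples.

```go
package main

import (
	"fmt"
	"strings"
)

func isHex(b byte) bool { return (b >= '0' && b <= '9') || (b|0x20 >= 'a' && b|0x20 <= 'f') }

func unhex(b byte) byte { return byte(strings.IndexByte("0123456789abcdef", b|0x20)) }

// escapeAt reports whether s[i:] begins with a well-formed %XX escape.
func escapeAt(s string, i int) bool {
	return i+2 < len(s) && s[i] == '%' && isHex(s[i+1]) && isHex(s[i+2])
}

// decodeAt returns the next byte of raw in decoded form and its raw width (3 for %XX, else 1).
func decodeAt(raw string, i int) (byte, int) {
	if escapeAt(raw, i) {
		return unhex(raw[i+1])<<4 | unhex(raw[i+2]), 3
	}
	return raw[i], 1
}

// slashRun counts the slashes at raw[r:] in normalized space (literal "/" or
// %2F) and returns the count and the raw bytes they span.
func slashRun(raw string, r int) (count, width int) {
	for r+width < len(raw) {
		b, n := decodeAt(raw, r+width)
		if b != '/' {
			break
		}
		count++
		width += n
	}
	return
}

// skipSegment advances past raw[r:] up to the next slash: with rawSpace only a
// literal "/" ends the segment (an encoded %2F is swallowed), otherwise an
// encoded slash ends it too, since in normalized space it is a slash.
func skipSegment(raw string, r int, rawSpace bool) int {
	for r < len(raw) {
		b, n := decodeAt(raw, r)
		if b == '/' && (n == 1 || !rawSpace) {
			break
		}
		r += n
	}
	return r
}

// MatchPath reports whether the raw (still percent-encoded) request path
// satisfies pattern: a %XX escape or doubled slash written in the pattern must
// appear literally in the request; everything else is compared after decoding
// and slash merging. "*" matches the rest of a normalized segment and "%*" the
// rest of a raw segment (wildcard semantics are assumed for this toy).
func MatchPath(pattern, raw string) bool {
	p, r := 0, 0
	for p < len(pattern) {
		switch {
		case escapeAt(pattern, p): // encoded in the pattern: demand the same escape
			if !escapeAt(raw, r) || !strings.EqualFold(pattern[p:p+3], raw[r:r+3]) {
				return false
			}
			p, r = p+3, r+3
		case strings.HasPrefix(pattern[p:], "//"): // doubled slash: require it literally
			np := len(pattern[p:]) - len(strings.TrimLeft(pattern[p:], "/"))
			if nr := len(raw[r:]) - len(strings.TrimLeft(raw[r:], "/")); nr != np {
				return false
			}
			p, r = p+np, r+np
		case pattern[p] == '/': // single slash merges any run of "/" or %2F
			nr, w := slashRun(raw, r)
			if nr == 0 {
				return false
			}
			p, r = p+1, r+w
		case strings.HasPrefix(pattern[p:], "%*"): // escape-wildcard
			p, r = p+2, skipSegment(raw, r, true)
		case pattern[p] == '*':
			p, r = p+1, skipSegment(raw, r, false)
		default: // ordinary character: compare in normalized space
			if r >= len(raw) {
				return false
			}
			b, n := decodeAt(raw, r)
			if b != pattern[p] {
				return false
			}
			p, r = p+1, r+n
		}
	}
	return r == len(raw) // the whole request path must be consumed
}

func main() {
	fmt.Println(MatchPath("/a/b/c", "/a/b%2Fc"), MatchPath("/a/b%2Fc", "/a/b/c")) // true false
}
```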
1xx responses are precursors to the final response; clients must be able to support receiving multiple responses to a single request (nearly all modern clients do; and it almost certainly shouldn't break any HTTP/2 clients). Early hints are a great way to speed up page loads where the main content may take a while to generate (a slow DB query, for example) but the subresources can start being loaded right away. In those cases it is often beneficial to send early hints.

Caddy can both originate and proxy 103 responses. To send early hints from Caddy, simply set the `Link` headers as the hints, then write the response with a 103 status code:

```
route /slow-pages/* {
	header Link "</style.css>; rel=preload; as=style"
	header Link "</script.js>; rel=preload; as=script"
	respond 103
}
```

Unlike normal responses, after writing HTTP 103, Caddy's middleware chain will _continue_ to execute and invoke the next handlers (for example, `reverse_proxy`) since 103 is not the final response. Multiple 103s can be sent.

Caddy's reverse proxy also supports HTTP 103 responses, meaning that backends can send early hints and Caddy will proxy them to the client immediately as you'd expect. Note that browser support is still limited (only Chrome implements it at this time) and Caddy must be built with Go 1.19 (our builds use the latest Go version; but we still support Go 1.18 for now).

Thank you to @dunglas with API Platform for contributing this feature to both Go and Caddy!

### Improved command line interface (#4565 and #4994)

Caddy has always used Go's standard `flag` package for its CLI, which has served us quite well. However, recent improvements in the [Cobra](https://github.com/spf13/cobra) library make it possible for our CLI to gain worthwhile features without incurring a heavy dependency. The new `caddy manpage` command generates man pages, and the `caddy completion` command generates shell completions.
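Returning to the Early Hints section: an added Go example (my own, not Caddy's code) of the exchange end to end, with a handler that sends the same two `Link` hints as the Caddyfile above under a 103 before its slow work, and a client that observes the 1xx through `httptrace` before the final 200. It needs Go 1.19, which added `http.StatusEarlyHints` and 1xx support to the server; the local test server and the `/slow-pages/` path are constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httptrace"
	"net/textproto"
	"time"
)

// slowPage mirrors the `route /slow-pages/*` Caddyfile example: announce the
// subresources with a 103, then do the slow work, then send the real response.
func slowPage(w http.ResponseWriter, r *http.Request) {
	h := w.Header()
	h.Add("Link", "</style.css>; rel=preload; as=style")
	h.Add("Link", "</script.js>; rel=preload; as=script")
	w.WriteHeader(http.StatusEarlyHints) // flushed immediately; the handler keeps running
	time.Sleep(50 * time.Millisecond)    // stand-in for the slow DB query
	h.Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusOK) // the final response; Go repeats the Link headers here
	io.WriteString(w, "<!doctype html><title>slow page</title>")
}

// FetchWithHints requests url and returns the Link values received in 103
// responses ahead of the final status; httptrace exposes the 1xx responses
// that the client would otherwise silently skip.
func FetchWithHints(url string) (hints []string, status int, err error) {
	trace := &httptrace.ClientTrace{
		Got1xxResponse: func(code int, header textproto.MIMEHeader) error {
			if code == http.StatusEarlyHints {
				hints = append(hints, header.Values("Link")...)
			}
			return nil // returning an error here would abort the request
		},
	}
	ctx := httptrace.WithClientTrace(context.Background(), trace)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, 0, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return hints, resp.StatusCode, nil
}

// NewSlowServer starts a loopback HTTP/1.1 server serving slowPage (constructed for the example).
func NewSlowServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(slowPage))
}

func main() {
	srv := NewSlowServer()
	defer srv.Close()
	hints, status, err := FetchWithHints(srv.URL + "/slow-pages/index.html")
	if err != nil {
		panic(err)
	}
	fmt.Println("early hints:", hints)   // the two Link values arrive before the body
	fmt.Println("final status:", status) // 200
}
```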
Both the man pages and the shell completions are installed automatically as part of our official Linux packages, so your next `apt upgrade` (etc.) should take care of that. Additionally, short options (e.g. `-c`) are now supported. And if you typo a command, Caddy will helpfully suggest a correction (e.g. `caddy adpt` will suggest `caddy adapt`).

Note that long-form flags must now use double-hyphen syntax (e.g. `--config`) even though the single-hyphen syntax (`-config`) was previously accepted. The standard library's flag parser treats `-` and `--` the same, but Cobra's does not. Our online documentation has always used `--` for flags, so we do not consider this a breaking change, but it's good to be aware of this change if you're used to how Go's parser works.

Very many thanks to @mohammed90 for contributing these features!

### New `caddy respond` command (#4870)

For rapid development needing a local HTTP server, the [`caddy respond` command](https://caddyserver.com/docs/command-line#caddy-respond) might be just what you need: hard-coded HTTP responses for one or more servers so that you can effortlessly have a custom HTTP endpoint to test with.

A plain `caddy respond` command will listen on a random port and reply with HTTP 200. (The port or address is printed to the terminal for you.)
You can set a custom status code like `caddy respond 401` or a custom body like `caddy respond "Hello world!"` -- or both: `caddy respond --status 401 "Hello world!"`

Or you can pipe in a response body, for example serving a maintenance page:

```bash
$ cat maintenance.html | caddy respond --status 503 --header "Content-Type: text/html; charset=utf-8"
```

You can even spin up multiple servers at once and use basic template features to configure each server with a different response:

```bash
$ echo "I'm server {{.N}} on port {{.Port}}" | caddy respond --listen :2000-2004
Server address: [::]:2000
Server address: [::]:2001
Server address: [::]:2002
Server address: [::]:2003
Server address: [::]:2004

$ curl 127.0.0.1:2002
I'm server 2 on port 2002
```

You can debug HTTP clients easier by enabling access logging with the `--access-log` flag. The `--header` flag can be used multiple times to set custom HTTP headers, and `--debug` enables debug mode for more verbose logging.

We hope you find this feature useful!

### Multiple dynamic upstream sources (5fb5b81)

In Caddy 2.5(.1) we introduced dynamic upstreams, which allow you to configure the `reverse_proxy` to get the list of backends on-the-fly during requests. This very popular feature's development was sponsored by Stripe, who we are thrilled to welcome as an enterprise sponsor. Stripe uses Caddy heavily for their internal systems, and for greater redundancy they need to be able to fail over to secondary upstreams if a primary cluster is down.

This is where the new `multi` dynamic upstreams module comes in. Now you can configure, for example, two SRV lookups for aggregated results:

```json
{
	"handler": "reverse_proxy",
	"dynamic_upstreams": {
		"source": "multi",
		"sources": [
			{
				"source": "srv",
				"name": "primary"
			},
			{
				"source": "srv",
				"name": "secondary"
			}
		]
	}
}
```

This appends the backends returned from the secondary SRV lookup to the results of the primary SRV lookup (order preserved).
To implement failover, simply use the `first` load balancing policy which chooses the first available upstream.

### Configurable shutdown delay (#4906)

A shutdown can now be scheduled for a later time using the `shutdown_delay` option. This is useful for giving advance notice to health checkers that this server will be closing soon. The shutdown delay happens _before_ the grace period where new connections are no longer accepted and existing ones are gracefully closed. During the shutdown delay, the server operates normally with the exception of the value of two placeholders. During the delay:

- `{http.shutting_down}` placeholder equals `true`.
- `{http.time_until_shutdown}` returns the duration that remains until server close.

This allows health check endpoints to announce that they will soon be going down so that this instance can be moved out of the rotation or a replacement instance can be spun up in the meantime. For example:

```
{
	shutdown_delay 10s
}

example.com {
	handle /health-check {
		@goingDown `{http.shutting_down}`
		respond @goingDown "Bye-bye in {http.time_until_shutdown}" 503
		respond 200
	}
}
```

By the way, the syntax of that `@goingDown` named matcher is new in 2.6: if a named matcher consists only of a CEL expression string, the type of matcher can be omitted; i.e. what you see above is equivalent to `@goingDown expression "{http.shutting_down} == true"`.

(A shutdown is defined as a config unload where there is no new config to load, or the new config does not have a server configured at the same address as the current server. In other words, a shutdown of a server means a particular HTTP socket will be closed.)

Speaking of grace periods, config changes no longer block while waiting on servers' grace periods. This means faster, more responsive config reloads; just beware that, depending on the length of your grace period, your reload command or config API request may return before the old servers have completely finished shutting down.
### Faster FastCGI transport (#4978)

PHP apps, rejoice! The round-trip between Caddy and php-fpm just got a lot faster. Thanks to contributions by @WeidiDeng, the FastCGI transport has been rewritten to be more efficient.

This is some of the oldest and most unique code in Caddy's code base. When Caddy was rewritten for v2 in 2019, _everything_ was rewritten or refactored... except this, the FastCGI transport. This is the first time this part of the code has been improved since it was first implemented[^3] in 2014!

During tests, profiling showed the new code spends 86% less CPU time in GC (`gcDrain`) thanks to significantly fewer allocations. This is largely in part due to pooling buffers, which required a non-trivial refactoring to implement.

![CPU profile](https://user-images.githubusercontent.com/1128849/188224782-572c877d-42ea-4241-927f-346000512a75.png)

A very rough benchmark using `php_info()` yielded a 25% increase in requests per second. Before the rewrite, Caddy almost always performed worse than nginx even with `fastcgi_keep_conn off`. Our new code performs competitively with nginx, and in some tests Caddy even outperformed nginx with `fastcgi_keep_conn on` -- and we have not implemented connection pooling/reuse into the new transport yet.

Because every setup is different, your actual results will vary. In general though, you can expect busy servers to handle PHP faster.

[^3]: I didn't know how to write a FastCGI client back then (I'm still too scared to do much with it myself); Go's standard library implements only the responder role, not the web server (client). Fortunately there was a [random repository on BitBucket](http://bitbucket.org/PinIdea/fcgi_client) that was forked from [a random repository on Google Code written in 2012](https://code.google.com/archive/p/go-fastcgi-client/) that modified the Go std lib's `fcgi` package. It was rough around the edges, but with a little TLC we got it to do what we needed.
The copyright had the name Junqing Tan in it, which we still retain in our source code to this day.

### Faster file server (#5022)

In a patch contributed by @flga, we've reduced copying between buffers and even eliminated it altogether in some cases using [`sendfile(2)`](https://man7.org/linux/man-pages/man2/sendfile.2.html). This has shown to have a 25-50% performance boost. It's automatic and no configuration is required to benefit. In [some tests](https://blog.tjll.net/reverse-proxy-hot-dog-eating-contest-caddy-vs-nginx/), Caddy's new defaults are even faster than optimized nginx.

Static files over 512 bytes being served over plaintext HTTP sockets may now be served directly by the Linux kernel, which is much faster than copying the file to user-space.

Static files are faster over HTTPS, too. In addition to sendfile (which we can't[^4] use over TLS), we now utilize the `io.ReaderFrom` interface to reuse existing buffers and further reduce copying within user space. Our tests show that this significantly enhances performance even over TLS.

[^4]: This is possible with kTLS, but [the Go standard library doesn't support it](https://github.com/golang/go/issues/44506) and it's [a bit tedious](https://words.filippo.io/playing-with-kernel-tls-in-linux-4-13-and-go/) to make it work, although @FiloSottile was successful with his [spike code](https://github.com/FiloSottile/go/commit/dbed9972d9947eb0001e9f5b639e0df05acec8bd).

### Signed release assets

Thanks to heroic efforts by @mohammed90, our [GitHub release](https://github.com/caddyserver/caddy/releases) assets are now signed and certified. Mohammed [wrote an excellent Twitter thread](https://twitter.com/MohammedSahaf/status/1572022375247663105) explaining the whole thing better than I can here! So if you're wondering why the number of assets shot from 28 to 134... that's why.

Other notable enhancements
--------------------------

- More efficient `query` matcher. (04a14ee37ac6192d734518fa9082d6eb93971bc6)
- A new Caddyfile placeholder `{cookie.*}` grants easy access to cookie values. (#5001)
- Windows service integration: Caddy can now be controlled with `sc.exe`. (#4790)
- Replace `net.IP` type with leaner `netip.Addr` type. (#4966)
- Caddyfile-configurable OCSP check interval with `ocsp_interval` global option. (#4980)
- The reverse proxy now supports `retry_count` as an alternative to `try_duration`; i.e. try backends up to a fixed number of times, rather than up to a time limit. (#4756)
- The reverse proxy closes both ends of "hijacked" connections when shutting down or reloading. (#4895)
- The reverse proxy gracefully closes both ends of websocket connections on shutdown or reload. (#4895)
- The reverse proxy emits metrics regarding the health of upstreams. (#4935)
- The reverse-proxy command can accept repeated --to flags and load balance. (#4693)
- The reverse proxy's HTTP transport now supports distinct read and write timeouts. (#4905)
- Simpler and more reliable config reloads on Linux with SO_REUSEPORT. (#4705)
- Templates can access reverse proxy responses if used within `handle_response`. (#4871)
- Builds now include git revision information when using `go build`. (#4931)
- The file matcher (and `try_files`) now supports glob patterns. (#4993)
- Named matchers in the Caddyfile can use CEL expressions without specifying `expression` first. (#4976)
- The FastCGI transport can now capture and print stderr output. (#5004)
- Listeners can be provided by plugins, enabling new network types. (#5002)
- Caddy can write TLS secrets to a file for debugging purposes. (#4808)
- Sites declared as `http://` in the Caddyfile will no longer be overridden by auto-HTTPS redirects. (#5051)
- Config reloads no longer block while the prior servers are shutting down. (#5043)

## :warning: Deprecations/breaks

- **Metrics are now opt-in.** Due to [multiple confirmed reports](https://github.com/caddyserver/caddy/issues/4644) of non-trivial performance regressions with metrics, we are making them opt-in. (Technically, this is not a breaking change, as Caddy will still function normally and your old configs won't be rejected -- but your metrics will stop being produced unless you enable them.) If you rely on metrics, you can enable them globally in the Caddyfile with global options:

  ```
  {
  	servers {
  		metrics
  	}
  }
  ```

  As with other server-scoped global options, you can selectively customize which servers to enable metrics (e.g. `servers :8080`). _Note that this change is experimental and might be temporary: if we can reduce the performance impact or find a better way to enable and configure metrics, this could change._
- The signature of `caddy.Context.Logger()` has changed, but in a backwards-compatible way. Modules use this function to obtain a logger they can use within Caddy; until now, modules had to pass themselves in as an argument. Now, the context can figure out which module to associate the logger with, so the sole parameter has been made variadic. It may be removed in the future. Plugins should update their code to not pass in a pointer to themselves.
- Basic auth deprecates `scrypt` because it was seldom used and error-prone; use `bcrypt` instead (#4720)
- Several changes to experimental `servers` global options: removed the `protocol` sub-option, which has been replaced with the `protocols` sub-option; `strict_sni_host` is its own separate sub-option; `allow_h2c` and `experimental_http3` have been removed, as both H2C (`h2c`) and HTTP/3 (`h3`) can be toggled in `protocols` (HTTP/3 is now enabled by default and no longer experimental).

As a reminder, features, parameters, and APIs marked as experimental are subject to change or removal.
We strive to keep breaking changes of stable features to a minimum and gracefully deprecate whenever possible with emphasis in release notes, warnings in logs, etc. Most breaking changes are motivated or necessitated by bugs/regressions, security, or wrong/unclear documentation.

Thank you
---------

As usual, a huge thank-you to all our [sponsors](https://github.com/sponsors/mholt) and those who contributed both code and feedback. We also acknowledge the many people who participated in discussions and helped others on the forum. Thank you!

## New Contributors

* @WingLim made their first contribution in https://github.com/caddyserver/caddy/pull/4790
* @WilczynskiT made their first contribution in https://github.com/caddyserver/caddy/pull/4930
* @chir4gm made their first contribution in https://github.com/caddyserver/caddy/pull/4932
* @lewandowski-stripe made their first contribution in https://github.com/caddyserver/caddy/pull/4937
* @abdusco made their first contribution in https://github.com/caddyserver/caddy/pull/4963
* @jedy made their first contribution in https://github.com/caddyserver/caddy/pull/4975
* @benburkert made their first contribution in https://github.com/caddyserver/caddy/pull/4980
* @WeidiDeng made their first contribution in https://github.com/caddyserver/caddy/pull/4964
* @david-szabo97 made their first contribution in https://github.com/caddyserver/caddy/pull/4935
* @Abirdcfly made their first contribution in https://github.com/caddyserver/caddy/pull/4986
* @flga made their first contribution in https://github.com/caddyserver/caddy/pull/5004
* @Malankar made their first contribution in https://github.com/caddyserver/caddy/pull/4972
* @stapelberg made their first contribution in https://github.com/caddyserver/caddy/pull/4950
* @parrotmac made their first contribution in https://github.com/caddyserver/caddy/pull/4693
* @Manouchehri made their first contribution in https://github.com/caddyserver/caddy/pull/4808

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.5.2...v2.6.0

---

# caddy v2.6.1 (2022-09-21T22:21:28+00:00)

Hotfix for unix sockets, the `encode` handler, and the `caddy file-server` command. Please see [the release notes for v2.6.0](https://github.com/caddyserver/caddy/releases/tag/v2.6.0) for other important information if you're coming from < 2.6!

## Changelog

* 1426c97d core: Reuse unix sockets (UDS) and don't try to serve HTTP/3 over UDS (#5063)
* 44ad0ced encode: don't WriteHeader unless called (#5060)
* beb7dcbf fileserver: Reinstate --debug flag

# caddy v2.6.2 (2022-10-13T18:44:05+00:00)

This release brings a number of bug fixes and minor enhancements. All users should upgrade after testing and verifying their setups. Thank you to all who contributed!

If you are coming from < 2.6, please see [the 2.6 release notes](https://github.com/caddyserver/caddy/releases/tag/v2.6.0) because a lot is new!

## Changelog

* 037dc23c admin: Use replacer on listen addresses (#5071)
* 498f32ba caddyconfig: Implement retries into HTTPLoader (#5077)
* 9873ff99 caddyhttp: Remote IP prefix placeholders
* 61822f12 caddyhttp: replace placeholders in map defaults (#5081)
* e07a2672 caddytest: Revise sleep durations
* 253d97c9 core: Chdir to executable location on Windows (#5115)
* ab720fb7 core: Fix ListenQUIC listener key conflict
* e3e8aabb core: Refactor and improve listener logic (#5089)
* e4fac129 core: Set version manually via CustomVersion (#5072)
* f7c1a51e fastcgi: Redirect using original URI path (fix #5073)
* 2be56c52 fileserver: Treat invalid file path as NotFound (#5099)
* b1d04f5b fileserver: better dark mode visited link contrast (#5105)
* 33f60da9 fileserver: stop listing dir when request context is cancelled (#5131)
* 2153a81e forwardauth: Canonicalize header fields (fix #5038) (#5097)
* fe91de67 go.mod: Upgrade select dependencies
* 70419700 headers: Support repeated WriteHeader if 1xx (fix #5074)
* d46ba2e2 httpcaddyfile: Fix `metrics` global option parsing (#5126)
* 6bad878a httpcaddyfile: Improve detection of indistinguishable TLS automation policies (#5120)
* 2808de1e httpcaddyfile: Skip `automate` when `auto_https off` is specified (#5110)
* 3e1fd2a8 httpcaddyfile: Wrap site block in subroute if host matcher used (#5130)
* 9e1d964b logging: Add `time_local` option to use local time instead of UTC (#5108)
* 01e192ed logging: Better `console` encoder defaults (#5109)
* 99ffe933 logging: Fix `skip_hosts` with wildcards (#5102)
* ea58d519 logging: Perform filtering on arrays of strings (where possible) (#5101)
* 5e52bbb1 map: Remove infinite recursion check (#5094)
* b4e28af9 replacer: working directory global placeholder (#5127)
* e2991eb0 reverseproxy: On 103 don't delete own headers (#5091)
* 2a8c458f reverseproxy: Parse humanized byte size (fix #5095)
* d0556929 reverseproxy: fix upstream scheme handling in command (#5088)
* 013b5103 rewrite: Only trim prefix if matched

## New Contributors

* @lemmi made their first contribution in https://github.com/caddyserver/caddy/pull/5088
* @willnorris made their first contribution in https://github.com/caddyserver/caddy/pull/5081
* @yroc92 made their first contribution in https://github.com/caddyserver/caddy/pull/5071
* @iliana made their first contribution in https://github.com/caddyserver/caddy/pull/5105
* @TobiX made their first contribution in https://github.com/caddyserver/caddy/pull/5106
* @likev made their first contribution in https://github.com/caddyserver/caddy/pull/5099
* @cherouvim made their first contribution in https://github.com/caddyserver/caddy/pull/5121

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.6.1...v2.6.2

# caddy v2.6.3 (2023-02-08T19:51:59+00:00)

This release brings a number of bug fixes and minor features. We recommend that all users check the release notes/commits, then test and upgrade.
Notable changes: - New `trusted_proxies` global option (within `servers`) can be used to specify trusted proxy IP ranges globally. This is important if relying on headers for client IP addresses. - Unix sockets on Windows now supported as proxy upstreams. - Proxied WebSocket connections are now logged with correct status code and "size" (bytes read + bytes written). - The [quic-go](https://github.com/quic-go/quic-go) package has received significant optimizations, so HTTP/3 should be more efficient now. Thank you to everyone who contributed to this release! ## Changelog * bfaf2a82 acme_server: Configurable default lifetime for issued certificates (#5232) * ac83b7e2 admin: Add `CADDY_ADMIN` env var to override the default (#5332) * ac96455a admin: fix certificate renewal for admin (#5169) * 762b0278 admin: set certmagic cache logger (#5173) * 329af5ce build(deps): bump actions/cache from 2 to 3 (#5263) * 3b724a20 build(deps): bump actions/upload-artifact from 1 to 3 (#5262) * af93517c build(deps): bump goreleaser/goreleaser-action from 2 to 4 (#5264) * cd49847e build(deps): bump peter-evans/repository-dispatch from 1 to 2 (#5261) * 8d3a1b8b caddyauth: Use singleflight for basic auth (#5344) * bbe36631 caddyconfig: Fix httploader leak from unused responses (#5159) * 7f2a93e6 caddyfile: Allow overriding server names (#5323) * 223cbe3d caddyhttp: Add server-level `trusted_proxies` config (#5103) * 087f126c caddyhttp: Canonicalize header field names (#5176) * 12bcbe2c caddyhttp: Pluggable trusted proxy IP range sources (#5328) * ed503118 caddyhttp: add placeholder {http.request.orig_uri.path.*} (#5161) * 33fdea8f caddypki: Prefer user-configured root instead of generating new one (#5189) * 6f8fe01d caddypki: Use go.step.sm/crypto to generate the PKI (#5217) * 1fa4cb7b caddytest: Increased sleep between retries to reduce flakey tests in CI (#5160) * fef9cb3e caddytest: internalize init config into '.go' file (#5230) * 55035d32 caddytls: Add `dns_ttl` config, improve 
Caddyfile `tls` options (#5287) * 66ce0c5c caddytls: Add test cases for Caddyfile `tls` options (#5293) * 0a3efd16 caddytls: Debug log for ask endpoint * 94b8d560 cmd: Add `--envfile` flag to `validate` command (#5350) * a999b707 cmd: Add missing `\n` to HelpTemplate (#5151) * c3b5b181 cmd: Avoid panic when printing version without build info (#5210) * 5805b3ca cmd: `caddy fmt` return code is 1 if not formatted (#5297) * 8c0b49bf cmd: `fmt` exit successfully after overwriting config file (#5351) * f20a8e7a cmd: replace deprecate func use (#5170) * 536c28d4 core: Support Windows absolute paths for UDS proxy upstreams (#5114) * dac7cacd encode: Respect Cache-Control no-transform (#5257) * 4e9ad50f fileserver: Add a couple test cases * 4bf6cb41 fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows (#5148) * a3ae146c fileserver: Reject non-GET/HEAD requests (close #5166) (#5167) * e8ad9b32 go.mod: Update golang.org/x/net to v0.5.0 (#5314) * fac35db9 go.mod: Update quic-go to v0.31.0 * 798c4a3b go.mod: Upgrade some dependencies * 90798f3e go.mod: Upgrade various dependencies (#5362) * 98867ac3 go.mod: bump tscert package to fix Tailscale 1.34+ on Windows (#5331) * d73660f7 httpcaddyfile: Add persist_config global option (#5339) * c38a040e httpcaddyfile: Fix `handle` grouping inside `route` (#5315) * d6d75116 httpcaddyfile: Warn on importing empty file; skip dotfiles (#5320) * 817470dd httploader: Close resp body on bad status code * 72e7edda map: Clarified how destination values should be formatted (#5156) * e9d95ab2 reverseproxy: Add flag to short command to disable redirects (#5330) * e450a737 reverseproxy: Don't enable auto-https when `--from` flag is http (#5269) * 845bc4d5 reverseproxy: Fix hanging for Transfer-Encoding: chunked (#5289) * d4a7d89f reverseproxy: Improve hostByHashing distribution (#5229) * c77a6bea reverseproxy: Log status code and byte count for websockets (#5140) * ee7c92ec reverseproxy: Mask the WS close message 
when we're the client (#5199) * d74f6fd9 reverseproxy: Set origreq in active health check (#5284) * 96231020 tracing: Support placeholders in span name (#5329) 2023-02-08T19:51:59+00:00 caddy v2.6.4 caddy v2.6.4 2023-02-14T20:01:49+00:00 This release contains a hotfix for a regression in v2.6.3 related to proxying chunked requests. We recommend that all users who do so upgrade to v2.6.4. Note that, in an effort to make error-prone configs less likely, we have deprecated the reverse proxy options: - `buffer_requests` - `buffer_responses` - `max_buffer_size` and have introduced 2 new ones which take a size argument to enable buffering: - `request_buffers <size>` - `response_buffers <size>` The deprecated options will be removed in a later version of Caddy, so please start using the new parameters instead. ## Changelog * 0db29e2c go.mod: Upgrade acmez and x/net * 4b119a47 reverseproxy: Don't buffer chunked requests (fix #5366) (#5367) 2023-02-14T20:01:49+00:00 caddy v2.7.0-beta.1 caddy v2.7.0-beta.1 2023-05-16T17:22:16+00:00 This is our first beta release of Caddy 2.7! Please try it out before we tag the stable release. ## Highlights - :warning: The `ask` endpoint is now required to enable On-Demand TLS (b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5) for catch-all or wildcard hosts. Our docs have always mentioned this is required in production environments, but now the code enforces it. The `ask` endpoint is not required for local-only or internal-only names (#5384 and a7af7c486e5240da974e02b7dfee9d265aaa654a). 
- New default template for the file server's "browse" listings - more modern, easier to use, grid view, filetype-specific icons, and better dark mode (see #5427 for more screenshots and info)

  ![list view](https://user-images.githubusercontent.com/1128849/224117088-886bf9e5-6c48-47b8-9863-fbaa5a984327.png)

  ![grid view](https://user-images.githubusercontent.com/1128849/224121253-43db1e17-a958-4cb7-80a3-777d4127adcf.png)

- Reverse proxy now supports the PROXY protocol (#5424)
- Caddyfile import arg placeholders support slice syntax, e.g. `{args[2:]}` (#5249)
- Experimental new short flags for the CLI. (#5379)
- HTTP/3 performance improvements (upstream in quic-go) including enabling 0-RTT.
- Caddyfile now supports Heredoc syntax for long embedded strings/documents. (#5385)
- @francislavoie implemented a suite of enhancements to bring you more reliable, trustworthy client IP information, even through proxies and CDNs (#5104)
- :warning: The long-deprecated `lookup_srv` feature of the reverse proxy has been removed. It was replaced with the [dynamic upstreams feature in 2.6](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#dynamic-upstreams). (#5396)
- Customizable "fallback" policy for reverse proxy in case the primary policy isn't applicable (#5488)
- EXPERIMENTAL: Define "named routes" to reuse them without copying. Caddyfile snippets are useful for reusing config, but reusing the same HTTP routes involves lots of copied config and memory bloat. Named routes let you define a route once and reuse it throughout your HTTP server without copying. It is available for JSON and Caddyfile configs. (#5107)
- Many many bug fixes you may or may not notice :upside_down_face:

Thank you to everyone who contributed! And thank you to our [sponsors](https://github.com/sponsors/mholt) who truly make this project possible.
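The `ask` requirement in these highlights exists because, without it, any client that presents a hostname pointing at your server can make Caddy go to the CA for a certificate. The following is an added example of such an endpoint, not code from the Caddy project; it relies only on the documented contract that Caddy sends `GET <ask-url>?domain=<name>` and proceeds only on a 2xx response. The allow-list, the `/ask` path and the loopback port are assumptions made for the example.

```go
// Minimal "ask" endpoint for Caddy's On-Demand TLS. This is an added example,
// not code from the Caddy project. It relies on the documented contract:
// Caddy sends GET <ask-url>?domain=<name> and only obtains a certificate when
// the endpoint answers with a 2xx status. The allow-list and the port are
// constructed for the example.
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedDomains stands in for a real tenant database (constructed data).
// Keys are lower-case hostnames without a trailing dot.
var allowedDomains = map[string]bool{
	"alice.example.com": true,
	"bob.example.com":   true,
}

// normalizeDomain canonicalizes the queried name so that letter case or a
// trailing dot cannot be used to slip past the allow-list.
func normalizeDomain(d string) string {
	d = strings.ToLower(strings.TrimSpace(d))
	return strings.TrimSuffix(d, ".")
}

// allowed reports whether Caddy may obtain a certificate for domain.
// Wildcards are refused outright: on-demand issuance is for exact names a
// tenant has registered, and a wildcard would cover names nobody registered.
func allowed(domain string) bool {
	domain = normalizeDomain(domain)
	if domain == "" || strings.HasPrefix(domain, "*") {
		return false
	}
	return allowedDomains[domain]
}

// askHandler answers Caddy's check. Anything other than 2xx makes Caddy refuse
// to obtain a certificate, so unregistered names never reach the CA.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	domain := r.URL.Query().Get("domain")
	if !allowed(domain) {
		// Log refusals: a burst of them is an early signal that someone is
		// pointing arbitrary names at this server to burn CA rate limits.
		log.Printf("on-demand TLS refused for %q (asked by %s)", domain, r.RemoteAddr)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	// Listen on loopback only: Caddy calls the endpoint from the same host in
	// this setup (an assumption of the example), and nothing else needs it.
	http.HandleFunc("/ask", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", nil))
}
```

Wire it up with the `on_demand_tls { ask http://127.0.0.1:9123/ask }` global option (the URL being this example's). Because the decision is made before Caddy touches storage or the CA, a refused name costs one local HTTP round trip and nothing else.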
## New Contributors

* @esell made their first contribution in https://github.com/caddyserver/caddy/pull/5417
* @krak3n made their first contribution in https://github.com/caddyserver/caddy/pull/5147
* @trea made their first contribution in https://github.com/caddyserver/caddy/pull/5435
* @heimoshuiyu made their first contribution in https://github.com/caddyserver/caddy/pull/5464
* @gucki made their first contribution in https://github.com/caddyserver/caddy/pull/5424
* @kidonng made their first contribution in https://github.com/caddyserver/caddy/pull/5475
* @taophp made their first contribution in https://github.com/caddyserver/caddy/pull/5497
* @eanavitarte made their first contribution in https://github.com/caddyserver/caddy/pull/5515
* @jonatan5524 made their first contribution in https://github.com/caddyserver/caddy/pull/5521
* @jjiang-stripe made their first contribution in https://github.com/caddyserver/caddy/pull/5531
* @TP-O made their first contribution in https://github.com/caddyserver/caddy/pull/5504

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.6.4...v2.7.0-beta.1

## Changelog

* 3f20a7c9 acmeserver: Configurable `resolvers`, fix smallstep deprecations (#5500)
* b1366c7e build(deps): bump actions/setup-go from 3 to 4 (#5474)
* f3379f65 caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
* 960150bb caddyfile: Implement heredoc support (#5385)
* 8bc05e59 caddyfile: Implement variadics for import args placeholders (#5249)
* 53b6fab1 caddyfile: Stricter parsing, error for brace on new line (#5505)
* cfc85ae8 caddyhttp: Add a getter for Server.name (#5531)
* 05e99745 caddyhttp: Determine real client IP if trusted proxies configured (#5104)
* c05e3898 caddyhttp: Enable 0-RTT QUIC (#5425)
* 85375861 caddyhttp: Fix `vars_regexp` matcher with placeholders (#5408)
* 1c9ea011 caddyhttp: Impl `ResponseWriter.Unwrap()`, prep for Go 1.20's `ResponseController` (#5509)
* cbf16f6d caddyhttp: Implement named routes, `invoke` directive (#5107)
* 2b3046de caddyhttp: Log request body bytes read (#5461)
* 96919acc caddyhttp: Refactor cert Managers (fix #5415) (#5533)
* d8d87a37 caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
* 808b05c3 caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
* a7af7c48 caddytls: Allow on-demand w/o ask for internal-only
* a02ecb0f caddytls: Check for nil ALPN; close #5470 (#5473)
* faf0399e caddytls: Configurable fallback SNI (#5527)
* e16a8868 caddytls: Eval replacer on automation policy subjects (#5459)
* be53e432 caddytls: Relax the warning for on-demand (#5384)
* b97c76fb caddytls: Require 'ask' endpoint for on-demand TLS
* 0cc49c05 caddytls: Zero out throttle window first (#5443)
* b301a3df celmatcher: Implement `pkix.Name` conversion to string (#5492)
* 096971e3 ci/cd: ship tarballs with vendored deps (#5403)
* 5ded5804 cmd: Adjust documentation for commands (#5377)
* 508cf2aa cmd: Create pidfile before config load (close #5477)
* 9e691955 cmd: Expand cobra support, add short flags (#5379)
* 5ebb7d49 cmd: Reduce spammy logs from --watch
* 79de6df9 cmd: Strict unmarshal for validate (#5383)
* 205b1426 cmd: Support `'` quotes in envfile parsing (#5437)
* bf54892a cmd: make `caddy fmt` hints more clear (#5378)
* f6bab8ba context: Rename func to `AppIfConfigured` (#5397)
* 99d47050 core: Eliminate unnecessary shutdown delay on Unix (#5413)
* c6ac350a core: Return default logger if no modules loaded
* b3f0cea2 encode: flush status code when hijacked. (#5419)
* c8032867 fastcgi: Fix `capture_stderr` (#5515)
* 571fc034 feature: watch include directory (#5521)
* f9bd2d3e fileserver: Add color-scheme meta tag (#5475)
* 6cc3cbbc fileserver: New file browse template (#5427)
* 94d41a9d fileserver: Remove trailing slash on fs filenames (#5417)
* 52d7335c fileserver: Use EscapedPath for browse (#5534)
* 1af419e7 go.mod: Update some dependencies
* 774f2288 go.mod: Upgrade CertMagic
* 0de6064c go.mod: Upgrade CertMagic again
* 9e943319 go.mod: Upgrade dependencies
* 8cb1bb4a go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)
* 36546cd8 go.mod: Upgrade several dependencies
* e8352aef headers: Add > Caddyfile shortcut for enabling defer (#5535)
* dd86171d headers: Support deleting all headers as first op (#5464)
* 330be2d8 httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)
* 1aef807c log: Make sink logs encodable (#5441)
* cdce452e logging: Actually honor the SoftStart parameter
* f0e39817 logging: Add traceID field to access logs when tracing is active (#5507)
* f3e8b9d9 logging: Soft start for net writer (close #5520)
* b6fe5d4b proxyprotocol: Add PROXY protocol support to `reverse_proxy`, add HTTP listener wrapper (#5424)
* f5a13a4a replacer: Add HTTP time format (#5458)
* 48598e1f reverseproxy: Add `fallback` for some policies, instead of always random (#5488)
* f8b59e77 reverseproxy: Add `query` and `client_ip_hash` lb policies (#5468)
* 66e571e6 reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)
* 75b690d2 reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)
* 335cd2e8 reverseproxy: Fix active health check header canonicalization, refactor (#5446)
* 2b04e09f reverseproxy: Fix reinitialize upstream healthy metrics (#5498)
* 10b265d2 reverseproxy: Header up/down support for CLI command (#5460)
* b19946f6 reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)
* 4636109c reverseproxy: Remove deprecated `lookup_srv` (#5396)
* 2182270a reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)
* 941eae5f reverseproxy: allow specifying ip version for dynamic `a` upstream (#5401)
* e3909cc3 reverseproxy: refactor HTTP transport layer (#5369)
* 13a37688 rewrite: use escaped path, fix #5278 (#5504)
* 2943c418 templates: Add `fileStat` function (#5497)
* b4205617 tracing: Support autoprop from OTEL_PROPAGATORS (#5147)

# caddy v2.7.0-beta.2 (2023-06-22T01:03:20+00:00)

This is our second and hopefully final beta release of Caddy 2.7! Please try it out before we tag the stable release. Big thank you to everyone who contributed! You're awesome.

## Highlights

- :warning: The `ask` endpoint is now required to enable On-Demand TLS (b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5) for catch-all or wildcard hosts. Our docs have always mentioned this is required in production environments, but now the code enforces it. The `ask` endpoint is not required for local-only or internal-only names (#5384 and a7af7c486e5240da974e02b7dfee9d265aaa654a).
- New default template for the file server's "browse" listings - more modern, easier to use, grid view, filetype-specific icons, and better dark mode (see #5427 for more screenshots and info)

  ![list view](https://user-images.githubusercontent.com/1128849/224117088-886bf9e5-6c48-47b8-9863-fbaa5a984327.png)

  ![grid view](https://user-images.githubusercontent.com/1128849/224121253-43db1e17-a958-4cb7-80a3-777d4127adcf.png)

- Reverse proxy now supports the PROXY protocol (#5424)
- Caddyfile import arg placeholders support slice syntax, e.g. `{args[2:]}` (#5249)
- Experimental new short flags for the CLI. (#5379)
- HTTP/3 performance improvements (upstream in quic-go) including enabling 0-RTT and using GSO. Caddy users should notice significantly better throughput for HTTP/3. Thanks for the fantastic work, @marten-seemann!
- Caddyfile now supports Heredoc syntax for long embedded strings/documents. (#5385)
- @francislavoie implemented a suite of enhancements to bring you more reliable, trustworthy client IP information, even through proxies and CDNs (#5104)
- Certificate private keys will no longer be reused when renewing certificates.
- :warning: The long-deprecated `lookup_srv` feature of the reverse proxy has been removed. It was replaced with the [dynamic upstreams feature in 2.6](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#dynamic-upstreams). (#5396)
- :warning: The `remote_ip forwarded` matcher has been deprecated because it trusts the `X-Forwarded-For` header no matter which peer sent it, so any client can forge its address. Instead, the `client_ip` matcher should be used along with `trusted_proxies` configuration. (#5103 and #5104)
- Customizable "fallback" policy for reverse proxy in case the primary policy isn't applicable (#5488)
- ETags are generated more sensibly for NixOS environments, where every file has a modification time of 1; and if you set your own ETag, it will not be overwritten.
- EXPERIMENTAL: The reverse proxy may be configured to keep WebSockets open through config reloads. (#5567)
- EXPERIMENTAL: Define "named routes" to reuse them without copying. Caddyfile snippets are useful for reusing config, but reusing the same HTTP routes involves lots of copied config and memory bloat. Named routes let you define a route once and reuse it throughout your HTTP server without copying. It is available for JSON and Caddyfile configs. (#5107)
- Many many bug fixes you may or may not notice :upside_down_face:

Thank you to everyone who contributed! And thank you to our [sponsors](https://github.com/sponsors/mholt) who truly make this project possible.
## New Contributors

* @esell made their first contribution in https://github.com/caddyserver/caddy/pull/5417
* @krak3n made their first contribution in https://github.com/caddyserver/caddy/pull/5147
* @trea made their first contribution in https://github.com/caddyserver/caddy/pull/5435
* @heimoshuiyu made their first contribution in https://github.com/caddyserver/caddy/pull/5464
* @gucki made their first contribution in https://github.com/caddyserver/caddy/pull/5424
* @kidonng made their first contribution in https://github.com/caddyserver/caddy/pull/5475
* @taophp made their first contribution in https://github.com/caddyserver/caddy/pull/5497
* @eanavitarte made their first contribution in https://github.com/caddyserver/caddy/pull/5515
* @jonatan5524 made their first contribution in https://github.com/caddyserver/caddy/pull/5521
* @jjiang-stripe made their first contribution in https://github.com/caddyserver/caddy/pull/5531
* @TP-O made their first contribution in https://github.com/caddyserver/caddy/pull/5504
* @pistasjis made their first contribution in https://github.com/caddyserver/caddy/pull/5536
* @charles-dyfis-net made their first contribution in https://github.com/caddyserver/caddy/pull/5547
* @jpds made their first contribution in https://github.com/caddyserver/caddy/pull/5554
* @kassienull made their first contribution in https://github.com/caddyserver/caddy/pull/5553
* @Phrynobatrachus made their first contribution in https://github.com/caddyserver/caddy/pull/5532
* @365cent made their first contribution in https://github.com/caddyserver/caddy/pull/5564
* @oncilla made their first contribution in https://github.com/caddyserver/caddy/pull/5573
* @testwill made their first contribution in https://github.com/caddyserver/caddy/pull/5576
* @mmm444 made their first contribution in https://github.com/caddyserver/caddy/pull/5567
* @sabify made their first contribution in https://github.com/caddyserver/caddy/pull/5579
* @omerdemirok made their first contribution in https://github.com/caddyserver/caddy/pull/5586

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.6.4...v2.7.0-beta.2

## Changelog

* 3f20a7c9 acmeserver: Configurable `resolvers`, fix smallstep deprecations (#5500)
* b1366c7e build(deps): bump actions/setup-go from 3 to 4 (#5474)
* f3379f65 caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
* 960150bb caddyfile: Implement heredoc support (#5385)
* 8bc05e59 caddyfile: Implement variadics for import args placeholders (#5249)
* 53b6fab1 caddyfile: Stricter parsing, error for brace on new line (#5505)
* cee4441c caddyfile: Do not replace import tokens if they are part of a snippet (#5539)
* 9cde7155 caddyfile: Track import name instead of modifying filename (#5540)
* cfc85ae8 caddyhttp: Add a getter for Server.name (#5531)
* 05e99745 caddyhttp: Determine real client IP if trusted proxies configured (#5104)
* c05e3898 caddyhttp: Enable 0-RTT QUIC (#5425)
* 85375861 caddyhttp: Fix `vars_regexp` matcher with placeholders (#5408)
* 1c9ea011 caddyhttp: Impl `ResponseWriter.Unwrap()`, prep for Go 1.20's `ResponseController` (#5509)
* cbf16f6d caddyhttp: Implement named routes, `invoke` directive (#5107)
* 2b3046de caddyhttp: Log request body bytes read (#5461)
* 96919acc caddyhttp: Refactor cert Managers (fix #5415) (#5533)
* d8d87a37 caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
* 808b05c3 caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
* 29452647 caddyhttp: Fix h3 shutdown (#5541)
* 6a41b62e caddyhttp: Support custom network for HTTP/3 (#5573)
* a7af7c48 caddytls: Allow on-demand w/o ask for internal-only
* a02ecb0f caddytls: Check for nil ALPN; close #5470 (#5473)
* faf0399e caddytls: Configurable fallback SNI (#5527)
* e16a8868 caddytls: Eval replacer on automation policy subjects (#5459)
* be53e432 caddytls: Relax the warning for on-demand (#5384)
* b97c76fb caddytls: Require 'ask' endpoint for on-demand TLS
* 0cc49c05 caddytls: Zero out throttle window first (#5443)
* 4ba03c9d caddytls: Clarify some JSON config docs
* b301a3df celmatcher: Implement `pkix.Name` conversion to string (#5492)
* 096971e3 ci/cd: ship tarballs with vendored deps (#5403)
* 5ded5804 cmd: Adjust documentation for commands (#5377)
* 508cf2aa cmd: Create pidfile before config load (close #5477)
* 9e691955 cmd: Expand cobra support, add short flags (#5379)
* 5ebb7d49 cmd: Reduce spammy logs from --watch
* 79de6df9 cmd: Strict unmarshal for validate (#5383)
* 205b1426 cmd: Support `'` quotes in envfile parsing (#5437)
* bf54892a cmd: make `caddy fmt` hints more clear (#5378)
* 38cb587e cmd: Avoid spammy log messages (fix #5538)
* 078f130a cmd: Implement storage import/export (#5532)
* f6bab8ba context: Rename func to `AppIfConfigured` (#5397)
* 806341e0 core: Properly preserve unix sockets (fix #5568)
* 942fbb37 core: Use SO_REUSEPORT_LB on FreeBSD (#5554)
* 99d47050 core: Eliminate unnecessary shutdown delay on Unix (#5413)
* c6ac350a core: Return default logger if no modules loaded
* b3f0cea2 encode: flush status code when hijacked. (#5419)
* c8032867 fastcgi: Fix `capture_stderr` (#5515)
* 571fc034 feature: watch include directory (#5521)
* f9bd2d3e fileserver: Add color-scheme meta tag (#5475)
* 6cc3cbbc fileserver: New file browse template (#5427)
* 94d41a9d fileserver: Remove trailing slash on fs filenames (#5417)
* 52d7335c fileserver: Use EscapedPath for browse (#5534)
* 5bd9c490 fileserver: Don't set Etag if mtime is 0 or 1 (close #5548) (#5550)
* 5336bc0f fileserver: Fix file browser breadcrumb font (#5543)
* 2d236ead fileserver: Fix file browser footer in grid mode (#5536)
* bd34cb6b fileserver: More filetypes for browse icons
* 2615c9c5 fileserver: Only set Etag if not already set (fix #5546) (#5547)
* 56af1ceb fileserver: browse: Better grid layout (#5564)
* cdd3884b fileserver: browse: minor tweaks for grid view, dark mode (#5545)
* 1af419e7 go.mod: Update some dependencies
* 774f2288 go.mod: Upgrade CertMagic
* 0de6064c go.mod: Upgrade CertMagic again
* 9e943319 go.mod: Upgrade dependencies
* 8cb1bb4a go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)
* 36546cd8 go.mod: Upgrade several dependencies
* 398c12ae go.mod: Update quic-go to v0.36.0 (#5584)
* 0468508e go.mod: Upgrade CertMagic for hotfix
* 9c180a59 go.mod: Upgrade quic-go to 0.35.1
* 415d1e7b go.mod: Upgrade some dependencies
* e8352aef headers: Add > Caddyfile shortcut for enabling defer (#5535)
* dd86171d headers: Support deleting all headers as first op (#5464)
* 3b19aa2b headers: Allow `>` to defer shortcut for replacements (#5574)
* 330be2d8 httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)
* ca14b6ed httpcaddyfile: Sort Caddyfile slice
* 1aef807c log: Make sink logs encodable (#5441)
* cdce452e logging: Actually honor the SoftStart parameter
* f0e39817 logging: Add traceID field to access logs when tracing is active (#5507)
* f3e8b9d9 logging: Soft start for net writer (close #5520)
* b6fe5d4b proxyprotocol: Add PROXY protocol support to `reverse_proxy`, add HTTP listener wrapper (#5424)
* f5a13a4a replacer: Add HTTP time format (#5458)
* 48598e1f reverseproxy: Add `fallback` for some policies, instead of always random (#5488)
* f8b59e77 reverseproxy: Add `query` and `client_ip_hash` lb policies (#5468)
* 66e571e6 reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)
* 75b690d2 reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)
* 335cd2e8 reverseproxy: Fix active health check header canonicalization, refactor (#5446)
* 2b04e09f reverseproxy: Fix reinitialize upstream healthy metrics (#5498)
* 10b265d2 reverseproxy: Header up/down support for CLI command (#5460)
* b19946f6 reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)
* 4636109c reverseproxy: Remove deprecated `lookup_srv` (#5396)
* 2182270a reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)
* 941eae5f reverseproxy: allow specifying ip version for dynamic `a` upstream (#5401)
* e3909cc3 reverseproxy: refactor HTTP transport layer (#5369)
* 424ae0f4 reverseproxy: Experimental streaming timeouts (#5567)
* 2ddb7171 reverseproxy: Fix parsing of source IP in case it's an ipv6 address (#5569)
* 361946eb reverseproxy: weighted_round_robin load balancing policy (#5579)
* 13a37688 rewrite: use escaped path, fix #5278 (#5504)
* 2943c418 templates: Add `fileStat` function (#5497)
* 31d75acc templates: Add `readFile` action that does not evaluate templates (#5553)
* b4205617 tracing: Support autoprop from OTEL_PROPAGATORS (#5147)

# caddy v2.7.0 (2023-08-02T21:01:17+00:00)

Do not use this release, use [v2.7.3](https://github.com/caddyserver/caddy/releases/tag/v2.7.3) instead which contains hot fixes.

# caddy v2.7.1 (2023-08-03T01:17:47+00:00)

Do not use this release; use [v2.7.3](https://github.com/caddyserver/caddy/releases/tag/v2.7.3) instead. It contains a hotfix for a WebSocket issue.
# caddy v2.7.2 (2023-08-03T04:43:42+00:00)

Do not use this release, use [v2.7.3](https://github.com/caddyserver/caddy/releases/tag/v2.7.3) instead which contains several hot fixes.

# caddy v2.7.3 (2023-08-06T00:49:45+00:00)

We're pleased to present Caddy 2.7, which makes significant strides in areas of scaling, performance, and niche features. Special thank-you to @francislavoie, @Mohammed90, and other core team members for the ongoing dedication of their time to help maintain the project and help in our forums. And a big thank-you to everyone else who contributed! You're awesome, and we're glad this project has so many contributors and [sponsors](https://github.com/sponsors/mholt) to make it possible.

Docs are being updated and will be pushed live shortly. Thank you for your patience and for using Caddy!

_(Note: Versions 2.7.0-2.7.2 contain bugs that were hotfixed within minutes, hours, and a day of their release. Thank you to everyone who helped with that! And sorry for the trouble, we have learned lessons to help mitigate that in the future.)_

## Highlights

- The in-memory TLS certificate cache is no longer purged and recreated during config reloads, making reloads extremely lightweight even when managing thousands of certificates.
- Significant HTTP/3 performance improvements (upstream in quic-go) including enabling 0-RTT. Caddy users should notice significantly better throughput for HTTP/3. Thanks for the fantastic work, @marten-seemann! (Keep in mind that 0-RTT early data can be replayed by a network attacker, which matters for non-idempotent requests served over HTTP/3.)
- New default template for the file server's "browse" listings - more modern, easier to use, grid view, filetype-specific icons, and better dark mode (see #5427 for more screenshots and info)

  ![list view](https://user-images.githubusercontent.com/1128849/224117088-886bf9e5-6c48-47b8-9863-fbaa5a984327.png)

  ![grid view](https://user-images.githubusercontent.com/1128849/224121253-43db1e17-a958-4cb7-80a3-777d4127adcf.png)

- The reverse proxy now supports the PROXY protocol. Using external modules is no longer required; specifically, the plugin by @mastercactapus is now built-in. (#5424)
- Caddyfile now supports Heredoc syntax for long embedded strings/documents. (#5385)
- @francislavoie implemented a suite of enhancements to bring you more reliable, trustworthy client IP information, even through proxies and CDNs (#5104)
- Certificate private keys will no longer be reused when renewing certificates.
- Caddyfile import arg placeholders support slice syntax, e.g. `{args[2:]}` (#5249)
- Customizable "fallback" policy for reverse proxy in case the primary policy isn't applicable. (#5488)
- ETags are generated more sensibly for NixOS environments, where every file has a modification time of 1; and if you set your own ETag, it will not be overwritten.
- EXPERIMENTAL: New short flags for the CLI. (#5379)
- EXPERIMENTAL: The reverse proxy may be configured to keep hijacked connections (streams, WebSockets, etc.) open through config reloads. (#5567)
- EXPERIMENTAL: Define "named routes" to reuse them without copying. Caddyfile snippets are useful for reusing config, but reusing the same HTTP routes involves lots of copied config and memory bloat. Named routes let you define a route once and reuse it throughout your HTTP server without copying. It is available for JSON and Caddyfile configs. (#5107)
- EXPERIMENTAL: You can specify permissions for unix sockets. (#4741)
- Many many bug fixes you may or may not notice :upside_down_face:

Deprecations and possible breaking changes for some:

- :warning: The `ask` endpoint is now **required** to enable On-Demand TLS (b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5) for catch-all or wildcard hosts. Our docs have always mentioned this is required in production environments, but now the code enforces it: without an `ask` check, anyone who can point a hostname at your server, or simply send that name in the TLS handshake, can make Caddy request certificates for it and burn through CA rate limits and storage. The `ask` endpoint is not required for local-only or internal-only names (#5384 and a7af7c486e5240da974e02b7dfee9d265aaa654a).
- :warning: The on-demand config's throttle options are now deprecated because the 'ask' endpoint is required. Additionally, the 'ask' endpoint is checked and the throttle is applied _before_ storage is queried for a certificate in order to limit load on the storage backend.
- :warning: The long-deprecated `lookup_srv` feature of the reverse proxy has been removed. It was replaced with the [dynamic upstreams feature in 2.6](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#dynamic-upstreams). (#5396)
- :warning: The `remote_ip forwarded` matcher has been deprecated because it trusts the `X-Forwarded-For` header no matter which peer sent it, so any client can forge its address. Instead, the `client_ip` matcher should be used along with `trusted_proxies` configuration, so that forwarded headers are only honored from proxies you actually trust. (#5103 and #5104)
- :warning: Placeholder syntax `{args.0}` is now deprecated in favor of `{args[0]}`.
- :warning: Plugin authors will now need to use `http.ResponseController` to call `Flush()` or `Hijack()` on the response writer. (#5654)

Thank you to everyone who contributed! And thank you to our [sponsors](https://github.com/sponsors/mholt) who truly make this project possible.
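To make the `remote_ip forwarded` deprecation concrete, together with the `trusted_proxies` option introduced in 2.6.3, here is an added example (not Caddy's code) of the two rules side by side: the deprecated matcher took the leftmost `X-Forwarded-For` value from whoever sent it, while the trusted-proxies rule ignores headers from untrusted peers and, for trusted ones, walks the chain from the right to the first hop that is not a trusted proxy. The trusted ranges, peer addresses and header values are constructed; `clientIP` and `forwardedFirstValue` are this example's own names.

```go
// Added example, not Caddy's code: the rule behind the `trusted_proxies`
// setting and the `client_ip` matcher, next to the behaviour of the deprecated
// `remote_ip forwarded` matcher. The trusted ranges, peer addresses and
// X-Forwarded-For values below are all constructed.
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseRanges turns CIDR strings into prefixes; a bare IP becomes a /32 or /128.
func parseRanges(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		if !strings.Contains(c, "/") {
			a, err := netip.ParseAddr(c)
			if err != nil {
				return nil, err
			}
			c = fmt.Sprintf("%s/%d", a, a.BitLen())
		}
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// inRanges reports whether a falls inside any trusted prefix.
func inRanges(a netip.Addr, ranges []netip.Prefix) bool {
	for _, p := range ranges {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

// parseAddr accepts "ip" or "ip:port" (including "[v6]:port"), the forms seen
// in RemoteAddr and in X-Forwarded-For entries.
func parseAddr(s string) (netip.Addr, bool) {
	s = strings.TrimSpace(s)
	if ap, err := netip.ParseAddrPort(s); err == nil {
		return ap.Addr(), true
	}
	a, err := netip.ParseAddr(s)
	return a, err == nil
}

// clientIP is the hardened rule: if the TCP peer is not a trusted proxy, its
// headers are attacker-controlled and ignored; if it is, walk X-Forwarded-For
// from the right, skip every trusted hop, and take the first untrusted address.
func clientIP(remoteAddr string, xff []string, trusted []netip.Prefix) string {
	peer, ok := parseAddr(remoteAddr)
	if !ok {
		return remoteAddr
	}
	if !inRanges(peer, trusted) {
		return peer.String()
	}
	parts := strings.Split(strings.Join(xff, ","), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		a, ok := parseAddr(parts[i])
		if !ok || inRanges(a, trusted) {
			continue
		}
		return a.String()
	}
	// Every hop was trusted (or the header was absent): fall back to the peer.
	return peer.String()
}

// forwardedFirstValue models the deprecated `remote_ip forwarded` behaviour:
// the leftmost X-Forwarded-For value wins, whoever sent it. A client that
// connects directly and sets the header chooses its own "client IP".
func forwardedFirstValue(remoteAddr string, xff []string) string {
	if len(xff) > 0 && strings.TrimSpace(xff[0]) != "" {
		return strings.TrimSpace(strings.Split(xff[0], ",")[0])
	}
	if a, ok := parseAddr(remoteAddr); ok {
		return a.String()
	}
	return remoteAddr
}

func main() {
	trusted, err := parseRanges([]string{"10.0.0.0/8", "203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	// A direct client forging X-Forwarded-For: the forged value is ignored...
	fmt.Println(clientIP("198.51.100.7:44321", []string{"10.0.0.5"}, trusted)) // 198.51.100.7
	// ...whereas the deprecated matcher would have believed it.
	fmt.Println(forwardedFirstValue("198.51.100.7:44321", []string{"10.0.0.5"})) // 10.0.0.5
	// Client -> CDN edge (203.0.113.10) -> internal proxy (10.0.0.5) -> Caddy:
	// each trusted hop is skipped and the forged leading entry never wins.
	fmt.Println(clientIP("10.0.0.5:51000", []string{"1.2.3.4, 198.51.100.7, 203.0.113.10"}, trusted)) // 198.51.100.7
}
```

The Caddyfile equivalent of the `trusted` list above is `trusted_proxies static 10.0.0.0/8 203.0.113.0/24` inside the `servers` global option, after which `{client_ip}` and the `client_ip` matcher carry the value that `clientIP` computes here; a `remote_ip forwarded` matcher guarding an admin route would instead have accepted the forged `10.0.0.5` from the first call.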
## New Contributors

* @esell made their first contribution in https://github.com/caddyserver/caddy/pull/5417
* @krak3n made their first contribution in https://github.com/caddyserver/caddy/pull/5147
* @trea made their first contribution in https://github.com/caddyserver/caddy/pull/5435
* @heimoshuiyu made their first contribution in https://github.com/caddyserver/caddy/pull/5464
* @gucki made their first contribution in https://github.com/caddyserver/caddy/pull/5424
* @kidonng made their first contribution in https://github.com/caddyserver/caddy/pull/5475
* @taophp made their first contribution in https://github.com/caddyserver/caddy/pull/5497
* @eanavitarte made their first contribution in https://github.com/caddyserver/caddy/pull/5515
* @jonatan5524 made their first contribution in https://github.com/caddyserver/caddy/pull/5521
* @jjiang-stripe made their first contribution in https://github.com/caddyserver/caddy/pull/5531
* @TP-O made their first contribution in https://github.com/caddyserver/caddy/pull/5504
* @pistasjis made their first contribution in https://github.com/caddyserver/caddy/pull/5536
* @charles-dyfis-net made their first contribution in https://github.com/caddyserver/caddy/pull/5547
* @jpds made their first contribution in https://github.com/caddyserver/caddy/pull/5554
* @kassienull made their first contribution in https://github.com/caddyserver/caddy/pull/5553
* @Phrynobatrachus made their first contribution in https://github.com/caddyserver/caddy/pull/5532
* @365cent made their first contribution in https://github.com/caddyserver/caddy/pull/5564
* @oncilla made their first contribution in https://github.com/caddyserver/caddy/pull/5573
* @testwill made their first contribution in https://github.com/caddyserver/caddy/pull/5576
* @mmm444 made their first contribution in https://github.com/caddyserver/caddy/pull/5567
* @sabify made their first contribution in https://github.com/caddyserver/caddy/pull/5579
* @omerdemirok made their first contribution in https://github.com/caddyserver/caddy/pull/5586
* @bt90 made their first contribution in https://github.com/caddyserver/caddy/pull/5636
* @ydylla made their first contribution in https://github.com/caddyserver/caddy/pull/5646
* @kkroo made their first contribution in https://github.com/caddyserver/caddy/pull/5648

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.6.4...v2.7.3

## Changelog

* 3f20a7c9 acmeserver: Configurable `resolvers`, fix smallstep deprecations (#5500)
* b1366c7e build(deps): bump actions/setup-go from 3 to 4 (#5474)
* dfe17c33 caddyconfig: Specify config adapter for HTTP loader (close #5607)
* f3379f65 caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
* 960150bb caddyfile: Implement heredoc support (#5385)
* 8bc05e59 caddyfile: Implement variadics for import args placeholders (#5249)
* 53b6fab1 caddyfile: Stricter parsing, error for brace on new line (#5505)
* cee4441c caddyfile: Do not replace import tokens if they are part of a snippet (#5539)
* 9cde7155 caddyfile: Track import name instead of modifying filename (#5540)
* bbe1952a caddyfile: Fix comparing if two tokens are on the same line (#5626)
* 9f34383c caddyfile: check that matched key is not a substring of the replacement key (#5685)
* cfc85ae8 caddyhttp: Add a getter for Server.name (#5531)
* 05e99745 caddyhttp: Determine real client IP if trusted proxies configured (#5104)
* c05e3898 caddyhttp: Enable 0-RTT QUIC (#5425)
* 85375861 caddyhttp: Fix `vars_regexp` matcher with placeholders (#5408)
* 1c9ea011 caddyhttp: Impl `ResponseWriter.Unwrap()`, prep for Go 1.20's `ResponseController` (#5509)
* cbf16f6d caddyhttp: Implement named routes, `invoke` directive (#5107)
* 2b3046de caddyhttp: Log request body bytes read (#5461)
* 96919acc caddyhttp: Refactor cert Managers (fix #5415) (#5533)
* d8d87a37 caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
* 808b05c3 caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
* 29452647 caddyhttp: Fix h3 shutdown (#5541)
* 6a41b62e caddyhttp: Support custom network for HTTP/3 (#5573)
* a7af7c48 caddytls: Allow on-demand w/o ask for internal-only
* cd486c25 caddyhttp: Make use of `http.ResponseController` (#5654)
* 18c309b5 caddyhttp: Preserve original error (fix #5652)
* 66114cb1 caddyhttp: Trim dot/space only on Windows (fix #5613)
* a02ecb0f caddytls: Check for nil ALPN; close #5470 (#5473)
* faf0399e caddytls: Configurable fallback SNI (#5527)
* e16a8868 caddytls: Eval replacer on automation policy subjects (#5459)
* be53e432 caddytls: Relax the warning for on-demand (#5384)
* b97c76fb caddytls: Require 'ask' endpoint for on-demand TLS
* 0cc49c05 caddytls: Zero out throttle window first (#5443)
* 4ba03c9d caddytls: Clarify some JSON config docs
* 0e2c7e1d caddytls: Reuse certificate cache through reloads (#5623)
* b301a3df celmatcher: Implement `pkix.Name` conversion to string (#5492)
* 096971e3 ci/cd: ship tarballs with vendored deps (#5403)
* 5ded5804 cmd: Adjust documentation for commands (#5377)
* 508cf2aa cmd: Create pidfile before config load (close #5477)
* 9e691955 cmd: Expand cobra support, add short flags (#5379)
* 5ebb7d49 cmd: Reduce spammy logs from --watch
* 79de6df9 cmd: Strict unmarshal for validate (#5383)
* 205b1426 cmd: Support `'` quotes in envfile parsing (#5437)
* bf54892a cmd: make `caddy fmt` hints more clear (#5378)
* 38cb587e cmd: Avoid spammy log messages (fix #5538)
* 078f130a cmd: Implement storage import/export (#5532)
* 8d304a45 cmd: Split unix sockets for admin endpoint addresses (#5696)
* f6bab8ba context: Rename func to `AppIfConfigured` (#5397)
* 806341e0 core: Properly preserve unix sockets (fix #5568)
* 942fbb37 core: Use SO_REUSEPORT_LB on FreeBSD (#5554)
* 99d47050 core: Eliminate unnecessary shutdown delay on Unix (#5413)
* c6ac350a core: Return default logger if no modules loaded
* 22927e27 core: Add optional unix socket file permissions (#4741)
* f66493ef core: Allow loopback hosts for admin endpoint (fix #5650) (#5664)
* 710824c3 core: Embed net.UDPConn to gain optimizations (#5606)
* b51dc5d5 core: Refine mutex during reloads (fix #5628) (#5645)
* 119e8794 core: Skip `chmod` for abstract unix sockets (#5596)
* b3f0cea2 encode: flush status code when hijacked. (#5419)
* 19139307 encode: Fix infinite recursion (#5672)
* c8032867 fastcgi: Fix `capture_stderr` (#5515)
* 571fc034 feature: watch include directory (#5521)
* f9bd2d3e fileserver: Add color-scheme meta tag (#5475)
* 6cc3cbbc fileserver: New file browse template (#5427)
* 94d41a9d fileserver: Remove trailing slash on fs filenames (#5417)
* 52d7335c fileserver: Use EscapedPath for browse (#5534)
* 5bd9c490 fileserver: Don't set Etag if mtime is 0 or 1 (close #5548) (#5550)
* 5336bc0f fileserver: Fix file browser breadcrumb font (#5543)
* 2d236ead fileserver: Fix file browser footer in grid mode (#5536)
* bd34cb6b fileserver: More filetypes for browse icons
* 2615c9c5 fileserver: Only set Etag if not already set (fix #5546) (#5547)
* 56af1ceb fileserver: browse: Better grid layout (#5564)
* cdd3884b fileserver: browse: minor tweaks for grid view, dark mode (#5545)
* 4e36b4c9 fileserver: Tweak grid view of browse template
* 27bc16ab fileserver: add `export-template` sub-command to `file-server` (#5630)
* e041962b fileserver: add lazy image loading (#5646)
* c049bab4 fileserver: browse: Render SVG images in grid
* 1af419e7 go.mod: Update some dependencies
* 774f2288 go.mod: Upgrade CertMagic
* 0de6064c go.mod: Upgrade CertMagic again
* 9e943319 go.mod: Upgrade dependencies
* 8cb1bb4a go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)
* 36546cd8 go.mod: Upgrade several dependencies
* 398c12ae go.mod: Update quic-go to v0.36.0 (#5584)
* 0468508e go.mod: Upgrade CertMagic for hotfix
* 9c180a59 go.mod: Upgrade quic-go to 0.35.1
* 415d1e7b go.mod: Upgrade some dependencies
* f45a6de2 go.mod: Update quic-go to v0.37.0, bump to Go 1.20 minimum (#5644)
* e198c605 go.mod: Upgrade dependencies esp. smallstep/certificates
* 4df27a20 go.mod: Use latest CertMagic (v0.19.1)
* 94749e11 go.mod: Use quic-go 0.37.1
* f857b32d go.mod: update quic-go to v0.36.2 (#5636)
* 51b1bfb1 go.mod: Upgrade quic-go to v0.37.2 (fix #5680)
* a8cc5d1a go.mod: Upgrade to quic-go v0.37.3
* e8352aef headers: Add > Caddyfile shortcut for enabling defer (#5535)
* dd86171d headers: Support deleting all headers as first op (#5464)
* 3b19aa2b headers: Allow `>` to defer shortcut for replacements (#5574)
* 330be2d8 httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)
* ca14b6ed httpcaddyfile: Sort Caddyfile slice
* 5c51c1db httpcaddyfile: Allow `hostnames` & logger name overrides for log directive (#5643)
* 4aa4f3ac httpcaddyfile: Fix `string does not match ~[]E` error (#5675)
* 1aef807c log: Make sink logs encodable (#5441)
* cdce452e logging: Actually honor the SoftStart parameter
* f0e39817 logging: Add traceID field to access logs when tracing is active (#5507)
* f3e8b9d9 logging: Soft start for net writer (close #5520)
* b6fe5d4b proxyprotocol: Add PROXY protocol support to `reverse_proxy`, add HTTP listener wrapper (#5424)
* f5a13a4a replacer: Add HTTP time format (#5458)
* 48598e1f reverseproxy: Add `fallback` for some policies, instead of always random (#5488)
* f8b59e77 reverseproxy: Add `query` and `client_ip_hash` lb policies (#5468)
* 66e571e6 reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)
* 75b690d2 reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)
* 335cd2e8 reverseproxy: Fix active health check header canonicalization, refactor (#5446)
* 2b04e09f reverseproxy: Fix reinitialize upstream healthy metrics (#5498)
* 10b265d2 reverseproxy: Header up/down support for CLI command (#5460)
* b19946f6 reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)
* 4636109c reverseproxy: Remove deprecated `lookup_srv` (#5396)
* 2182270a reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)
* 941eae5f reverseproxy: allow specifying ip version for dynamic `a` upstream (#5401)
* e3909cc3 reverseproxy: refactor HTTP transport layer (#5369)
* 424ae0f4 reverseproxy: Experimental streaming timeouts (#5567)
* 2ddb7171 reverseproxy: Fix parsing of source IP in case it's an ipv6 address (#5569)
* 361946eb reverseproxy: weighted_round_robin load balancing policy (#5579)
* da235014 reverseproxy: Connection termination cleanup (#5663)
* d7d16360 reverseproxy: Export ipVersions type (#5648)
* 7a69ae75 reverseproxy: Honor `tls_except_port` for active health checks (#5591)
* 5dec11f2 reverseproxy: Pointer receiver
* 65e33fc1 reverseproxy: do not parse upstream address too early if it contains replaceable parts (#5695)
* 13a37688 rewrite: use escaped path, fix #5278 (#5504)
* 2943c418 templates: Add `fileStat` function (#5497)
* 31d75acc templates: Add `readFile` action that does not evaluate templates (#5553)
* b4205617 tracing: Support autoprop from OTEL_PROPAGATORS (#5147)

# caddy v2.7.4

2023-08-17T18:20:54+00:00

Caddy 2.7.4 rounds out some bug fixes from the 2.7 release. For example, [Go made a last-minute breaking change to a new API](https://github.com/quic-go/quic-go/releases/tag/v0.37.4) that broke quic-go (HTTP/3) on Go 1.21 just before Go 1.21 was released; we resolved a few issues with on-demand TLS that are now much improved from the 2.6 tree; and a couple of race conditions were fixed in dynamic reverse proxy upstreams. We hope you will be pleased with this new version!

[Caddy is on feature freeze until after 2.8](https://github.com/caddyserver/caddy/issues/5704) so we can improve our testing situation. These patches have all been tried to ensure they work as intended, but if you notice any issues please report them! We encourage all users to test this new version and then upgrade.

Thanks to all who get involved!
## Changelog

* 080db938 caddytls: Update docs for on-demand config
* d8135505 cmd: Require config for caddy validate (fix #5612) (#5614)
* a8492c06 fileserver: Don't repeat error for invalid method inside error context (#5705)
* 2d7d806f fileserver: Slightly more fitting icons
* f11c3c9f go.mod: Upgrade CertMagic and quic-go
* 5b9c850a go.mod: Upgrade golang.org/x/net to 0.14.0 (#5718)
* 936ee918 reverseproxy: Always return new upstreams (fix #5736) (#5752)
* 431adc09 templates: Fix httpInclude (fix #5698)

## New Contributors

* @faddat made their first contribution in https://github.com/caddyserver/caddy/pull/5707
* @shyim made their first contribution in https://github.com/caddyserver/caddy/pull/5718
* @AaronDewes made their first contribution in https://github.com/caddyserver/caddy/pull/5720

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.7.3...v2.7.4

# caddy v2.7.5

2023-10-11T22:27:06+00:00

In this release, we've fixed quite a few small bugs and annoyances, including HTTP/2 Rapid Reset, which affected most HTTP/2 implementations.

_On a personal note (from @mholt): I recently became a dad! I want to thank our maintainers for helping in so many ways while I've been taking extra time for family. Francis, Matthew, Mohammed, and others -- including all the contributors below, and then some -- are to thank for shipping this release._

## Highlights

- Updated https://github.com/quic-go/quic-go from v0.37.5 to v0.39.0, including many performance improvements. GSO and ECN are now enabled by default, but you may turn them off by setting the `QUIC_GO_DISABLE_GSO=true` and `QUIC_GO_DISABLE_ECN=true` environment variables respectively, if they cause you problems. See the [`quic-go` release notes](https://github.com/quic-go/quic-go/releases) for more details.
- The file server's `fileserver.BrowseTemplate` is now exported, so it may be customized by programs embedding Caddy. (ed8bb13c5df7656647ca7fc1fd09237631a6767c)
- Environment variables loaded with `--envfile` no longer override existing variables. (#5803)
- The `encode` handler now compresses `application/wasm*` content types by default. (#5869)
- The `reverse_proxy` handler can now emit very detailed logs for debugging streaming and buffering. To enable it, set the `verbose_logs` subdirective, and set logging to `debug` level. Since the logs from this are very noisy, opting in with `verbose_logs` is necessary. We may ask you to enable this when asking for support! (#5793)
- You can now check the version with `caddy -v`, like most other CLI utilities! (#5874)

[Caddy is on feature freeze until after 2.8](https://github.com/caddyserver/caddy/issues/5704) so we can improve our testing situation. These patches have all been tried to ensure they work as intended, but if you notice any issues please report them!

## Changelog

* 0e204b73 admin: Respond with 4xx on non-existing config path (#5870)
* 89c407aa build(deps): bump actions/checkout from 3 to 4 (#5846)
* 1405683c build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)
* 38a7b6b3 caddyfile: Adjust error formatting (#5765)
* 7103ea09 caddyfile: Fix case where heredoc marker is empty after newline (#5769)
* 10053f75 caddyfile: Loosen heredoc parsing (#5761)
* 58ab3a01 caddyhttp: Use LimitedReader for HTTPRedirectListener _(thank you to Bartek Nowotarski for reporting)_
* 9c419f1e cmd: Fix exiting with custom status code, add `caddy -v` (#5874)
* f2ab7099 cmd: Prevent overwriting existing env vars with `--envfile` (#5803)
* e0aaefab encode: Add `application/wasm*` to the default content types (#5869)
* fa5a579b fileserver: Add command shortcuts `-l` and `-a` (#5854)
* ed8bb13c fileserver: Export BrowseTemplate
* 130f6d1f fileserver: Set canonical URL on browse template (#5867)
* a306c5f7 fileserver: browse template SVG icons and UI tweaks (#5812)
* 0a6d3333 fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751)
* 82c356f2 fix: caddytest.AssertResponseCode error message (#5853)
* 888c6d7e go.mod: Update quic-go to v0.38.0 (#5772)
* 88b4fbf2 go.mod: Upgrade dependencies incl. x/net/http
* df995029 httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)
* 33d8d2c6 httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)
* 288216e1 httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)
* 2cac3c54 httpcaddyfile: fix placeholder shorthands in named routes (#5791)
* c46ec3b5 logging: Clone array on log filters, prevent side-effects (#5786)
* 1b73e386 logging: query filter for array of strings (#5779)
* 4776f62c replacer: change timezone to UTC for "time.now.http" placeholders (#5774)
* a8586b05 reverseproxy: Add logging for dynamic A upstreams (#5857)
* 3a3182fb reverseproxy: Add more debug logs (#5793)
* 4feac4d8 reverseproxy: Allow fallthrough for response handlers without routes (#5780)
* e8b8d4a8 reverseproxy: Fix `least_conn` policy regression (#5862)
* 2a6859a5 reverseproxy: Fix retries on "upstreams unavailable" error (#5841)
* 05dbe1c1 reverseproxy: Replace health header placeholders (#5861)
* 1e0dea59 reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)
* b245ecd3 reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)
* 5653c36b templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845)
* 289934f3 tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)

## New Contributors

* @singhalkarun made their first contribution in https://github.com/caddyserver/caddy/pull/5757
* @pauljeannot made their first contribution in https://github.com/caddyserver/caddy/pull/5779
* @hainenber made their first contribution in https://github.com/caddyserver/caddy/pull/5790
* @evandam made their first contribution in https://github.com/caddyserver/caddy/pull/5803
* @FossoresLP made their first contribution in https://github.com/caddyserver/caddy/pull/5811
* @glowinthedark made their first contribution in https://github.com/caddyserver/caddy/pull/5812
* @pkoenig10 made their first contribution in https://github.com/caddyserver/caddy/pull/5780
* @ThanmayNath made their first contribution in https://github.com/caddyserver/caddy/pull/5845
* @Christoph-D made their first contribution in https://github.com/caddyserver/caddy/pull/5869
* @mcfedr made their first contribution in https://github.com/caddyserver/caddy/pull/5828
* @bwesterb made their first contribution in https://github.com/caddyserver/caddy/pull/5852
* @Forza-tng made their first contribution in https://github.com/caddyserver/caddy/pull/5867
* @BattleRattle made their first contribution in https://github.com/caddyserver/caddy/pull/5870

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.7.4...v2.7.5

# caddy v2.7.6

2023-12-08T01:03:36+00:00

In this version we've made several fixes and enhancements with help from several contributors. Most changes are small, but some notable ones:

- The `templates` middleware is now officially extensible (experimentally). This means modules can add custom functions/actions for templates to execute.
- TLS storage cleaning is now synchronized across the cluster and remembered across restarts. This should greatly lower costs for expensive storage backends like DynamoDB.
- Placeholders are now evaluated in config for certificate loaders.
- Numerous bug fixes.

Thank you to everyone who contributed!
## Changelog

* 65c489a0 Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
* ae5e2d96 caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)
* db55da59 caddyhttp: Adjust `scheme` placeholder docs (#5910)
* df5edf6b caddytls: Context to DecisionFunc (#5923)
* 6d9a8337 caddytls: Sync distributed storage cleaning (#5940)
* 11a082c0 cmd: Add newline character to version string in CLI output (#5895)
* 979c413f cmd: upgrade: resolve symlink of the executable (#5891)
* 64820706 core: Apply SO_REUSEPORT to UDP sockets (#5725)
* 15adb893 core: quic listener will manage the underlying socket by itself (#5749)
* 801ec756 fileserver: Add .m4v for browse template icon
* b809ed71 go.mod: CVE-2023-45142 Update opentelemetry (#5908)
* b4c7313c go.mod: Upgrade quic-go to v0.39.1
* 36fce3fa go.mod: update quic-go version to v0.40.0 (#5922)
* ec2de22a httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
* f0ea489d httpcaddyfile: Remove port from logger names (#5881)
* 87f63b12 httpredirectlistener: Only set read limit for when request is HTTP (#5917)
* 16834d64 templates: Clarify `include` args docs, add `.ClientIP` (#5898)
* 0259853a templates: Delete headers on `httpError` to reset to clean slate (#5905)
* 2f7ceb57 templates: Officially make templates extensible (#5939)
* 908e9569 tls: accept placeholders in string values of certificate loaders (#5963)

**Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.7.5...v2.7.6