Caddy Versions

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

v2.8.0-beta.2

1 week ago

Caddy 2.8 is (almost) here! We've made a ton of improvements and fixes and implemented some pretty awesome new features based on your feedback.

Thank you to our sponsors and everyone in the community who contributed! We couldn't have done it without your help. In particular, we'd like to recognize sponsors Stripe, Framer, and ZeroSSL, whose support has greatly enhanced the project.

A lot of code that has been documented as deprecated has been in place for a long time now, so this version introduces a few more breaking changes than usual; please review the notes below.

This is a beta release, so expect some rough edges. Test in staging before deploying to production, but please try it out! As usual, please file bugs for any issues you encounter. Thank you and have a great day!

:warning: Breaking changes:

  • ZeroSSL (#6229) (this is one overall change, but requires some explanation):
    • Up to now, Caddy used both Let's Encrypt and ZeroSSL by default to get certificates without any configuration. In 2.8, this is changing slightly. Due to upcoming changes to ZeroSSL accounting policies, ZeroSSL now requires your email address to be able to access their free ACME endpoint.
    • As such, Caddy will only implicitly add the ZeroSSL issuer to your config if you provide an email address in your Caddyfile using the email global option. (We have already recommended this for years.) If you already do this, you don't have to make any changes and you'll still get Let's Encrypt and ZeroSSL automatically as defaults.
    • If you use JSON to configure certificate automation policies, you will need to ensure you use the acme issuer with your email filled out, and the ca field set to ZeroSSL's ACME server URL.
    • The zerossl issuer module is no longer ACME-capable and is now exclusively for the ZeroSSL API. An API key from your ZeroSSL account is required. (The ZeroSSL ACME server can still be used with the acme module pointed to ZeroSSL's ACME server; you can provide your account email and/or EAB credentials as well.) If you were already using the zerossl issuer with an API key, it will now use ZeroSSL's API, which was probably the expected behavior anyway. The API has several advantages over the ACME endpoint, but may require payment:
      • Faster response times
      • IP certificates
      • Management tools in your ZeroSSL account dashboard
      • Technical support
    • To clarify, Let's Encrypt is still a default issuer even if you don't provide an email address (but we have always strongly recommended doing so).
    • You can still use ZeroSSL's ACME endpoint with your own External Account Binding (EAB) credentials.
    • See notes in #6229 for some examples and further explanations.
  • Removed support for the lego_deprecated DNS provider module. It has been deprecated for 4 years. Use caddy-dns modules instead; there are over 50 to choose from already. They are more flexible, compile much leaner, and are easier to implement and support. If yours is not supported it can be easily implemented. Sponsors at or above the Business tier can request to have their provider implemented for free.
  • On-demand TLS: The ask option in the JSON has been deprecated in favor of a permission module (Caddyfile unchanged) (#6055), and Caddyfile support for permission modules is added (6a02999)
  • Admin API: Etag (used for concurrency control) is now a header, not a trailer. This is less efficient, but virtually no clients properly implement trailer support.
  • For consistency, the basicauth Caddyfile directive has been renamed to basic_auth (#6092), and skip_log has been renamed to log_skip (#6066).
  • The basic_auth handler no longer supports scrypt password hashes (deprecated for over a year); bcrypt remains supported (#6091)
  • The forwarded option has been deprecated for a long time and has now been removed from the remote_ip matcher (#6085)
  • Reverse proxy: The buffer_requests, buffer_responses, and max_buffer_size settings have been removed after being deprecated for 14 months. Use request_buffers and response_buffers instead if you need buffering.
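
A worked Caddyfile for the ZeroSSL change above, added here as an example (it is not taken from the release notes or the Caddy repository). It shows the three configurations the notes describe: the implicit defaults that depend on the email global option, the acme issuer pointed explicitly at ZeroSSL's ACME directory with External Account Binding, and the reworked zerossl issuer that speaks only the ZeroSSL API. The hostnames, the email address and the {$...} environment variables holding the EAB key ID, EAB HMAC key and API key are assumptions; the ACME directory URL is ZeroSSL's published v2 DV90 endpoint. The JSON equivalent of the second site block is an acme issuer module with its email field set and ca set to that same URL.

```caddyfile
# Added example, not Caddy project code. Email, hostnames and the
# environment variables below are assumed; the directory URL is
# ZeroSSL's published ACME endpoint.
{
	# 1. Defaults: with a global email, Caddy 2.8 keeps both Let's Encrypt
	#    and ZeroSSL's ACME endpoint as implicit issuers. Without it, only
	#    Let's Encrypt is used implicitly.
	email ops@example.com
}

# 2. Explicit ACME issuer against ZeroSSL's ACME server, bound to an
#    existing ZeroSSL account with EAB credentials. {$VAR} is expanded
#    from the environment when the Caddyfile is adapted.
acme.example.com {
	tls {
		issuer acme {
			dir https://acme.zerossl.com/v2/DV90
			email ops@example.com
			eab {$ZEROSSL_EAB_KID} {$ZEROSSL_EAB_HMAC}
		}
	}
	respond "issued via ZeroSSL ACME"
}

# 3. The zerossl issuer module now uses only the ZeroSSL REST API and
#    needs an account API key (assumed to be in ZEROSSL_API_KEY).
api.example.com {
	tls {
		issuer zerossl {$ZEROSSL_API_KEY}
	}
	respond "issued via ZeroSSL API"
}
```

Run `caddy adapt --config Caddyfile --pretty` and confirm that each automation policy lists the issuer modules you expect before deploying. Note that `{$VAR}` is substituted at adapt time, so the EAB and API credentials still appear in the running JSON config and therefore in the admin API's /config/ output; keep the admin endpoint bound to localhost or otherwise restricted.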

Notable changes:

  • http: New fs directive can declare a file system plugin to use (#5057)
  • http: Sensitive headers in the logs are now replaced with ["REDACTED"] instead of an empty array. (#5669)
  • http: Several improvements to size logging, websockets, flushing, 1xx statuses, and QUIC. (#6173, #6175, #6202, #6150, #6164, #6168)
  • http: Can now write access logs for a hostname to more than one logger (#6088)
  • http: The log_append handler can add fields to the access logs (#6066)
  • http: Add uuid field to access logs when the {http.request.uuid} placeholder is used (#5859)
  • http: Switched PROXY protocol library, adding TLV support (#5915)
  • caddyfile: Plugin authors can now specify a default ordering for directives, making manual ordering by users less necessary (#5865)
  • replacer: A new {file.*} global placeholder is available, where * is a path to a file on disk which contains a value (generally used for secrets) (#5463)
  • root, rewrite: A * matcher token is no longer required in the Caddyfile (#5844)
  • encode: More media types are now compressed by default (#6081)
  • encode: Modify ETag when encoding to comply with RFC 9110 section 8.8.3 (#5849)
  • encode: Configurable compression level for zstd (#6140)
  • uri: Can now perform structured query rewrites with uri query (#6120, #6165)
  • cmd: The --adapter flag is no longer needed for config files named Caddyfile or ending with .caddyfile (#5919)
  • file_server: The browse feature can now return a plaintext response (useful for terminals) (#6093)
  • file_server: File listings can dereference symlinks if enabled (#5973)
  • file_server: Directory listings now include total file size (#6003)
  • file_server: Can use precomputed ETags from sidecar files (#6222)
  • reverse_proxy: Active health checks can now be configured with consecutive passes/fails to change status (#6154)
  • reverse_proxy: A forward proxy can now be specified in config, rather than only through a single env var (#6114)
  • reverse_proxy: Configurable trusted root CAs is now modular (#6065)
  • reverse_proxy: SRV upstreams now support failover and a grace period, with caching (#5832)
  • reverse_proxy: TLS curves can now be configured (potential preparation for post-quantum) (#5851)
  • handle_errors: Handling can now be filtered by response status code more easily (#5965)
  • tls: Client authentication validation methods are now modular/pluggable (#6050)
  • tls: Trusted CA providers are now modular (#5784)
  • tls: New local_ip connection matcher (#6074)
  • tls: Improvements and fixes when certificate managers are configured (#6229)
  • tls: Refactor the On-Demand TLS ask endpoint into a permission module, making it pluggable (#6055)
  • tls: Storage cleaning is now synced across instances that share the storage (#5940)
  • tls: Supports ACME Renewal Information (ARI) draft spec, together with cert lifetime and OCSP/revocation status, to trigger certificate renewals
  • acme_server: Configurable allow/deny policies (#5796)
  • acme_server: Specify allowed challenge types (#5794)
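
An added example (not from the release notes or the Caddy repository) of a site block written against the 2.8 Caddyfile, covering the renamed basic_auth and log_skip directives from the breaking changes, the buffering options that replace the removed ones, and the new {file.*} placeholder for a secret read from disk. Hostnames, paths, the upstream address and the secret file location are assumptions, and the bcrypt hash is left as a placeholder to fill from `caddy hash-password`.

```caddyfile
# Added example, not Caddy project code. Comments give the pre-2.8
# spelling that no longer works. Hostnames, paths and upstream are assumed.
admin.example.com {
	# 2.7: basicauth. scrypt hashes are rejected in 2.8; regenerate any
	# old ones with `caddy hash-password`, which emits bcrypt.
	basic_auth /admin/* {
		alice <bcrypt hash from `caddy hash-password`>
	}

	# 2.7: skip_log. Drop access-log entries for load-balancer health probes.
	@health path /healthz
	log_skip @health

	reverse_proxy 127.0.0.1:8080 {
		# New in 2.8: the token is read from a file on disk (assumed path)
		# instead of being written into the config. Store the bare token
		# with no surrounding whitespace, and make the file readable only
		# by the user Caddy runs as.
		header_up Authorization "Bearer {file./run/secrets/upstream_token}"

		# 2.7: buffer_requests / buffer_responses / max_buffer_size were
		# removed; these are the replacements if buffering is needed at all.
		request_buffers 4MiB
		response_buffers 4MiB
	}
}
```

The {file.*} placeholder is resolved by the replacer at runtime, so unlike a literal value the token does not end up in the adapted JSON; the trade-off is that the file must exist and be readable on every instance that loads the config.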

Changelog

  • ac0ad4da Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
  • 931656bd acmeserver: add policy field to define allow/deny rules (#5796)
  • e1aa862e acmeserver: support specifying the allowed challenge types (#5794)
  • 4a0492f3 admin: Make Etag a header, not a trailer (#6208)
  • 12174496 admin: Use xxhash for etag (#6207)
  • 7e2510ef build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)
  • 4f3f6e35 build(deps): bump actions/setup-go from 4 to 5 (#6012)
  • 8a50f191 build(deps): bump actions/upload-artifact from 3 to 4 (#6013)
  • 1bf72db6 build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)
  • 223f3143 build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)
  • 30d63648 caddyauth: Drop support for scrypt (#6091)
  • f9e11158 caddyauth: Rename basicauth to basic_auth (#6092)
  • f4840cfe caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)
  • c0273f1f caddyfile: Add heredoc support to fmt command (#6056)
  • d9aded01 caddyfile: Allow heredoc blank lines (#6051)
  • 8bbf8ec6 caddyfile: Assert having a space after heredoc marker to simply check (#6117)
  • c369df5c caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)
  • 1f60328e caddyfile: Fix variadic placeholder false positive when token contains : (#5883)
  • 750d0b83 caddyfile: Normalize & flatten all unmarshalers (#6037)
  • 9cd472c0 caddyfile: Populate regexp matcher names by default (#6145)
  • b893c8c5 caddyfile: Reject directives in the place of site addresses (#6104)
  • e7a534d0 caddyfile: Reject long heredoc markers (#6098)
  • 7c48b5fd caddyfile: Switch to slices.Equal for better performance (#6061)
  • 63d597c0 caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)
  • 3d7d60f7 caddyhttp: Add uuid to access logs when used (#5859)
  • 45132c5b caddyhttp: Add plaintext response to file_server browse (#6093)
  • 6d97d8d8 caddyhttp: Address some Go 1.20 features (#6252)
  • 4c10a054 caddyhttp: Adjust scheme placeholder docs (#5910)
  • 97a56d86 caddyhttp: Allow header replacement with empty string (#6163)
  • 83ef61de caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)
  • 2fc620d3 caddyhttp: Fix linter warning about deprecation
  • f5344f8c caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)
  • 2c48dda1 caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)
  • 12778880 caddyhttp: Register post-shutdown callbacks (#5948)
  • 7b48ce0e caddyhttp: Replace sensitive headers with REDACTED (close #5669)
  • cc0c0cf0 caddyhttp: Security enhancements for client IP parsing (#5805)
  • 70953e87 caddyhttp: Support multiple logger names per host (#6088)
  • bde46211 caddyhttp: Test cases for %2F and %252F (#6084)
  • c8559c44 caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
  • ddb1d2c2 caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)
  • 924010cd caddyhttp: close quic connections when server closes (#6202)
  • e0daa39c caddyhttp: record num. bytes read when response writer is hijacked (#6173)
  • 654a3bb0 caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)
  • b568a10d caddyhttp: support unix sockets in caddy respond command (#6010)
  • c93e3045 caddyhttp: suppress flushing if the response is being buffered (#6150)
  • 52822a41 caddyhttp: upgrade to cel v0.20.0 (#6161)
  • c97292b2 caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
  • 4512be49 caddytest: Rename adapt tests to *.caddyfiletest extension (#6119)
  • 8d7ac184 caddytls: Ability to drop connections (close #6294)
  • 6a029990 caddytls: Add Caddyfile support for on-demand permission module (close #6260)
  • b24ae63e caddytls: Context to DecisionFunc (#5923)
  • d129ae6a caddytls: Evict internal certs from cache based on issuer (#6266)
  • 57c5b921 caddytls: Make on-demand 'ask' permission modular (#6055)
  • 76c4cf5a caddytls: Option to configure certificate lifetime (#6253)
  • 3609a4af caddytls: Remove shim code supporting deprecated lego-dns (#6231)
  • dc9dd2e4 caddytls: Still provision permission module if ask is specified
  • 4a09cf0d caddytls: Sync distributed storage cleaning (#5940)
  • 81413cae caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
  • 3ae07a73 caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
  • 03f703a0 caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
  • b359ca56 ci/cd: use the build tag nobadger to exclude badgerdb (#6031)
  • 24b0ecc3 cmd: Add newline character to version string in CLI output (#5895)
  • e473ae68 cmd: Adjust config load logs/errors (#6032)
  • 185ed6fe cmd: Assume Caddyfile based on filename prefix and suffix (#5919)
  • e1f4b83f cmd: Fix panic related to config filename (fix #5919)
  • 8f87c5d9 cmd: Only validate config is proper JSON if config slice has data (#6250)
  • 56c6b3f6 cmd: Preserve LastModified date when exporting storage (#5968)
  • de4959fe cmd: fix the output of the Usage section (#6138)
  • 54823f52 cmd: reverseproxy: log: use caddy logger (#6042)
  • d70608b6 cmd: upgrade: resolve symlink of the executable (#5891)
  • d54dcf15 cmd: use automaxprocs for better perf in containers (#5711)
  • e1b9a9d7 core: Add ctx.Slogger() which returns an slog logger (#5945)
  • cbbd1df9 core: Always make AppDataDir for InstanceID (#5976)
  • 174c19a9 core: Apply SO_REUSEPORT to UDP sockets (#5725)
  • 46c5db92 core: OnExit hooks (#6128)
  • a7479302 core: Support NO_COLOR env var to disable log coloring (#6078)
  • 7c82e265 core: quic listener will manage the underlying socket by itself (#5749)
  • 03e0a010 encode: Configurable compression level for zstd (#6140)
  • 3067074d encode: Improve Etag handling (fix #5849)
  • 9ab09433 encode: Slight fix for the previous commit
  • e698ec51 encode: write status immediately when status code is informational (#6164)
  • ba581146 events: Add debug log
  • 7e52db82 fileserver: Add .m4v for browse template icon
  • 8f9ffc58 fileserver: Add total file size to directory listing (#6003)
  • feb07a7b fileserver: Browse can show symlink target if enabled (#5973)
  • b16aba5c fileserver: Enable compression for command by default (#5855)
  • 5d8b45c9 fileserver: Escape # and ? in img src (fix #6237)
  • f3e849e4 fileserver: Implement caddyfile.Unmarshaler interface (#5850)
  • d00824f4 fileserver: Improve Vary handling (#5849)
  • 362f33da fileserver: New --precompressed flag (#5880)
  • 5a4374be fileserver: Preserve query during canonicalization redirect (#6109)
  • cabb5d71 fileserver: Set "Vary: Accept-Encoding" header (see #5849)
  • 567d96c6 fileserver: read etags from precomputed files (#6222)
  • c839a98f filesystem: Globally declared filesystems, fs directive (#5833)
  • 60abd72c fix: add back text/*
  • b8f729b8 fix: add more media types to the compressed by default list
  • a4a64a6f gitignore: Add rule for caddyfile.go (#6225)
  • 9fc55a97 go.mod: CVE-2023-45142 Update opentelemetry (#5908)
  • fe2a02bf go.mod: Upgrade quic-go to v0.39.1
  • b49ec051 go.mod: Updated quic-go to v0.40.1 (#5983)
  • ee358550 go.mod: update quic-go version to v0.40.0 (#5922)
  • a46ff50a go.mod: Upgrade to quic-go v0.43.0
  • b5227106 go.mod: Upgrade to quic-go v0.43.1
  • dd203ad4 go.mod: CertMagic v0.21.0
  • 258d9061 httpcaddyfile: Add RegisterDirectiveOrder function for plugin authors (#5865)
  • 4181c79a httpcaddyfile: Add optional status code argument to handle_errors directive (#5965)
  • 2a78c9c5 httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)
  • 7984e6f6 httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
  • f976c84d httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)
  • c2d889f8 httpcaddyfile: Fix redir html (#6001)
  • c27425ef httpcaddyfile: Keep deprecated skip_log in directive order (#6153)
  • ac1f20b9 httpcaddyfile: Remove port from logger names (#5881)
  • 5e2f1b5c httpcaddyfile: Rewrite root and rewrite parsing to allow omitting matcher (#5844)
  • 3efda6fb httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)
  • da7d8cb2 httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)
  • cb86319b httpcaddyfile: Support client auth verifiers (#6022)
  • feeb6af4 httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
  • 96f638ea httpredirectlistener: Only set read limit for when request is HTTP (#5917)
  • 3248e4c8 logging: Add zap.Option support (#5944)
  • b9c40e71 logging: Automatic wrap default for filter encoder (#5980)
  • 726a9a8f logging: Fix default access logger (#6251)
  • 01d5568b logging: Implement append encoder, allow flatter filters config (#6069)
  • 0d44e3ec logging: Implement log_append handler (#6066)
  • 91ec7544 logging: Inline Caddyfile syntax for ip_mask filter (#6094)
  • 0c015470 logging: support ms duration format and add docs (#6187)
  • 8c2a72ad matchers: Drop forwarded option from remote_ip matcher (#6085)
  • ed7e3c90 matchers: query now ANDs multiple keys (#6054)
  • 387545a8 metrics: Record request metrics on HTTP errors (#5979)
  • e0bf179c modules: fix some typos in comments (#6206)
  • dc12bd97 proxyprotocol: use github.com/pires/go-proxyproto (#5915)
  • dba556fe refactor: move automaxprocs init in caddycmd.Main()
  • 80acf1bf replacer: Fix escaped closing braces (#5995)
  • 79797394 replacer: Implement file.* global replacements (#5463)
  • e7336cc3 replacer: use RWMutex to protect static provider (#6184)
  • 868af6a0 reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)
  • 613d544a reverseproxy: Accept EOF when buffering
  • f658fd05 reverseproxy: Add tls_curves option to HTTP transport (#5851)
  • a9768d2f reverseproxy: Configurable forward proxy URL (#6114)
  • 0b381eb7 reverseproxy: Implement modular CA provider for TLS transport (#6065)
  • d9ff7b18 reverseproxy: Only change Content-Length when full request is buffered (#5830)
  • 9f97df22 reverseproxy: Remove long-deprecated buffering properties
  • d93e027e reverseproxy: Reuse buffered request body even if partially drained
  • 72ce78d9 reverseproxy: SRV dynamic upstream failover (#5832)
  • 74949fb0 reverseproxy: Use xxhash instead of fnv32 for LB (#6203)
  • b40cacf5 reverseproxy: Wait for both ends of websocket to close (#6175)
  • e65b97f5 reverseproxy: configurable active health_passes and health_fails (#6154)
  • da6a569e reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
  • 1b9042bc reverseproxy: handle buffered data during hijack (#6274)
  • 53f70352 reverseproxy: use context.WithoutCancel (#6116)
  • d05d715a reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
  • b2b29dcd reverseproxy: Implement health_follow_redirects (#6302)
  • 69290d23 rewrite: Implement uri query operations (#6120)
  • 29f57faa rewrite: uri query replace operation (#6165)
  • c6673ad4 staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)
  • 0900844c templates: Clarify include args docs, add .ClientIP (#5898)
  • 4e8245df templates: Delete headers on httpError to reset to clean slate (#5905)
  • 18f34290 templates: Officially make templates extensible (#5939)
  • 4173e2c7 tls: accept placeholders in string values of certificate loaders (#5963)
  • ed41c924 tls: add reuse_private_keys (#6025)
  • e965b111 tls: modularize trusted CA providers (#5784)
  • 5ed86896 vars: Allow overriding http.auth.user.id in replacer as a special case (#6108)
  • d1325842 vars: Make nil values act as empty string instead of "<nil>" (#6174)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.7.6...v2.8.0-beta.2

v2.8.0-beta.1

2 weeks ago

This release is obsolete. Please see the next release for the notes.

v2.7.6

5 months ago

In this version we've made several fixes and enhancements with help from several contributors. Most changes are small, but some notable ones:

  • The templates middleware is now officially extensible (experimentally). This means modules can add custom functions/actions for templates to execute.
  • TLS storage cleaning is now synchronized across the cluster and remembered across restarts. This should greatly lower costs for expensive storage backends like DynamoDB.
  • Placeholders are now evaluated in config for certificate loaders.
  • Numerous bug fixes.

Thank you to everyone who contributed!

Changelog

  • 65c489a0 Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
  • ae5e2d96 caddyfile: Fix variadic placeholder false positive when token contains : (#5883)
  • db55da59 caddyhttp: Adjust scheme placeholder docs (#5910)
  • df5edf6b caddytls: Context to DecisionFunc (#5923)
  • 6d9a8337 caddytls: Sync distributed storage cleaning (#5940)
  • 11a082c0 cmd: Add newline character to version string in CLI output (#5895)
  • 979c413f cmd: upgrade: resolve symlink of the executable (#5891)
  • 64820706 core: Apply SO_REUSEPORT to UDP sockets (#5725)
  • 15adb893 core: quic listener will manage the underlying socket by itself (#5749)
  • 801ec756 fileserver: Add .m4v for browse template icon
  • b809ed71 go.mod: CVE-2023-45142 Update opentelemetry (#5908)
  • b4c7313c go.mod: Upgrade quic-go to v0.39.1
  • 36fce3fa go.mod: update quic-go version to v0.40.0 (#5922)
  • ec2de22a httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
  • f0ea489d httpcaddyfile: Remove port from logger names (#5881)
  • 87f63b12 httpredirectlistener: Only set read limit for when request is HTTP (#5917)
  • 16834d64 templates: Clarify include args docs, add .ClientIP (#5898)
  • 0259853a templates: Delete headers on httpError to reset to clean slate (#5905)
  • 2f7ceb57 templates: Officially make templates extensible (#5939)
  • 908e9569 tls: accept placeholders in string values of certificate loaders (#5963)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.7.5...v2.7.6

v2.7.5

7 months ago

In this release, we've fixed quite a few small bugs and annoyances, and mitigated HTTP/2 Rapid Reset (CVE-2023-44487), which affected most HTTP/2 implementations.

On a personal note (from @mholt): I recently became a dad! I want to thank our maintainers for helping in so many ways while I've been taking extra time for family. Francis, Matthew, Mohammed, and others -- including all the contributors below, and then some -- are to thank for shipping this release.

Highlights

  • Updated https://github.com/quic-go/quic-go from v0.37.5 to v0.39.0, including many performance improvements. GSO and ECN are now enabled by default, but you may turn them off by setting the QUIC_GO_DISABLE_GSO=true and QUIC_GO_DISABLE_ECN=true environment variables respectively, if they cause you problems. See the quic-go release notes for more details.
  • The file server's fileserver.BrowseTemplate is now exported, so it may be customized by programs embedding Caddy. (ed8bb13c5df7656647ca7fc1fd09237631a6767c)
  • Environment variables loaded with --envfile no longer override existing variables. (#5803)
  • The encode handler now compresses application/wasm* content types by default. (#5869)
  • The reverse_proxy handler can now emit very detailed logs for debugging streaming and buffering. To enable it, set the verbose_logs subdirective, and set logging to debug level. Since the logs from this are very noisy, using verbose_logs to opt-in is necessary. We may ask you to enable this when asking for support! (#5793)
  • You can now check the version with caddy -v, like most other CLI utilities! (#5874)

Caddy is on feature freeze until after 2.8 so we can improve our testing situation. These patches have all been tested to ensure they work as intended, but if you notice any issues please report them!

Changelog

  • 0e204b73 admin: Respond with 4xx on non-existing config path (#5870)
  • 89c407aa build(deps): bump actions/checkout from 3 to 4 (#5846)
  • 1405683c build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)
  • 38a7b6b3 caddyfile: Adjust error formatting (#5765)
  • 7103ea09 caddyfile: Fix case where heredoc marker is empty after newline (#5769)
  • 10053f75 caddyfile: Loosen heredoc parsing (#5761)
  • 58ab3a01 caddyhttp: Use LimitedReader for HTTPRedirectListener (thank you to Bartek Nowotarski for reporting)
  • 9c419f1e cmd: Fix exiting with custom status code, add caddy -v (#5874)
  • f2ab7099 cmd: Prevent overwriting existing env vars with --envfile (#5803)
  • e0aaefab encode: Add application/wasm* to the default content types (#5869)
  • fa5a579b fileserver: Add command shortcuts -l and -a (#5854)
  • ed8bb13c fileserver: Export BrowseTemplate
  • 130f6d1f fileserver: Set canonical URL on browse template (#5867)
  • a306c5f7 fileserver: browse template SVG icons and UI tweaks (#5812)
  • 0a6d3333 fileserver: docs: clarify the ability to produce JSON array with browse (#5751)
  • 82c356f2 fix: caddytest.AssertResponseCode error message (#5853)
  • 888c6d7e go.mod: Update quic-go to v0.38.0 (#5772)
  • 88b4fbf2 go.mod: Upgrade dependencies incl. x/net/http
  • df995029 httpcaddyfile: Enable TLS for catch-all site if tls directive is specified (#5808)
  • 33d8d2c6 httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)
  • 288216e1 httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)
  • 2cac3c54 httpcaddyfile: fix placeholder shorthands in named routes (#5791)
  • c46ec3b5 logging: Clone array on log filters, prevent side-effects (#5786)
  • 1b73e386 logging: query filter for array of strings (#5779)
  • 4776f62c replacer: change timezone to UTC for "time.now.http" placeholders (#5774)
  • a8586b05 reverseproxy: Add logging for dynamic A upstreams (#5857)
  • 3a3182fb reverseproxy: Add more debug logs (#5793)
  • 4feac4d8 reverseproxy: Allow fallthrough for response handlers without routes (#5780)
  • e8b8d4a8 reverseproxy: Fix least_conn policy regression (#5862)
  • 2a6859a5 reverseproxy: Fix retries on "upstreams unavailable" error (#5841)
  • 05dbe1c1 reverseproxy: Replace health header placeholders (#5861)
  • 1e0dea59 reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)
  • b245ecd3 reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)
  • 5653c36b templates: Add dummy RemoteAddr to httpInclude request, proxy compatibility (#5845)
  • 289934f3 tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.7.4...v2.7.5

v2.7.4

9 months ago

Caddy 2.7.4 rounds out some bug fixes from the 2.7 release. For example, Go made a last-minute breaking change to a new API that broke quic-go (HTTP/3) on Go 1.21 just before Go 1.21 was released; we resolved a few issues with on-demand TLS that are now much improved from the 2.6 tree; a couple race conditions were fixed in dynamic reverse proxy upstreams. We hope you will be pleased with this new version!

Caddy is on feature freeze until after 2.8 so we can improve our testing situation. These patches have all been tested to ensure they work as intended, but if you notice any issues please report them!

We encourage all users to test this new version and then upgrade. Thanks to all who get involved!

Changelog

  • 080db938 caddytls: Update docs for on-demand config
  • d8135505 cmd: Require config for caddy validate (fix #5612) (#5614)
  • a8492c06 fileserver: Don't repeat error for invalid method inside error context (#5705)
  • 2d7d806f fileserver: Slightly more fitting icons
  • f11c3c9f go.mod: Upgrade CertMagic and quic-go
  • 5b9c850a go.mod: Upgrade golang.org/x/net to 0.14.0 (#5718)
  • 936ee918 reverseproxy: Always return new upstreams (fix #5736) (#5752)
  • 431adc09 templates: Fix httpInclude (fix #5698)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.7.3...v2.7.4

v2.7.3

9 months ago

We're pleased to present Caddy 2.7, which makes significant strides in areas of scaling, performance, and niche features.

Special thank-you to @francislavoie, @Mohammed90, and other core team members for the ongoing dedication of their time to help maintain the project and help in our forums.

And a big thank-you to everyone else who contributed! You're awesome, and we're glad this project has so many contributors and sponsors to make it possible.

Docs are being updated and will be pushed live shortly. Thank you for your patience and for using Caddy!

(Note: Versions 2.7.0-2.7.2 contain bugs that were hotfixed within minutes, hours, and a day of the release. Thank you to everyone who helped with that! And sorry for the trouble; we have learned lessons to help mitigate that in the future.)

Highlights

  • The in-memory TLS certificate cache is no longer purged and recreated during config reloads, making reloads extremely lightweight even when managing thousands of certificates.
  • Significant HTTP/3 performance improvements (upstream in quic-go) including enabling 0-RTT. Caddy users should notice significantly better throughput for HTTP/3. Thanks for the fantastic work, @marten-seemann!
  • New default template for the file server's "browse" listings: more modern, easier to use, with a grid view, filetype-specific icons, and better dark mode (see #5427 for more screenshots and info)
  • The reverse proxy now supports the PROXY protocol. Using external modules is no longer required; specifically, the plugin by @mastercactapus is now built-in. (#5424)
  • Caddyfile now supports Heredoc syntax for long embedded strings/documents. (#5385)
  • @francislavoie implemented a suite of enhancements to bring you more reliable, trustworthy client IP information, even through proxies and CDNs (#5104)
  • Certificate private keys will no longer be reused when renewing certificates.
  • Caddyfile import arg placeholders support slice syntax, e.g. {args[2:]} (#5249)
  • Customizable "fallback" policy for reverse proxy in case the primary policy isn't applicable. (#5488)
  • ETags are generated more sensibly for NixOS environments, where all files have a modification time of 1; and if you set your own ETag, it will not be overwritten.
  • EXPERIMENTAL: New short flags for the CLI. (#5379)
  • EXPERIMENTAL: The reverse proxy may be configured to keep hijacked connections (streams, WebSockets, etc.) open through config reloads. (#5567)
  • EXPERIMENTAL: Define "named routes" to reuse them without copying. Caddyfile snippets are useful for reusing config, but reusing the same HTTP routes involves lots of copied config and memory bloat. Named routes let you define a route once and reuse it throughout your HTTP server without copying. It is available for JSON and Caddyfile configs. (#5107)
  • EXPERIMENTAL: You can specify permissions for unix sockets. (#4741)
  • Many many bug fixes you may or may not notice :upside_down_face:

Deprecations and possible breaking changes for some:

  • :warning: The ask endpoint is now required to enable On-Demand TLS (b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5) for catch-all or wildcard hosts. Our docs have always mentioned this is required in production environments, but now the code enforces it. The ask endpoint is not required for local-only or internal-only names (#5384 and a7af7c486e5240da974e02b7dfee9d265aaa654a).
  • :warning: The on-demand config's throttle options are now deprecated because the 'ask' endpoint is required. Additionally, the 'ask' endpoint is checked and the throttle is applied before storage is queried for a certificate in order to limit load on the storage backend.
  • :warning: The long-deprecated lookup_srv feature of the reverse proxy has been removed. It was replaced with the dynamic upstreams feature in 2.6. (#5396)
  • :warning: The remote_ip matcher's forwarded option has been deprecated because it trusts the X-Forwarded-For header from any downstream proxy. Instead, use the client_ip matcher together with trusted_proxies configuration, so that forwarded headers are believed only when they arrive from proxies you control. (#5103 and #5104)
  • :warning: Placeholder syntax {args.0} is now deprecated in favor of {args[0]}.
  • :warning: Plugin authors will now need to use http.ResponseController to call Flush() or Hijack() on the response writer. (#5654)
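
The two warnings above that change Caddy's security posture, the mandatory ask endpoint for on-demand TLS and the move from remote_ip forwarded to client_ip with trusted_proxies, combined into one 2.7 Caddyfile as an added example (not taken from the release notes or the Caddy repository). The proxy CIDRs, the office range, the ask URL and the site address are assumptions.

```caddyfile
# Added example, not Caddy project code. CIDRs, hostnames and the ask URL
# are assumed.
{
	servers {
		# X-Forwarded-For is honoured only on connections from these hops;
		# for any other peer the TCP source address is the client IP.
		trusted_proxies static 10.0.0.0/8 192.168.0.0/16
	}

	# Required since 2.7 for on-demand TLS on catch-all or wildcard sites.
	# Caddy queries this endpoint (assumed, internal-only) before issuing a
	# certificate for a name; only a 200 response permits issuance.
	on_demand_tls {
		ask http://127.0.0.1:9000/allowed
	}
}

# Catch-all site using on-demand issuance for whatever name arrives in SNI.
https:// {
	tls {
		on_demand
	}

	# 2.7 and earlier: `remote_ip forwarded 203.0.113.0/24` believed the
	# header from anyone. client_ip uses the address derived under
	# trusted_proxies instead.
	@office client_ip 203.0.113.0/24
	handle @office {
		respond "internal view"
	}
	handle {
		respond "public view"
	}
}
```

The ask request carries the requested hostname in a domain query parameter; a non-200 response or a timeout refuses issuance, which is what stops someone pointing arbitrary DNS names at your server from consuming your ACME rate limits. With trusted_proxies set, {http.request.client_ip} and the client_ip matcher fall back to the peer address for connections that do not come from the listed ranges, so a spoofed X-Forwarded-For from the public internet cannot match the office range.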

Thank you to everyone who contributed! And thank you to our sponsors who truly make this project possible.

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.6.4...v2.7.3

Changelog

  • 3f20a7c9 acmeserver: Configurable resolvers, fix smallstep deprecations (#5500)
  • b1366c7e build(deps): bump actions/setup-go from 3 to 4 (#5474)
  • dfe17c33 caddyconfig: Specify config adapter for HTTP loader (close #5607)
  • f3379f65 caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
  • 960150bb caddyfile: Implement heredoc support (#5385)
  • 8bc05e59 caddyfile: Implement variadics for import args placeholders (#5249)
  • 53b6fab1 caddyfile: Stricter parsing, error for brace on new line (#5505)
  • cee4441c caddyfile: Do not replace import tokens if they are part of a snippet (#5539)
  • 9cde7155 caddyfile: Track import name instead of modifying filename (#5540)
  • bbe1952a caddyfile: Fix comparing if two tokens are on the same line (#5626)
  • 9f34383c caddyfile: check that matched key is not a substring of the replacement key (#5685)
  • cfc85ae8 caddyhttp: Add a getter for Server.name (#5531)
  • 05e99745 caddyhttp: Determine real client IP if trusted proxies configured (#5104)
  • c05e3898 caddyhttp: Enable 0-RTT QUIC (#5425)
  • 85375861 caddyhttp: Fix vars_regexp matcher with placeholders (#5408)
  • 1c9ea011 caddyhttp: Impl ResponseWriter.Unwrap(), prep for Go 1.20's ResponseController (#5509)
  • cbf16f6d caddyhttp: Implement named routes, invoke directive (#5107)
  • 2b3046de caddyhttp: Log request body bytes read (#5461)
  • 96919acc caddyhttp: Refactor cert Managers (fix #5415) (#5533)
  • d8d87a37 caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
  • 808b05c3 caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
  • 29452647 caddyhttp: Fix h3 shutdown (#5541)
  • 6a41b62e caddyhttp: Support custom network for HTTP/3 (#5573)
  • a7af7c48 caddytls: Allow on-demand w/o ask for internal-only
  • cd486c25 caddyhttp: Make use of http.ResponseController (#5654)
  • 18c309b5 caddyhttp: Preserve original error (fix #5652)
  • 66114cb1 caddyhttp: Trim dot/space only on Windows (fix #5613)
  • a02ecb0f caddytls: Check for nil ALPN; close #5470 (#5473)
  • faf0399e caddytls: Configurable fallback SNI (#5527)
  • e16a8868 caddytls: Eval replacer on automation policy subjects (#5459)
  • be53e432 caddytls: Relax the warning for on-demand (#5384)
  • b97c76fb caddytls: Require 'ask' endpoint for on-demand TLS
  • 0cc49c05 caddytls: Zero out throttle window first (#5443)
  • 4ba03c9d caddytls: Clarify some JSON config docs
  • 0e2c7e1d caddytls: Reuse certificate cache through reloads (#5623)
  • b301a3df celmatcher: Implement pkix.Name conversion to string (#5492)
  • 096971e3 ci/cd: ship tarballs with vendored deps (#5403)
  • 5ded5804 cmd: Adjust documentation for commands (#5377)
  • 508cf2aa cmd: Create pidfile before config load (close #5477)
  • 9e691955 cmd: Expand cobra support, add short flags (#5379)
  • 5ebb7d49 cmd: Reduce spammy logs from --watch
  • 79de6df9 cmd: Strict unmarshal for validate (#5383)
  • 205b1426 cmd: Support ' quotes in envfile parsing (#5437)
  • bf54892a cmd: make caddy fmt hints more clear (#5378)
  • 38cb587e cmd: Avoid spammy log messages (fix #5538)
  • 078f130a cmd: Implement storage import/export (#5532)
  • 8d304a45 cmd: Split unix sockets for admin endpoint addresses (#5696)
  • f6bab8ba context: Rename func to AppIfConfigured (#5397)
  • 806341e0 core: Properly preserve unix sockets (fix #5568)
  • 942fbb37 core: Use SO_REUSEPORT_LB on FreeBSD (#5554)
  • 99d47050 core: Eliminate unnecessary shutdown delay on Unix (#5413)
  • c6ac350a core: Return default logger if no modules loaded
  • 22927e27 core: Add optional unix socket file permissions (#4741)
  • f66493ef core: Allow loopback hosts for admin endpoint (fix #5650) (#5664)
  • 710824c3 core: Embed net.UDPConn to gain optimizations (#5606)
  • b51dc5d5 core: Refine mutex during reloads (fix #5628) (#5645)
  • 119e8794 core: Skip chmod for abstract unix sockets (#5596)
  • b3f0cea2 encode: flush status code when hijacked. (#5419)
  • 19139307 encode: Fix infinite recursion (#5672)
  • c8032867 fastcgi: Fix capture_stderr (#5515)
  • 571fc034 feature: watch include directory (#5521)
  • f9bd2d3e fileserver: Add color-scheme meta tag (#5475)
  • 6cc3cbbc fileserver: New file browse template (#5427)
  • 94d41a9d fileserver: Remove trailing slash on fs filenames (#5417)
  • 52d7335c fileserver: Use EscapedPath for browse (#5534)
  • 5bd9c490 fileserver: Don't set Etag if mtime is 0 or 1 (close #5548) (#5550)
  • 5336bc0f fileserver: Fix file browser breadcrumb font (#5543)
  • 2d236ead fileserver: Fix file browser footer in grid mode (#5536)
  • bd34cb6b fileserver: More filetypes for browse icons
  • 2615c9c5 fileserver: Only set Etag if not already set (fix #5546) (#5547)
  • 56af1ceb fileserver: browse: Better grid layout (#5564)
  • cdd3884b fileserver: browse: minor tweaks for grid view, dark mode (#5545)
  • 4e36b4c9 fileserver: Tweak grid view of browse template
  • 27bc16ab fileserver: add export-template sub-command to file-server (#5630)
  • e041962b fileserver: add lazy image loading (#5646)
  • c049bab4 fileserver: browse: Render SVG images in grid
  • 1af419e7 go.mod: Update some dependencies
  • 774f2288 go.mod: Upgrade CertMagic
  • 0de6064c go.mod: Upgrade CertMagic again
  • 9e943319 go.mod: Upgrade dependencies
  • 8cb1bb4a go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)
  • 36546cd8 go.mod: Upgrade several dependencies
  • 398c12ae go.mod: Update quic-go to v0.36.0 (#5584)
  • 0468508e go.mod: Upgrade CertMagic for hotfix
  • 9c180a59 go.mod: Upgrade quic-go to 0.35.1
  • 415d1e7b go.mod: Upgrade some dependencies
  • f45a6de2 go.mod: Update quic-go to v0.37.0, bump to Go 1.20 minimum (#5644)
  • e198c605 go.mod: Upgrade dependencies esp. smallstep/certificates
  • 4df27a20 go.mod: Use latest CertMagic (v0.19.1)
  • 94749e11 go.mod: Use quic-go 0.37.1
  • f857b32d go.mod: update quic-go to v0.36.2 (#5636)
  • 51b1bfb1 go.mod: Upgrade quic-go to v0.37.2 (fix #5680)
  • a8cc5d1a go.mod: Upgrade to quic-go v0.37.3
  • e8352aef headers: Add > Caddyfile shortcut for enabling defer (#5535)
  • dd86171d headers: Support deleting all headers as first op (#5464)
  • 3b19aa2b headers: Allow > to defer shortcut for replacements (#5574)
  • 330be2d8 httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)
  • ca14b6ed httpcaddyfile: Sort Caddyfile slice
  • 5c51c1db httpcaddyfile: Allow hostnames & logger name overrides for log directive (#5643)
  • 4aa4f3ac httpcaddyfile: Fix string does not match ~[]E error (#5675)
  • 1aef807c log: Make sink logs encodable (#5441)
  • cdce452e logging: Actually honor the SoftStart parameter
  • f0e39817 logging: Add traceID field to access logs when tracing is active (#5507)
  • f3e8b9d9 logging: Soft start for net writer (close #5520)
  • b6fe5d4b proxyprotocol: Add PROXY protocol support to reverse_proxy, add HTTP listener wrapper (#5424)
  • f5a13a4a replacer: Add HTTP time format (#5458)
  • 48598e1f reverseproxy: Add fallback for some policies, instead of always random (#5488)
  • f8b59e77 reverseproxy: Add query and client_ip_hash lb policies (#5468)
  • 66e571e6 reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)
  • 75b690d2 reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)
  • 335cd2e8 reverseproxy: Fix active health check header canonicalization, refactor (#5446)
  • 2b04e09f reverseproxy: Fix reinitialize upstream healthy metrics (#5498)
  • 10b265d2 reverseproxy: Header up/down support for CLI command (#5460)
  • b19946f6 reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)
  • 4636109c reverseproxy: Remove deprecated lookup_srv (#5396)
  • 2182270a reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)
  • 941eae5f reverseproxy: allow specifying ip version for dynamic a upstream (#5401)
  • e3909cc3 reverseproxy: refactor HTTP transport layer (#5369)
  • 424ae0f4 reverseproxy: Experimental streaming timeouts (#5567)
  • 2ddb7171 reverseproxy: Fix parsing of source IP in case it's an ipv6 address (#5569)
  • 361946eb reverseproxy: weighted_round_robin load balancing policy (#5579)
  • da235014 reverseproxy: Connection termination cleanup (#5663)
  • d7d16360 reverseproxy: Export ipVersions type (#5648)
  • 7a69ae75 reverseproxy: Honor tls_except_port for active health checks (#5591)
  • 5dec11f2 reverseproxy: Pointer receiver
  • 65e33fc1 reverseproxy: do not parse upstream address too early if it contains replaceble parts (#5695)
  • 13a37688 rewrite: use escaped path, fix #5278 (#5504)
  • 2943c418 templates: Add fileStat function (#5497)
  • 31d75acc templates: Add readFile action that does not evaluate templates (#5553)
  • b4205617 tracing: Support autoprop from OTEL_PROPAGATORS (#5147)

v2.7.2

9 months ago

Do not use this release; use v2.7.3 instead, which contains several hotfixes.

v2.7.1

9 months ago

Do not use this release; use v2.7.3 instead. It contains a hotfix for a WebSocket issue.

v2.7.0

9 months ago

Do not use this release; use v2.7.3 instead, which contains hotfixes.

v2.7.0-beta.2

10 months ago

This release is obsolete. Please see the next release for the notes.