Caddy Versions Save

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

v2.6.3

1 year ago

This release brings a number of bug fixes and minor features. We recommend that all users check the release notes/commits, then test and upgrade.

Notable changes:

  • New trusted_proxies global option (within servers) can be used to specify trusted proxy IP ranges globally. This is important if relying on headers for client IP addresses.
  • Unix sockets on Windows now supported as proxy upstreams.
  • Proxied WebSocket connections are now logged with correct status code and "size" (bytes read + bytes written).
  • The quic-go package has received significant optimizations, so HTTP/3 should be more efficient now.

Thank you to everyone who contributed to this release!

Changelog

  • bfaf2a82 acme_server: Configurable default lifetime for issued certificates (#5232)
  • ac83b7e2 admin: Add CADDY_ADMIN env var to override the default (#5332)
  • ac96455a admin: fix certificate renewal for admin (#5169)
  • 762b0278 admin: set certmagic cache logger (#5173)
  • 329af5ce build(deps): bump actions/cache from 2 to 3 (#5263)
  • 3b724a20 build(deps): bump actions/upload-artifact from 1 to 3 (#5262)
  • af93517c build(deps): bump goreleaser/goreleaser-action from 2 to 4 (#5264)
  • cd49847e build(deps): bump peter-evans/repository-dispatch from 1 to 2 (#5261)
  • 8d3a1b8b caddyauth: Use singleflight for basic auth (#5344)
  • bbe36631 caddyconfig: Fix httploader leak from unused responses (#5159)
  • 7f2a93e6 caddyfile: Allow overriding server names (#5323)
  • 223cbe3d caddyhttp: Add server-level trusted_proxies config (#5103)
  • 087f126c caddyhttp: Canonicalize header field names (#5176)
  • 12bcbe2c caddyhttp: Pluggable trusted proxy IP range sources (#5328)
  • ed503118 caddyhttp: add placeholder {http.request.orig_uri.path.*} (#5161)
  • 33fdea8f caddypki: Prefer user-configured root instead of generating new one (#5189)
  • 6f8fe01d caddypki: Use go.step.sm/crypto to generate the PKI (#5217)
  • 1fa4cb7b caddytest: Increased sleep between retries to reduce flakey tests in CI (#5160)
  • fef9cb3e caddytest: internalize init config into '.go' file (#5230)
  • 55035d32 caddytls: Add dns_ttl config, improve Caddyfile tls options (#5287)
  • 66ce0c5c caddytls: Add test cases for Caddyfile tls options (#5293)
  • 0a3efd16 caddytls: Debug log for ask endpoint
  • 94b8d560 cmd: Add --envfile flag to validate command (#5350)
  • a999b707 cmd: Add missing \n to HelpTemplate (#5151)
  • c3b5b181 cmd: Avoid panic when printing version without build info (#5210)
  • 5805b3ca cmd: caddy fmt return code is 1 if not formatted (#5297)
  • 8c0b49bf cmd: fmt exit successfully after overwriting config file (#5351)
  • f20a8e7a cmd: replace deprecate func use (#5170)
  • 536c28d4 core: Support Windows absolute paths for UDS proxy upstreams (#5114)
  • dac7cacd encode: Respect Cache-Control no-transform (#5257)
  • 4e9ad50f fileserver: Add a couple test cases
  • 4bf6cb41 fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows (#5148)
  • a3ae146c fileserver: Reject non-GET/HEAD requests (close #5166) (#5167)
  • e8ad9b32 go.mod: Update golang.org/x/net to v0.5.0 (#5314)
  • fac35db9 go.mod: Update quic-go to v0.31.0
  • 798c4a3b go.mod: Upgrade some dependencies
  • 90798f3e go.mod: Upgrade various dependencies (#5362)
  • 98867ac3 go.mod: bump tscert package to fix Tailscale 1.34+ on Windows (#5331)
  • d73660f7 httpcaddyfile: Add persist_config global option (#5339)
  • c38a040e httpcaddyfile: Fix handle grouping inside route (#5315)
  • d6d75116 httpcaddyfile: Warn on importing empty file; skip dotfiles (#5320)
  • 817470dd httploader: Close resp body on bad status code
  • 72e7edda map: Clarified how destination values should be formatted (#5156)
  • e9d95ab2 reverseproxy: Add flag to short command to disable redirects (#5330)
  • e450a737 reverseproxy: Don't enable auto-https when --from flag is http (#5269)
  • 845bc4d5 reverseproxy: Fix hanging for Transfer-Encoding: chunked (#5289)
  • d4a7d89f reverseproxy: Improve hostByHashing distribution (#5229)
  • c77a6bea reverseproxy: Log status code and byte count for websockets (#5140)
  • ee7c92ec reverseproxy: Mask the WS close message when we're the client (#5199)
  • d74f6fd9 reverseproxy: Set origreq in active health check (#5284)
  • 96231020 tracing: Support placeholders in span name (#5329)

v2.6.2

1 year ago

This release brings a number of bug fixes and minor enhancements. All users should upgrade after testing and verifying their setups. Thank you to all who contributed!

If you are coming from < 2.6, please see the 2.6 release notes because a lot is new!

Changelog

  • 037dc23c admin: Use replacer on listen addresses (#5071)
  • 498f32ba caddyconfig: Implement retries into HTTPLoader (#5077)
  • 9873ff99 caddyhttp: Remote IP prefix placeholders
  • 61822f12 caddyhttp: replace placeholders in map defaults (#5081)
  • e07a2672 caddytest: Revise sleep durations
  • 253d97c9 core: Chdir to executable location on Windows (#5115)
  • ab720fb7 core: Fix ListenQUIC listener key conflict
  • e3e8aabb core: Refactor and improve listener logic (#5089)
  • e4fac129 core: Set version manually via CustomVersion (#5072)
  • f7c1a51e fastcgi: Redirect using original URI path (fix #5073)
  • 2be56c52 fileserver: Treat invalid file path as NotFound (#5099)
  • b1d04f5b fileserver: better dark mode visited link contrast (#5105)
  • 33f60da9 fileserver: stop listing dir when request context is cancelled (#5131)
  • 2153a81e forwardauth: Canonicalize header fields (fix #5038) (#5097)
  • fe91de67 go.mod: Upgrade select dependencies
  • 70419700 headers: Support repeated WriteHeader if 1xx (fix #5074)
  • d46ba2e2 httpcaddyfile: Fix metrics global option parsing (#5126)
  • 6bad878a httpcaddyfile: Improve detection of indistinguishable TLS automation policies (#5120)
  • 2808de1e httpcaddyfile: Skip automate when auto_https off is specified (#5110)
  • 3e1fd2a8 httpcaddyfile: Wrap site block in subroute if host matcher used (#5130)
  • 9e1d964b logging: Add time_local option to use local time instead of UTC (#5108)
  • 01e192ed logging: Better console encoder defaults (#5109)
  • 99ffe933 logging: Fix skip_hosts with wildcards (#5102)
  • ea58d519 logging: Perform filtering on arrays of strings (where possible) (#5101)
  • 5e52bbb1 map: Remove infinite recursion check (#5094)
  • b4e28af9 replacer: working directory global placeholder (#5127)
  • e2991eb0 reverseproxy: On 103 don't delete own headers (#5091)
  • 2a8c458f reverseproxy: Parse humanized byte size (fix #5095)
  • d0556929 reverseproxy: fix upstream scheme handling in command (#5088)
  • 013b5103 rewrite: Only trim prefix if matched

New Contributors

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.6.1...v2.6.2

v2.6.1

1 year ago

Hotfix for unix sockets, the encode handler, and the caddy file-server command. Please see the release notes for v2.6.0 for other important information if you're coming from < 2.6!

Changelog

  • 1426c97d core: Reuse unix sockets (UDS) and don't try to serve HTTP/3 over UDS (#5063)
  • 44ad0ced encode: don't WriteHeader unless called (#5060)
  • beb7dcbf fileserver: Reinstate --debug flag

v2.6.0

1 year ago

Caddy 2.6

This is our biggest release since Caddy 2.

Caddy 2 changed the way the world serves the Web. By providing an online config API, automatic HTTPS, unlimited extensibility, certificate automation at scale, modern protocols, sane defaults, and an unrivaled developer experience, we boldly raised the bar for web servers.

Now with Caddy 2.6, we're doing it again. Caddy 2.6 is the first general-purpose web server to seamlessly enable the newly-standardized HTTP/3 protocol for all configurations by default. We've virtualized the file system so you can serve content from anywhere or anything. New event features let you observe and control Caddy's internals with custom actions. Caddy is more useful than ever for developers with its enhanced CLI tooling and features. And it's faster than ever with non-trivial performance improvements. We think you will love this release.

UPDATE: Please use v2.6.1 for hotfixes related to unix sockets, encode, and caddy file-server.

Watch the livestream

Special dedication

This release is dedicated to the late Peter Eckersley, who passed away September 2, 2022. Peter is one of the brilliant minds behind Let's Encrypt; his work has benefited billions of people. I met Peter at the Let's Encrypt launch party in a little bar in San Francisco in 2015 and have never forgotten that occasion. He later co-authored a published research paper called Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, which highly espoused Caddy's ACME integration: "We hope to see other popular server software follow Caddy’s lead."

We look forward to when other servers do that, and we hope to honor Peter's work and influence which will live on through his memory and the encrypted Web he made possible.

Sponsors

ZeroSSL remains Caddy's executive sponsor.

We were thrilled to welcome Stripe recently as an enterprise sponsor!

Other notable sponsors include AppCove, Dukaan, Suborbital, Tailscale, plus Bubble and GitHub which both made generous one-time donations.

We have many other vital sponsors and donors on which we also rely. Our sponsors come from all over the world and include independent professionals, startups, and small companies -- and they are the absolute best. Thank you for making a more secure Web possible!

Personal note from Matt: Recent life upgrades mean that your sponsorships now sustain a family of 5 so that I can continue to maintain Caddy. Two years ago, I don't think I would have taken this risk because I'd need to find other work to provide for a family. Thank you for coming together as a professional community to make the Caddy project possible!

We strongly recommend that companies who -- or companies whose customers -- use or benefit from Caddy become a sponsor to ensure ongoing maintenance, priority development, private support, and more. Sponsorship tiers can be tailored to your requirements!

Highlights

:warning: Don't miss deprecations / breaking changes at the bottom. Notably, if you use metrics, you will now need to turn them on.

HTTP/3 is here (#4707)

Caddy now enables RFC 9114-compliant HTTP/3 by default. The experimental_http3 option has graduated and been removed. We've removed another experimental option, allow_h2c, and individual HTTP versions (h1 h2 h2c h3) can now be toggled with the new protocols setting.

Note that HTTP/3 utilizes the QUIC transport, which requires UDP. If your network or firewall configuration only allows TCP, HTTP/3 connections will fail and clients (should) fall back to HTTP/2. For servers with properly-configured UDP networks, HTTP/3 should "just work" for enabled clients.

HTTP/3 clients can connect by reading Caddy's Alt-Svc header to know how to connect to Caddy via UDP. This header is now emitted automatically and by default. Other than that, there are no other changes needed to existing servers, as Caddy opens a separate UDP socket for HTTP/3.

Our HTTP/3 server attempts to mitigate amplification and reflection attacks by requiring address validation when the server is under load. This adds one round-trip for clients, but is only done as a defensive measure when necessary.

Serious thanks to @marten-seemann who builds and maintains the quic-go library we depend on for this. (Go has not announced any plans to officially support or implement HTTP/3.) We expect numerous QUIC and HTTP/3 improvements to come as implementations and best practices mature with more production experience.

Virtual file systems (#4909)

Caddy's file_server module now supports virtual file systems. We've replaced all hard-coded os.Open(), os.Stat(), etc. calls with Go's relatively new io/fs package, and introduced a new Caddy module namespace caddy.fs for implementations of such file systems.

Some examples of what is possible:

  • Serve content from S3 or other blob/cloud storage services
  • Serve dynamically-generated content that "feels" static
  • Embed your site directly into your caddy binary and serve it from memory
  • Serve content directly from an archive file (e.g. .zip or .tar.gz)
  • Load files from a database instead of disk

Basically, instead of serving files from the local disk, you can have Caddy serve the "files" from somewhere or something else. The default is still the local file system.

Note that this feature isn't limited to just Caddy's file_server module. Potentially any module that reads the local disk may benefit from using caddy.fs modules instead.

I wrote a module that lets you embed your site within your caddy binary -- wherever your server goes, your site goes!

We encourage the community to implement and publish new file system modules for Caddy. (From an early tweet there seems to be quite high demand.)

Events (#4912 and #4984)

Not surprisingly, many people prefer Caddy to automate certificates used with other software/services. Until now, there hasn't been a great way to know when Caddy has obtained or renewed a certificate (deferred in part by our opinion that certificate management should be baked into the software using the certificate in the first place). Cron jobs generally work for reloading new certificates into services because certificate expiry is mostly predictable, but now there is a better way with one of our most requested features: events!

We thought about events in general for a long time and discussed questions like, "What makes an event different from a log?" "Are events synchronous?" "Do self-initiated events get emitted before or after their code (are they past-tense or future-tense) -- or both? or neither (asynchronous)?" "What do we like from existing event systems?" "What do we wish event systems did differently?"

While we think we have pretty good answers to these questions now, we won't be sure until we gather more production experience. For this reason, events are implemented as an experimental app module -- not as part of the core. (Remember, Caddy's core currently only loads config and sets up logging/storage.) This means that Caddy's core cannot emit events.[^1] So even though our event implementation may change, it is likely to be only slight and gradual changes; and we encourage anyone and everyone to start using events as soon as possible and to give us your feedback. We think we have the start of a great event system, but we need you to prove it!

Caddy modules can emit events when interesting things happen. For example, the reverse proxy emits healthy and unhealthy events when backends go up and down. The TLS app emits cert_obtaining, cert_obtained, and cert_failed before and after obtaining a certificate or after the operation failed, respectively; and cert_ocsp_revoked after a certificate is discovered to be revoked by OCSP. There are several more events already, with even more to be added later.

Events can have data associated with them. For example, healthy/unhealthy come with the address of the host; cert_obtained has the domain name, issuer, and storage path. You can access this from config in placeholders, e.g. {event.data.identifier}.

Caddy modules can subscribe to events by specifying the name(s) of events to bind to, and the Caddy module ID(s) or namespace(s) to watch. When an event is emitted, it propagates from the module that emitted it up the provisioning heirarchy. This means that an event emitted by http.handlers.reverse_proxy will fire for http.handlers and http as well, similar to the DOM in HTML/JavaScript.

Event handlers are invoked synchronously. We chose this for several reasons. First, despite how easy Go makes concurrency, there are many subtleties to concurrency in a server. Goroutines may be lightweight, but their operations might not be; and if event goroutines are starting more quickly than they are stopping, we either drop events arbitrarily or run out of memory/CPU. Also, we think one of the qualities that differentiates events from logs is the ability for an event to influence the emitting code's flow: a true "hook" in that sense. Instead of simply observing that something is happening (which is what a log tells you), you can influence its behavior. Maybe you want to run a command before a certificate is obtained to see if it should be obtained. Or maybe you want to change how a TLS handshake is completed on-the-fly. Asynchronous event handlers cannot do this. For simple behavioral changes, synchronous events can be a powerful and useful tool for customizing your server.

The new event app lets you easily configure subscriptions and event handlers. Event handling is modular, so you will need to plug in a module that does what you want: run a command, reload a service, make an HTTP request, or anything else!

Because this feature is experimental and new, we don't yet know how people will be using it, so currently, Caddy does not ship with any event handler plugins. However, we're pretty sure based on feedback over the years that many of you would like to run commands on certain events (one of our top feature requests is to trigger a daemon reload after certificate renewals). So I went ahead and implemented an exec event handler plugin that can run commands. We almost included it in Caddy's standard distribution, but out of an abundance of caution we decided to keep it a separate plugin for now until we learn more about real production use cases from experience.

Here's an example of handling events. In JSON, you configure the events app:

{
	"apps": {
		"events": {
			"subscriptions": [
				{
					"events": ["cert_obtained"],
					"handlers": [
						{
							"handler": "exec",
							"command": "systemctl",
							"args": ["reload", "mydaemon"]
						}
					]
				}
			]
		}
	}
}

or the equivalent Caddyfile global option:

{
	events {
		on cert_obtained exec systemctl reload mydaemon
	}
}

It's that simple! Just make sure you have your event handler modules plugged in.

We hope you will provide feedback, report bugs, and request features related to events.

[^1]: Compilation fails with an import cycle. If Caddy core uses any feature of Caddy, it must also be in the core or another package not imported by any modules!

Smarter path matching and rewriting (#4948)

Is the URI path /a/b/c the same as /a/b%2Fc? What about /a/b//c? Turns out, it depends. What these questions illustrate is a famously frustrating problem, and has largely gone unsolved until now. All existing solutions I investigated in other products were unsatisfactory:

  • Nginx (and Caddy until now) always does path comparisons in unescaped/normalized space. This makes it impossible to route on literal escape sequences unless you double-encode your pattern, which violates specification.
  • Apache outright rejects valid[^2] HTTP requests containing encoded slashes. This behavior can either be disabled completely (creating a security problem known as unsafe paths) or tweaked to never decode encoded slashes (creating ambiguities when comparing against route patterns).
  • Laravel, like nginx, always decodes slashes, but routing such requests mangles application data that contains slashes.

The process of decoding a URI and collapsing slashes in the path is called normalization. Normalization has to occur for safe, reliable routing (imagine //secret bypassing auth checks configured for /secret), but at the same time, raw paths are sometimes needed to preserve application data (imagine a route /bands/:name which succeeds for /bands/AC&2fDC but fails for the normalized /bands/AC/DC). And it's not just routing; servers like Caddy often rewrite/manipulate paths. Because normalizing URIs creates a Many:1 mapping (there are multiple encoded forms of a single URI), normalizing is inherently lossy: the original input cannot be recovered with certainty, so we can't reconstruct the original or intended URI with complete fidelity.

Other solutions with coarse on-off knobs can't balance both security and application correctness: it seems you have to trade one for the other. The crux of the problem seems to be that the server/framework/router doesn't know which parts of the path are application data and which parts are path components, so it just "plays it safe" and decodes the whole thing.

I think Caddy's solution to this is quite novel. Our solution is to interpret encoded characters and multiple slashes in a path pattern literally as a hint of the developer's intent.

For example, if you write a path matcher /a/b/c, it will still match /a/b/c and /a/b%2Fc. However, if your path matcher is /a/b%2Fc, Caddy will only match /a/b%2Fc. This extends to wildcards with our new "escape-wildcard" feature: /bands/%*/ will match /bands/AC%2fDC but /bands/*/ won't. This works for multiple slashes too. If your path matcher uses //, Caddy will require the request path to contain those slashes literally at that position.

We've also implemented this for prefix and suffix manipulations. For example, if you wanted to strip a prefix of //prefix from //prefix/foo, it will now work, whereas before it wouldn't because it would look at a fully-normalized URI.

Essentially, we use the configured path pattern as a cue for whether to decode/merge a character or leave it raw when normalizing.

This is a complex and subtle change, so please be sure to read the full PR in #4948 and the linked Laravel issue. It's very informative!

[^2]: The "validity" of such a URI based on spec compliance is debatable. RFC 9110 says, "distinct resources SHOULD NOT be identified by HTTP URIs that are equivalent after normalization."

HTTP 103 Early Hints (#4882 and #5006)

HTTP Early Hints (RFC 8297) is the effective successor to HTTP/2 Server Push. When 103 is emitted with relevant Link headers, web pages will load faster than normal. 1xx responses are precursors to the final response; clients must be able to support receiving multiple responses to a single request (nearly all modern clients do; and it almost certainly shouldn't break any HTTP/2 clients). Early hints are a great way to speed up page loads where the main content may take a while to generate (a slow DB query, for example) but the subresources can start being loaded right away. In those cases it is often beneficial to send early hints.

Caddy can both originate and proxy 103 responses.

To send early hints from Caddy, simply set the Link headers as the hints, then write the response with a 103 status code:

route /slow-pages/* {
	header  +Link "</style.css>; rel=preload; as=style"
	header  +Link "</script.js>; rel=preload; as=script"
	respond 103
}

Unlike normal responses, after writing HTTP 103, Caddy's middleware chain will continue to execute and invoke the next handlers (for example, reverse_proxy) since 103 is not the final response. Multiple 103s can be sent.

Caddy's reverse proxy also supports HTTP 103 responses, meaning that backends can send early hints and Caddy will proxy them to the client immediately as you'd expect.,

Note that browser support is still limited (only Chrome implements it at this time) and Caddy must be built with Go 1.19 (our builds use the latest Go version; but we still support Go 1.18 for now).

Thank you to @dunglas with API Platform for contributing this feature to both Go and Caddy!

Improved command line interface (#4565 and #4994)

Caddy has always used Go's standard flag package for its CLI, which has served us quite well. However, recent improvements in the Cobra library make it possible for our CLI to gain worthwhile features without incurring a heavy dependency.

The new caddy manpage command generates man pages, and the caddy completion command generates shell completions. Both are installed automatically as part of our official Linux packages, so your next apt upgrade (etc.) should take care of that. Additionally, short options (e.g. -c) are now supported. And if you typo a command, Caddy will helpfully suggest a correction (e.g. caddy adpt will suggest caddy adapt).

Note that long-form flags must now use double-hyphen syntax (e.g. --config) even though the single-hyphen syntax (-config) was previously accepted. The standard library's flag parser treats - and -- the same, but Cobra's does not. Our online documentation has always used -- for flags, so we do not consider this a breaking change, but it's good to be aware of this change if you're used to how Go's parser works.

Very many thanks to @mohammed90 for contributing these features!

New caddy respond command (#4870)

For rapid development needing a local HTTP server, the caddy respond command might be just what you need: hard-coded HTTP responses for one or more servers so that you can effortlessly have a custom HTTP endpoint to test with.

A plain caddy respond command will listen on a random port and reply with HTTP 200. (The port or address is printed to the terminal for you.)

You can set a custom status code like caddy respond 401 or a custom body like caddy respond "Hello world!" -- or both: caddy respond --status 401 "Hello world!"

Or you can pipe in a response body, for example serving a maintenance page:

$ cat maintenance.html | caddy respond --status 503 --header "Content-Type: text/html; charset=utf-8"

You can even spin up multiple servers at once and use basic template features to configure each server with a different response:

$ echo "I'm server {{.N}} on port {{.Port}}" | caddy respond --listen :2000-2004

Server address: [::]:2000
Server address: [::]:2001
Server address: [::]:2002
Server address: [::]:2003
Server address: [::]:2004

$ curl 127.0.0.1:2002
I'm server 2 on port 2002

You can debug HTTP clients easier by enabling access logging with the --access-log flag. The --header flag can be used multiple times to set custom HTTP headers, and --debug enables debug mode for more verbose logging. We hope you find this feature useful!

Multiple dynamic upstream sources (5fb5b81)

In Caddy 2.5(.1) we introduced dynamic upstreams, which allow you to configure the reverse_proxy to get the list of backends on-the-fly during requests. This very popular feature's development was sponsored by Stripe, who we are thrilled to welcome as an enterprise sponsor. Stripe uses Caddy heavily for their internal systems, and for greater redundancy they need to be able to fail over to secondary upstreams if a primary cluster is down.

This is where the new multi dynamic upstreams module comes in. Now you can configure, for example, two SRV lookups for aggregated results:

{
	"handler": "reverse_proxy",
	"dynamic_upstreams": {
		"source": "multi",
		"sources": [
			{
				"source": "srv",
				"name": "primary"
			},
			{
				"source": "srv",
				"name": "secondary"
			}
		]
	}
}

This appends the backends returned from the secondary SRV lookup to the results of the primary SRV lookup (order preserved). To implement failover, simply use the first load balancing policy which chooses the first available upstream.

Configurable shutdown delay (#4906)

A shutdown can now be scheduled for a later time using the shutdown_delay option. This is useful for giving advance notice to health checkers that this server will be closing soon. The shutdown delay happens before the grace period where new connections are no longer accepted and existing ones are gracefully closed. During the shutdown delay, the server operates normally with the exception of the value of two placeholders. During the delay:

  • {http.shutting_down} placeholder equals true.
  • {http.time_until_shutdown} returns the duration that remains until server close.

This allows health check endpoints to announce that they will soon be going down so that this instance can be moved out of the rotation or a replacement instance can be spun up in the meantime. For example:

{
	shutdown_delay 10s
}

example.com {
	handle /health-check {
		@goingDown `{http.shutting_down}`
		respond @goingDown "Bye-bye in {http.time_until_shutdown}" 503
		respond 200
	}
}

By the way, the syntax of that @goingDown named matcher is new in 2.6: if a named matcher consists only of a CEL expression string, the type of matcher can be omitted; i.e. what you see above is equivalent to @goingDown expression "{http.shutting_down} == true".

(A shutdown is defined as a config unload where there is no new config to load, or the new config does not have a server configured at the same address as the current server. In other words, a shutdown of a server means a particular HTTP socket will be closed.)

Speaking of grace periods, config changes no longer block while waiting on servers' grace periods. This means faster, more responsive config reloads; just beware that, depending on the length of your grace period, your reload command or config API request may return before the old servers have completely finished shutting down.

Faster FastCGI transport (#4978)

PHP apps, rejoice! The round-trip between Caddy and php-fpm just got a lot faster. Thanks to contributions by @WeidiDeng, the FastCGI transport has been rewritten to be more efficient.

This is some of the oldest and most unique code in Caddy's code base. When Caddy was rewritten for v2 in 2019, everything was rewritten or refactored... except this, the FastCGI transport. This is the first time this part of the code has been improved since it was first implemented[^3] in 2014!

During tests, profiling showed the new code spends 86% less CPU time in GC (gcDrain) thanks to significantly fewer allocations. This is largely in part due to pooling buffers, which required a non-trivial refactoring to implement.

CPU profile

A very rough benchmark using php_info() yielded a 25% increase in requests per second. Before the rewrite, Caddy almost always performed worse than nginx even with fastcgi_keep_conn off. Our new code performs competitively with nginx, and in some tests Caddy even outperformed nginx with fastcgi_keep_conn on -- and we have not implemented connection pooling/reuse into the new transport yet.

Because every setup is different, your actual results will vary. In general though, you can expect busy servers to handle PHP faster.

[^3]: I didn't know how to write a FastCGI client back then (I'm still too scared to do much with it myself); Go's standard library implements only the responder role, not the web server (client). Fortunately there was a random repository on BitBucket that was forked from a random repository on Google Code written in 2012 that modified the Go std lib's fcgi package. It was rough around the edges, but with a little TLC we got it to do what we needed. The copyright had the name Junqing Tan in it, which we still retain in our source code to this day.

Faster file server (#5022)

In a patch contributed by @flga, we've reduced copying between buffers and even eliminated it altogether in some cases using sendfile(2). This has shown to have a 25-50% performance boost. It's automatic and no configuration is required to benefit. In some tests, Caddy's new defaults are even faster than optimized nginx.

Static files over 512 bytes being served over plaintext HTTP sockets may now be served directly by the Linux kernel, which is much faster than copying the file to user-space.

Static files are faster over HTTPS, too. In addition to sendfile (which we can't[^4] use over TLS), we now utilize the io.ReaderFrom interface to reuse existing buffers and further reduce copying within user space. Our tests show that this significantly enhances performance even over TLS.

[^4]: This is possible with kTLS, but the Go standard library doesn't support it and it's a bit tedious to make it work, although @FiloSottile was successful with his spike code.

Signed release assets

Thanks to heroic efforts by @mohammed90, our GitHub release assets are now signed and certified. Mohammed wrote an excellent Twitter thread explaining the whole thing better than I can here!

So if you're wondering why the number of assets shot from 28 to 134... that's why.

Other notable enhancements

  • More efficient query matcher. (04a14ee37ac6192d734518fa9082d6eb93971bc6)
  • A new Caddyfile placeholder {cookie.*} grants easy access to cookie values. (#5001)
  • Windows service integration: Caddy can now be controlled with sc.exe. (#4790)
  • Replace net.IP type with leaner netip.Addr type. (#4966)
  • Caddyfile-configurable OCSP check interval with ocsp_interval global option. (#4980)
  • The reverse proxy now supports retry_count as an alternative to try_duration; i.e. try backends up to a fixed number of times, rather than up to a time limit. (#4756)
  • The reverse proxy closes both ends of "hijacked" connections when shutting down or reloading. (#4895)
  • The reverse proxy gracefully closes both ends of websocket connections on shutdown or reload. (#4895)
  • The reverse proxy emits metrics regarding the health of upstreams. (#4935)
  • The reverse-proxy command can accept repeated --to flags and load balance. (#4693)
  • The reverse proxy's HTTP transport now supports distinct read and write timeouts. (#4905)
  • Simpler and more reliable config reloads on Linux with SO_REUSEPORT. (#4705)
  • Templates can access reverse proxy responses if used within handle_response. (#4871)
  • Builds now include git revision information when using go build. (#4931)
  • The file matcher (and try_files) now supports glob patterns. (#4993)
  • Named matchers in the Caddyfile can use CEL expressions without specifying expression first. (#4976)
  • The FastCGI transport can now capture and print stderr output. (#5004)
  • Listeners can be provided by plugins, enabling new network types. (#5002)
  • Caddy can write TLS secrets to a file for debugging purposes. (#4808)
  • Sites declared as http:// in the Caddyfile will no longer be overridden by auto-HTTPS redirects. (#5051)
  • Config reloads no longer block while the prior servers are shutting down. (#5043)

:warning: Deprecations/breaks

  • Metrics are now opt-in. Due to multiple confirmed reports of non-trivial performance regressions with metrics, we are making them opt-in. (Technically, this is not a breaking change, as Caddy will still function normally and your old configs won't be rejected -- but your metrics will stop being produced unless you enable them.) If you rely on metrics, you can enable them globally in the Caddyfile with global options: 
    {
	servers {
		metrics
	}
}
    As with other server-scoped global options, you can selectively customize which servers to enable metrics (e.g. servers :8080). Note that this change is experimental and might be temporary: if we can reduce the performance impact or find a better way to enable and configure metrics, this could change.
  • The signature of caddy.Context.Logger() has changed, but in a backwards-compatible way. Modules use this function to obtain a logger they can use within Caddy; until now, modules had to pass themselves in as an argument. Now, the context can figure out which module to associate the logger with, so the sole parameter has been made variadic. It may be removed in the future. Plugins should update their code to not pass in a pointer to themselves.
  • Basic auth deprecates scrypt because it was seldom used and error-prone; use bcrypt instead (#4720)
  • Several changes to experimental servers global options: removed the protocol sub-option, which has been replaced with the protocols sub-option; strict_sni_host is its own separate sub-option; allow_h2c and experimental_http3 have been removed, as both H2C (h2c) and HTTP/3 (h3) can be toggled in protocols (HTTP/3 is now enabled by default and no longer experimental).

As a reminder, features, parameters, and APIs marked as experimental are subject to change or removal. We strive to keep breaking changes of stable features to a minimum and gracefully deprecate whenever possible with emphasis in release notes, warnings in logs, etc. Most breaking changes are motivated or necessitated by bugs/regressions, security, or wrong/unclear documentation.

Thank you

As usual, a huge thank-you to all our sponsors and those who contributed both code and feedback. We also acknowledge the many people who participated in discussions and helped others on the forum. Thank you!

New Contributors

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.5.2...v2.6.0

v2.6.0-beta.5

1 year ago

This release and beta.4 are mainly tests of our CI, but also contains a bunch of small fixes or enhancements, including, notably, the use of sendfile and other optimizations. See the release notes for beta.3 for everything else until 2.6.0 lands soon. Full release notes coming!

Please see v2.6.0 instead.

v2.6.0-beta.3

1 year ago

This is the first beta release for Caddy 2.6. Please try it out and report any regressions you notice! Thanks to everyone who helped out! :blush:

Beta 1 and beta 2 were trial runs for our CI upgrades, so this is technically beta 3. There are no code changes from beta 1 to beta 3. Thank you @mohammed90 for figuring out the CI magic!

Please see the v2.6.0 release.

Changelog: https://github.com/caddyserver/caddy/compare/v2.5.2...v2.6.0-beta.3

v2.5.2

1 year ago

This patch release fixes bugs, adds some new features, and makes worthwhile enhancements. We recommend everyone test and upgrade!

Many improvements have been made to the reverse_proxy module.

Highlights:

  • New /adapt admin endpoint: Use your installed config adapters via API in addition to the existing caddy adapt CLI command.
  • New Etag/If-Match support for config API: Safely update your config concurrently and avoid collisions by using our unique Etag implementation.
  • Rename copied headers from reverse_proxy: If you're using handle_response, you can more easily map headers to a different name for clients.
  • Many HTTP matchers have been added to CEL: You can now use the logic of our HTTP request matchers in CEL expressions.
  • Notable bug fixes: EAB reuse, various QUIC & HTTP/3 fixes, more specific HTTP status codes, various reverse proxy fixes.

Changelog

  • 660c59b6 admin: Implement /adapt endpoint (close #4465) (#4846)
  • ad3a83fb admin: expect quoted ETags (#4879)
  • f259ed52 admin: support ETag on config endpoints (#4579)
  • 1498132e caddyhttp: Log error from CEL evaluation (fix #4832)
  • 0a14f97e caddytls: Make peer certificate verification pluggable (#4389)
  • 412dcc07 caddytls: Reuse issuer between PreCheck and Issue (#4866)
  • 499ad6d1 core: Micro-optim in run() (#4810)
  • c0f76e9e fileserver: Use safe redirects in file browser
  • 58e05cab forwardauth: Fix case when copy_headers is omitted (#4856)
  • 0b6f7643 forwardauth: Support renaming copied headers, block support (#4783)
  • 8bac134f go.mod: Bump up quic-go to v0.28.0, fixes for BC breaks (#4867)
  • 3d18bc56 go.mod: Update go-yaml to v3
  • 56013934 go.mod: Update some dependencies
  • 8e6bc360 go.mod: Upgrade some dependencies
  • 53c4d788 headers: Only replace known placeholders (#4880)
  • 0bcd02d5 headers: Support wildcards for delete ops (close #4830) (#4831)
  • 58970cae httpcaddyfile: Add {err.*} placeholder shortcut (#4798)
  • b687d7b9 httpcaddyfile: Support multiple values for default_bind (#4774)
  • a9267791 reverseproxy: Add --internal-certs CLI flag #3589 (#4817)
  • aaf6794b reverseproxy: Add renegotiation param in TLS client (#4784)
  • 54d1923c reverseproxy: Adjust new TLS Caddyfile directive names (#4872)
  • 7f9b1f43 reverseproxy: Correct the tls_server_name docs (#4827)
  • c82fe911 reverseproxy: Dynamic ServerName for TLS upstreams (#4836)
  • d6bc9e0b reverseproxy: Err 503 if all upstreams unavailable
  • 98468af8 reverseproxy: Fix double headers in response handlers (#4847)
  • 25f10511 reverseproxy: Fix panic when TLS is not configured (#4848)
  • 5e729c1e reverseproxy: HTTP 504 for upstream timeouts (#4824)
  • f9b42c37 reverseproxy: Make TLS renegotiation optional
  • b6e96fa3 reverseproxy: Skip TLS for certain configured ports (#4843)
  • 57d27c1b reverseproxy: Support http1.1>h2c (close #4777) (#4778)
  • 9864b138 reverseproxy: api: Remove misleading 'healthy' value
  • 693e9b52 rewrite: Handle fragment before query (fix #4775)
  • 6891f7f4 templates: Add humanize function (#4767)
  • 9e760e2e templates: Documentation consistency (#4796)

New Contributors

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.5.1...v2.5.2

v2.5.1

2 years ago

This is a minor patch release that fixes some bugs and also enhances reverse_proxy with capabilities that weren't ready in time for v2.5.0.

Highlights

  • Fixed regression in Unix socket admin endpoints.
  • Fixed regression in caddy trust commands.
  • Hash-based load balancing policies (ip_hash, uri_hash, header, and cookie) use an improved highest-random-weight (HRW) algorithm for increased consistency. The new rendezvous hash will ensure a client or request is consistently mapped to a particular upstream even if the list of upstreams changes.
  • The reverse proxy is now able to rewrite the method and URI on its internal copy of the request that goes to the upstream. Combined with new handle_response capabilities, this enables the reverse proxy to fire off "pre-check requests" (for lack of a better term) to make routing decisions based on the results of that call. This enables a commonly-emerging pattern called forward authentication wherein a backend is queried to assess a client's authorization to be proxied. The full, verbose config for this is very flexible but tedious, so we made a new wrapper directive called forward_auth that eliminates the boilerplate (very similar to the php_fastcgi directive):
forward_auth authelia:9091 {
	uri /api/verify?rd=https://auth.example.com
	copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}

This works with authentication providers like Authelia, and more.

What's Changed

New Contributors

Changelog

  • ec86a2f7 caddyfile: Shortcut for remote_ip for private IP ranges (#4753)
  • dcc98da4 caddyhttp: Improve listen addr error message for IPv6 (#4740)
  • d543ad1f caddypki: Fix caddy trust command to use the correct API endpoint (#4730)
  • 2e4c0915 cmd: Fix unix socket addresses for admin API requests (#4742)
  • af732151 httpcaddyfile: Fix duplicate access log when debug is on (#4746)
  • 0be3d995 logging: Implement rename filter, changes field key names (#4745)
  • 3017b245 logging: Use RedirectStdLog to capture more stdlib logs (#4732)
  • f7be0ee1 map: Prevent output destinations overlap with Caddyfile shorthands (#4657)
  • 4a223f52 reverseproxy: Fix Caddyfile support for replace_status (#4754)
  • 40b193fb reverseproxy: Improve hashing LB policies with HRW (#4724)
  • e7fbee8c reverseproxy: Permit resolver addresses to not specify a port (#4760)
  • f6900fcf reverseproxy: Support performing pre-check requests (#4739)
  • e84e19a0 templates: Add custom template function registration (#4757)
  • 3ab64838 templates: Add missing backticks in docs (#4737)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.5.0...v2.5.1

v2.5.0

2 years ago

Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed!

Feel free to ask on the forum if you have any questions or feedback.

Highlights

  • Reverse proxy: :sparkles: Dynamic upstreams, which is the ability to get the list of upstreams at every request (more specifically, every iteration in the proxy loop of every request) rather than just once at config-load time. Dynamic upstream modules can be plugged in to provide Caddy with the latest list of backends in real-time. Two standard modules have been implemented which can get upstreams from SRV and A/AAAA record lookups.
    • :warning: This deprecates the lookup_srv JSON field for upstreams (and srv+ scheme prefix in the Caddyfile), which will be removed in the future.
  • Automatic HTTPS: Caddy will automatically try to get relevant certificates from the local Tailscale instance (if running with permission to access the Tailscale socket). This makes services running on a Tailscale network automatically available over trusted HTTPS with Caddy.
  • Tracing: New OpenTelemetry integration with the tracing handler module and associated tracing directive.
  • Reverse proxy: When using the response handlers, a new handler copy_response is available to copy the proxy's response back to the client, and copy_response_headers may be used to selectively copy header values from the proxy's response.
  • API: Added new endpoints /pki/ca/<id> and /pki/ca/<id>/certificates for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates.

Notable

  • Reverse proxy: The X-Forwarded-Host header will now be automatically set, along with X-Forwarded-For and X-Forwarded-Proto.
  • :warning: Reverse proxy: Incoming X-Forwarded-* headers will no longer be automatically trusted, to prevent spoofing. Now, trusted_proxies must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's list of IP ranges.
  • Automatic HTTPS: Revoked certificates will be automatically replaced more reliably.
  • Automatic HTTPS: Can now get certificates from Managers. As opposed to Issuers (such as the default ACME issuers) which give Caddy certificates to manage from a CSR, Managers give Caddy certificates to serve (rather than manage) during TLS handshakes.
  • Automatic HTTPS: A DNS challenge domain override can be configured to delegate the solving of the challenge to a different domain.
  • Automatic HTTPS: The DNS challenge propagation checks can now be delayed or disabled by setting propagation_delay or propagation_timeout to -1, respectively.
  • Reverse proxy: The default dial timeout for the HTTP transport has been adjusted down to 3s (was 10s), which should allow for more easily configuring load balancing retries.
  • Logging: HTTP access logs will now render empty values for often-sensitive HTTP headers such as Cookie, Authorization, and Proxy-Authorization. Logging such credentials is now opt-in with the log_credentials global option in the Caddyfile, or the server's logs > should_log_credentials field in JSON.
  • Logging: Logs can now be filtered by query string parameters, cookie values, and regular expressions; and log values can be hashed. These features are useful for redacting sensitive information.
  • Logging: Errors during request handling will now be logged at DEBUG level if the error was handled via errors routes (handle_errors in Caddyfile).
  • :warning: Logging: Removed the deprecated common_log field from HTTP access logs, and the single_field encoder. If you relied on this, you may use the transform encoder plugin to encode logs in Common Log format.
  • :warning: Logging: The remote_addr field has been replaced by remote_ip and remote_port fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for some tooling which only expect an IP address, without a port.
  • HTTP server: The vars matcher can now match on multiple possible values.
  • HTTP server: Requests can now be assigned a random and unique UUID from the new {http.request.uuid} placeholder.
  • HTTP server: New http_redirect listener wrapper which can be used to redirect HTTP requests that come in on a server listening for HTTPS requests to be redirected to https://.
  • :warning: Caddyfile: Deprecated paths in site addresses. Prefer using path matchers within your site block instead.
  • Caddyfile: New default_bind global option lets you specify the default interface all sockets should bind to.
  • Caddyfile: New pki global option lets you configure the properties of the internal CAs managed by Caddy.
  • Caddyfile: New method directive allows rewriting the request method via Caddyfile.
  • :warning: Caddyfile: The reverse_proxy directive's handle_response subdirective has had its status replacement functionality moved to a new replace_status subdirective. This makes sure that the functionality of handle_response is not overloaded, and usage is clearer.
  • Caddyfile: The map directive now casts outputs to the appropriate scalar type if possible (int, float, bool). If you need to force a string, you may use double quotes or backticks https://github.com/caddyserver/caddy/pull/4643.
  • Caddyfile: New vars directive allows setting some variables during request handling for later use in another handler or matcher.
  • Caddyfile: The Caddyfile adapter is now stricter about curly braces for block openers to try to prevent parsing ambiguities.
  • Caddyfile: The caddy fmt CLI command now has a --diff option which lets you visually see the formatting differences.
  • :warning: Admin: Renamed experimental property load_interval :arrow_right: load_delay for clarification, and improved dynamic config loading.

:shield: Thanks to David Leadbeater for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release.

New Contributors

Changelog

  • 2e46c2ac admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#4482)
  • 40b54434 admin: Enforce and refactor origin checking
  • b4bfa29b admin: Require identity for remote (fix #4478)
  • 32aad909 admin: Write proper status on invalid requests (#4569) (fix #4561)
  • ff137d17 caddyconfig: Support placeholders in HTTP loader
  • b47af6ef caddyfile: Copy input before parsing (fix #4422)
  • e90d7517 caddyfile: impove fmt warning message (#4444)
  • 5e5af50e caddyfile: make renew_interval option configurable (#4451)
  • ddbb234d caddyhttp: Always log handled errors at debug level (#4584)
  • 6b385a36 caddyhttp: Don't attempt to manage Tailscale certs
  • ecac03cd caddyhttp: Enhance vars matcher (#4433)
  • 6e6ce2be caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)
  • 3fe2c73d caddyhttp: Fix MatchPath sanitizing (#4499)
  • 44e5e9e4 caddyhttp: Fix test when /tmp/etc already exists (#4544)
  • 2bb8550a caddyhttp: Honor wildcard hosts in log SkipHosts (#4606)
  • 180ae0cc caddyhttp: Implement http.request.uuid placeholder (#4285)
  • 7d5047c1 caddyhttp: Log empty value for typical password headers
  • eead3373 caddyhttp: Log non-500 handler errors at debug level (#4429)
  • 5bf0adad caddyhttp: Make logging of credential headers opt-in (#4438)
  • 186fdba9 caddyhttp: Move HTTP redirect listener to an optional module (#4585)
  • 80d7a356 caddyhttp: Redirect HTTP requests on the HTTPS port to https:// (#4313)
  • bf380d00 caddyhttp: Reject absurd methods (#4538)
  • 850e1605 caddyhttp: Return HTTP 421 for mismatched Host header (#4023)
  • f55b123d caddyhttp: Split up logged remote address into IP and port (#4403)
  • ac14b64e caddyhttp: Support zone identifiers in remote_ip matcher (#4597)
  • a1c41210 caddypki: Minor tweak, don't use context pointer
  • 78e381b2 caddypki: Refactor /pki/ admin endpoints
  • c634bbe9 caddypki: Return error if no PEM data found
  • 9b7cdfa2 caddypki: Try to fix lint warnings
  • a79b4055 caddytls: Add internal Caddyfile lifetime, sign_with_root opts (#4513)
  • 77a77c02 caddytls: Add propagation_delay, support propagation_timeout -1 (#4723)
  • 66de438a caddytls: Fix MatchRemoteIP provisoning with multiple CIDR ranges (#4522)
  • 57a708d1 caddytls: Support external certificate Managers (like Tailscale) (#4541)
  • d9b1d463 caddytls: dns_challenge_override_domain for challenge delegation (#4596)
  • 1a7a78a1 cmd: Print error if fmt overwrite fails (fix #4524)
  • bc447e30 core: Config LoadInterval -> LoadDelay for clarity
  • 7ea5b2a8 core: Config load interval only reloads if changed (#4603)
  • 7f364c77 core: Load config at interval instead of just once
  • a72acd21 core: Retry dynamic config load if config unchanged
  • ceef70db core: Retry dynamic config load if error or no-op (#4603)
  • acbee947 core: Revert 7f364c7; simplify dynamic config load
  • 64a3218f core: Simplify shared listeners, fix deadline bug
  • 8e5aafa5 fastcgi: Fix a TODO, prevent zap using reflection for logging env (#4437)
  • c8f2834b fastcgi: Protect against requests with null bytes in the path (#4614)
  • de490c7c fastcgi: Set SERVER_PORT to 80 or 443 depending on scheme (#4572)
  • 09ba9e99 fileserver: Add pass_thru Caddyfile option (#4613)
  • 15c95e9d fileserver: Canonical redir when whole path is stripped (#4549)
  • c8b5a816 fileserver: Fix handling of symlink sizes in directory listings (#4415)
  • e81369e2 fileserver: Move default browse template into a separate file (#4417)
  • 1e10f6f7 fileserver: browse: do not encode the paths in breadcrumbs and page title (#4410)
  • 78b5356f fileserver: do not double-escape paths (#4447)
  • 0de51593 go.mod: Revert version bump of CEL (#4587)
  • 6f9b6ad7 go.mod: Update smallstep/certificates, no longer need replace (#4475)
  • 4906b935 go.mod: Update smallstep/truststore, fix build on FreeBSD (#4473)
  • c1331534 go.mod: Update to latest smallstep/truststore, support FreeBSD (#4453)
  • ff74a0aa go.mod: Upgrade dependencies
  • e9dde230 headers: Fix + in Caddyfile to properly append rather than set (#4506)
  • 1b7ff5d7 httpcaddyfile: Add default_bind global option (#4531)
  • a8bb4a66 httpcaddyfile: Add {vars.*} placeholder shortcut, reverse vars sort order (#4726)
  • 5a071568 httpcaddyfile: Add pki app root and intermediate cert/key config (#4514)
  • 3a1e0dbf httpcaddyfile: Deprecate paths in site addresses; use zap logs (#4728)
  • 26d633ba httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)
  • 93a7a45e httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)
  • 81ee34e9 httpcaddyfile: Fix sorting edgecase for nested handle_path (#4477)
  • 4b9849c7 httpcaddyfile: Support configuring pki app names via global options (#4450)
  • 5bd96a6a httpcaddyfile: Support explicitly turning off strict_sni_host (#4592)
  • c921e082 logging: Add roll_local_time Caddyfile option (#4583)
  • 0eb0b60f logging: Remove common_log field and single_field encoder (#4149) (#4282)
  • 249adc1c logging: Support turning off roll compression via Caddyfile (#4505)
  • 8887adb0 logging: add a filter for cookies (#4425)
  • bcac2bee logging: add a filter for query parameters (#4424)
  • 789efa5d logging: add a regexp filter (#4426)
  • a1b417c8 logging: add support for hashing data (#4434)
  • eb891d46 metrics: Enforce smaller set of method labels
  • c04d24ca pki: Avoid provisioning the local CA when not necessary (#4463)
  • bbad6931 pki: Implement API endpoints for certs and caddy trust (#4443)
  • 9ee68c1b reverseproxy: Adjust defaults, document defaults (#4436)
  • 7557d1d9 reverseproxy: Avoid returning a nil error during GetClientCertificate (#4550)
  • ab045592 reverseproxy: Dynamic upstreams (with SRV and A/AAAA support) (#4470)
  • 5333c352 reverseproxy: Fix incorrect health_headers Caddyfile parsing (#4485)
  • c50094fc reverseproxy: Implement trusted proxies for X-Forwarded-* headers (#4507)
  • f5e10494 reverseproxy: Make shallow-ish clone of the request (#4551)
  • 87a1f228 reverseproxy: Move status replacement intercept to replace_status (#4300)
  • d058dee1 reverseproxy: Refactor dial address parsing, augment command parsing (#4616)
  • c7d6c4cb reverseproxy: copy_response and copy_response_headers for handle_response routes (#4391)
  • bcb7a19c rewrite: Add method Caddyfile directive (#4528)
  • 1feb6595 rewrite: Fix a double-encode issue when using the {uri} placeholder (#4516)
  • 6cadb60f templates: Document .OriginalReq
  • 1d0425b2 templates: Elaborate on what's supported by the markdown function (#4564)
  • a6199cf8 templates: Fix docs for .Args
  • ec14ccdd templates: fix inconsistent nested includes (#4452)
  • d0b608af tracing: New OpenTelemetry module (#4361)
  • 134b8056 caddyfile: Prevent bad block opening tokens (#4655)
  • c5fffb4a caddyfile: Support for raw token values; improve map, expression (#4643)
  • b82e22b4 caddyhttp: retain all values of vars matcher when specified multiple times (#4629)
  • bc15b4b0 caddypki: Load intermediate for signing on-the-fly (#4669)
  • 6512832f cmd: Add --diff option for caddy fmt (#4695)
  • 30b6d1f4 cmd: Enhance .env (dotenv) file parsing
  • 22d8edb9 cmd: Fix defaulting admin address if empty in config, fixes reload (#4674)
  • c2327161 cmd: Set Origin header properly on API requests
  • d06d0e79 go.mod: Upgrade CertMagic to v0.16.0
  • bf6a1b75 go.mod: Upgrade some dependencies
  • 79cbe7bf httpcaddyfile: Add 'vars' directive
  • a58f240d httpcaddyfile: Fix #4640 (auto-HTTPS edgecase) (#4661)
  • 7d229665 logging: Caddyfile support for duration_format (#4684)
  • 55b4c12e map: Evaluate placeholders in output vals (#4650)
  • 93c99f67 map: Support numeric and bool types with Caddyfile
  • 3d616e8c requestbody: Return HTTP 413 (fix #4558)
  • 3e3bb002 reverseproxy: Add _ms placeholders for proxy durations (#4666)
  • 2196c92c reverseproxy: Don't clear name in SRV upstreams
  • dc4d1473 reverseproxy: Expand SRV/A addrs for cache key
  • b8dbecb8 reverseproxy: Include port in A upstreams cache
  • e4ce40f8 reverseproxy: Sync up handleUpgradeResponse with stdlib (#4664)
  • afca2421 staticfiles: Expand placeholder for index files (#4679)
  • 00234c8a templates: Switch to BurntSushi/toml (#4700)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.4.6...v2.5.0

v2.5.0-rc.1

2 years ago

Please see the release notes for v2.5.0. In fact, just use v2.5.0 instead.

Interim Changelog: https://github.com/caddyserver/caddy/compare/v2.5.0-beta.1...v2.5.0-rc.1