Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed!
Feel free to ask on the forum if you have any questions or feedback.
- `lookup_srv` JSON field for upstreams (and `srv+` scheme prefix in the Caddyfile), which will be removed in the future.
- `tracing` handler module and associated `tracing` directive.
- `copy_response` is available to copy the proxy's response back to the client, and `copy_response_headers` may be used to selectively copy header values from the proxy's response.
- `/pki/ca/<id>` and `/pki/ca/<id>/certificates` for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates.
- `X-Forwarded-Host` header will now be automatically set, along with `X-Forwarded-For` and `X-Forwarded-Proto`.
- `X-Forwarded-*` headers will no longer be automatically trusted, to prevent spoofing. Now, `trusted_proxies` must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's list of IP ranges.
- `propagation_delay` or `propagation_timeout` to -1, respectively.
- `3s` (was `10s`), which should allow for more easily configuring load balancing retries.
- `log_credentials` global option in the Caddyfile, or the server's `logs > should_log_credentials` field in JSON.
- `DEBUG` level if the error was handled via `errors` routes (`handle_errors` in Caddyfile).
- `common_log` field from HTTP access logs, and the `single_field` encoder. If you relied on this, you may use the transform encoder plugin to encode logs in Common Log format.
- `remote_addr` field has been replaced by `remote_ip` and `remote_port` fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for some tooling which only expects an IP address, without a port.
- `vars` matcher can now match on multiple possible values.
- `{http.request.uuid}` placeholder.
- `http_redirect` listener wrapper which can be used to redirect HTTP requests that come in on a server listening for HTTPS requests to be redirected to `https://`.
- `default_bind` global option lets you specify the default interface all sockets should bind to.
- `pki` global option lets you configure the properties of the internal CAs managed by Caddy.
- `method` directive allows rewriting the request method via Caddyfile.
- `reverse_proxy` directive's `handle_response` subdirective has had its status replacement functionality moved to a new `replace_status` subdirective. This makes sure that the functionality of `handle_response` is not overloaded, and usage is clearer.
- `map` directive now casts outputs to the appropriate scalar type if possible (int, float, bool). If you need to force a string, you may use double quotes or backticks https://github.com/caddyserver/caddy/pull/4643.
- `vars` directive allows setting some variables during request handling for later use in another handler or matcher.
- `caddy fmt` CLI command now has a `--diff` option which lets you visually see the formatting differences.
- `load_interval` :arrow_right: `load_delay` for clarification, and improved dynamic config loading.

:shield: Thanks to David Leadbeater for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release.
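The trust decision behind the `X-Forwarded-*` item above, sketched in Go as an added example; this is not Caddy's own code. The names `forwarded`, `resolve` and `demo`, the addresses and the trusted range are constructed for illustration, and the sketch assumes that values from an untrusted peer are replaced with what this hop observed itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
)

type forwarded struct{ For, Proto, Host string } // values sent upstream

// resolve honours incoming X-Forwarded-* values only when the directly
// connected peer is inside a trusted range; otherwise it discards them.
func resolve(r *http.Request, trusted []netip.Prefix) (forwarded, error) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return forwarded{}, fmt.Errorf("remote address %q: %w", r.RemoteAddr, err)
	}
	peer := ap.Addr().Unmap()
	out := forwarded{For: peer.String(), Proto: "http", Host: r.Host}
	if r.TLS != nil {
		out.Proto = "https"
	}
	ok := false
	for _, p := range trusted {
		ok = ok || p.Contains(peer)
	}
	if !ok {
		return out, nil // untrusted peer: its headers are spoofable input
	}
	if v := r.Header.Get("X-Forwarded-For"); v != "" {
		out.For = v + ", " + peer.String() // extend the trusted chain
	}
	for name, dst := range map[string]*string{"X-Forwarded-Proto": &out.Proto, "X-Forwarded-Host": &out.Host} {
		if v := r.Header.Get(name); v != "" {
			*dst = v
		}
	}
	return out, nil
}

// demo sends the same constructed headers from an untrusted and a trusted peer.
func demo() (untrusted, viaProxy forwarded) {
	trusted := []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")} // constructed range
	h := http.Header{"X-Forwarded-For": {"192.0.2.1"}, "X-Forwarded-Proto": {"https"}}
	untrusted, _ = resolve(&http.Request{RemoteAddr: "198.51.100.23:51000", Host: "app.example", Header: h}, trusted)
	viaProxy, _ = resolve(&http.Request{RemoteAddr: "203.0.113.9:443", Host: "app.example", Header: h}, trusted)
	return
}

func main() { fmt.Println(demo()) }
```

The direct client's claimed `X-Forwarded-For` and `X-Forwarded-Proto` are dropped, while the same headers arriving from the trusted range are kept and extended.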
- `MatchPath` sanitizing (#4499)
- `lifetime`, `sign_with_root` opts (#4513)
- `propagation_delay`, support `propagation_timeout -1` (#4723)
- `MatchRemoteIP` provisioning with multiple CIDR ranges (#4522)
- `pass_thru` Caddyfile option (#4613)
- `+` in Caddyfile to properly append rather than set (#4506)
- `default_bind` global option (#4531)
- `{vars.*}` placeholder shortcut, reverse `vars` sort order (#4726)
- `root` and `intermediate` cert/key config (#4514)
- `handle_path` (#4477)
- `pki` app names via global options (#4450)
- `strict_sni_host` (#4592)
- `roll_local_time` Caddyfile option (#4583)
- `local` CA when not necessary (#4463)
- `caddy trust` (#4443)
- `nil` error during GetClientCertificate (#4550)
- `health_headers` Caddyfile parsing (#4485)
- `X-Forwarded-*` headers (#4507)
- `replace_status` (#4300)
- `method` Caddyfile directive (#4528)
- `{uri}` placeholder (#4516)
- `map`, `expression` (#4643)
- `--diff` option for `caddy fmt` (#4695)
- `reload` (#4674)
- `duration_format` (#4684)
- `_ms` placeholders for proxy durations (#4666)
- `handleUpgradeResponse` with stdlib (#4664)
- `BurntSushi/toml` (#4700)

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.4.6...v2.5.0
Please see the release notes for v2.5.0. In fact, just use v2.5.0 instead.
Interim Changelog: https://github.com/caddyserver/caddy/compare/v2.5.0-beta.1...v2.5.0-rc.1
Please see the release notes for v2.5.0-rc.1. In fact, just use v2.5.0-rc.1 instead.
Interim Changelog: https://github.com/caddyserver/caddy/compare/v2.4.6...v2.5.0-beta.1
This release contains bug fixes and minor enhancements, including one patch with potential security implications related to path matching.
Notable patches:
- `map` handler

Notable enhancements:
- `try_files` can now accept `=nnn` (e.g. `=404`) to yield a status code instead of a file.
- `httpError` (stop eval and return HTTP error) and `import` (like `include` but changes template context) were added
- `{http.request.tls.client.certificate_der_base64}`

749e55c7 caddycmd: Add `--keep-backup` to upgrade commands (#4387)
062657d0 caddycmd: Add `--skip-standard` to `list-modules` command, quieter output (#4386)
be5f77e8 caddycmd: fix caddy validate/fmt help message (#4377)
907e2d8d caddyhttp: Add support for triggering errors from `try_files` (#4346)
cbb045a1 caddyhttp: Placeholder for client cert in DER + base64 format (#4241)
e7457b43 caddyhttp: Sanitize the path before evaluating path matchers (#4407)
837cdc56 caddyhttp: reverseproxy: clarify warning for -insecure (#4379)
24fda751 caddytls: Mark storage clean timestamp at end of routine (#4401)
a779e1b3 fastcgi: Fix Caddyfile parsing when `handle_response` is used (#4342)
3f2c3ecf fastcgi: Implement `try_files` override in Caddyfile directive (#4347)
64f8b557 fileserver: Fix compression breaks using httpInclude (#4352) (#4358)
d3a02599 fileserver: Fix displayed file size if it is symlink (#4354)
0a5f7a67 fileserver: Make file listing links purple once visited (#4356)
a21d5a00 fileserver: Prevent focusing filter from scrolling on page load (#4393)
33c70f41 fileserver: properly handle escaped/non-ascii paths (#4332)
c4790d7f go.mod: Carefully upgrade some dependencies (fix #4251)
997e41de go.mod: Replace promptui with Apache-compatible fork (fix #4394)
f376a38b go.mod: Update ACMEz and CertMagic
a4372066 headers: Canonicalize case in replace (fix #4330)
012d2353 httpcaddyfile: Empty tls policy for internal http localhost (#4398)
0ffb2229 httpcaddyfile: Preserve IPv6 addresses through normalization (fix #4381)
a2119c09 map: Fix 95c03506 (avoid repeated expansions)
95c03506 map: Fix regex mappings
3336faf2 reverseproxy: Log error at error level (fix #4360)
b0920615 reverseproxy: Prevent copying the response if a response handler ran (#4388)
f73f55db reverseproxy: Sanitize scheme and host on incoming requests (#4237)
5fda9610 templates: Add 'import' action (#4321)
16f75212 templates: Add tests for funcInclude and funcImport (#4357)
2392478b templates: Propagate httpError to HTTP response
A hotfix for a regression introduced in v2.4.4 related to combining the `encode` and `reverse_proxy` directives. Please see the v2.4.4 release notes for a more complete changelog.
9f6393c6 cmd: export CaddyVersion(), Commands() (#4316)
4ebf100f encode: ignore flushing until after first write (#4318)
46ab93be go.mod: Update CertMagic
This release contains numerous bug fixes, updated dependencies, and QoL improvements.
Update: This release contains a known regression in the combination of `encode` and `reverse_proxy` modules; please use v2.4.5 instead.
Thanks to all contributors, and a special thanks to @francislavoie and @Mohammed90 for their dedication in helping to maintain the project and help others.
0bdb8aa8 acmeserver: Don't set host for directory links by default
2de7e14e acmeserver: Trim slashes from path prefix
c131339c admin: Implement load_interval to pull config on a timer (#4246)
a10910f3 admin: Sync server variables (fix #4260) (#4274)
51f125bd caddyfile: Better error message for missing site block braces (#4301)
d74913f8 caddyfile: Error on invalid site addresses containing comma (#4302)
b6f51254 caddyfile: keep error chain info in Dispenser.Errf (#4233)
1c6c7714 caddyhttp: Fix edgecase with auto HTTP->HTTPS logic (#4243)
42e140b1 caddyhttp: Fix incorrect determination of gRPC protocol (#4236)
c1cd192e caddyhttp: Updated the documentation for MatchQuery (#4295)
81e53180 caddytls: Remove "IssuerRaw" field
ce5a45db cmd: Fix paths when using an env file (#4296)
68c5c716 cmd: New `add-package` and `remove-package` commands (#4226)
9e333c39 cmd: use net.ErrClosed for matching returned error (#4289)
1b1e625c core: Unix ns and Unix ms time placeholders (#4280)
69c91448 encode: Tweak compression settings (#4215)
4245ceb6 fileserver: Add `disable_canonical_uris` Caddyfile subdirective (#4222)
191dc86f fileserver: Clarify docs about canonicalization
9e16e80f fileserver: Fix browse name_dir_first sorting (#4218)
885a9aaf go.mod: Update dependencies (close #4216)
f43fd6f3 go.mod: Upgrade CertMagic to v0.14.4
84b906a2 go.mod: Upgrade some dependencies
ab32440b httpcaddyfile: Add shortcut for proxy hostport placeholder (#4263)
b3d35a49 httpcaddyfile: Don't put localhost in public APs (fix #4220)
569ecdbd httpcaddyfile: Ensure hosts to skip for logs can always be collected (#4258)
bfbc459c httpcaddyfile: Improve unrecognized directive errors
403732c4 httpcaddyfile: Reorder some directives (#4311)
46d99aba logging: Add missing interface guards for replace filter (#4244)
124ba1ba logging: Prep for `common_log` removal (#4149)
8a974a4f logging: Warn for deprecated single_field encoder
e6c29ce0 reverseproxy: Incorporate latest proxy changes from stdlib (#4266)
d8822110 reverseproxy: Keep path to unix socket as dial address (#4232)
f70a7578 reverseproxy: Remove redundant flushing (#4299)
Guess what: this is our 100th release! :tada: :partying_face: :confetti_ball:
A bug fix for the bug fix, and a couple other bug fixes, including one security fix for PHP sites. We think all users should upgrade after giving it a whirl in their test environments. Please note some changes in this patch:
- `reverse_proxy`, the `max_idle_conns_per_host` option has been removed (both Caddyfile and JSON). This may be a breaking change for a few of you, but it only breaks configs that relied on a bug. Instead of silently failing, you will get an error if you continue using the property. For Caddyfile, we basically renamed the property to `keepalive_idle_conns_per_host`. In JSON, we simply removed the property, and you should instead set `keep_alive/max_idle_conns_per_host` if you weren't already. Previously, the Caddyfile subdirective set both MaxConnsPerHost and MaxIdleConnsPerHost, which was confusing; and the JSON properties overwrote each other, so one was removed. Issue #4201.
- `file_server`. v2.4.2 introduced a bugfix (#4179) for these redirects when used inside `handle_path` (i.e. rewriting the path by stripping a prefix), but caused a regression for many other use cases. This release includes a proper fix for all known, tested cases. Basically: these redirects are not issued if the filename of a path was rewritten internally. Issue #4205.

9d4ed3a3 caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
e8ae80ad fileserver: Don't persist parsed template (fix #4202)
fbd65609 fileserver: Only redirect if filename not rewritten (fix #4205)
32c284b5 reverseproxy: Adjust test related to #4201
7c68809f reverseproxy: Fix overwriting of max_idle_conns_per_host (closes #4201)
A few enhancements and bug fixes. Thanks to all who contributed to this release!
323ffd20 admin: Replace admin cert cache when reloading (fix #4184)
4c2da188 caddytls: Add Caddyfile support for `propagation_timeout` (#4178)
76913b19 fileserver: Fix browse not redirecting query parameters (#4196)
f9b54454 fileserver: Redirect within the original URL (#4179)
ecd5eeab go.mod: Update direct dependencies
89aa3a5e go.mod: Use CertMagic v0.14.0 (fix #4191)
1e92258d httpcaddyfile: Add `preferred_chains` global option and issuer subdirective (#4192)
658772ff httpcaddyfile: Add `skip_install_trust` global option (#4153)
05656a60 httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
94b71200 logging: Actually use `level_key` (#4189)
7b500e74 metrics: use buildinfo collector from new collectors pkg (#4187)
2a810946 reverseproxy: Always remove hop-by-hop headers
A small patch release that contains a few noncritical but pleasant fixes (unless you're using `/id/` endpoints in the admin API; then you should definitely get this update).
7f26a6b3 admin: Reinstate internal redirect for /id/ requests
b82db994 caddyfile: Add parse error on site address with trailing `{` (#4163)
2aefe156 cmd: upgrade: inherit the permissions of the original executable (#4160)
dbe164d9 httpcaddyfile: Fix automation policy consolidation again (fix #4161)
e3c369d4 logging: Implement dial timeout for net writer (fix #4083) (#4172)
aef8d4de reverseproxy: Set the headers in the replacer before `handle_response` (#4165)
Caddy v2.4.0 is our first stable release of 2021, ushering in over 110 patches including new features and bug fixes. Thank you to the many contributors who helped make this possible!
Highlights:
- `caddy upgrade` command will replace the current Caddy binary with an upgraded one from our website, with all the same modules installed, including third-party plugins that are registered on our site! (We can use this code to add/remove modules later, too.)
- `fmt` lint check. When running with a Caddyfile, Caddy will emit a warning if the Caddyfile is not formatted with `caddy fmt`.
- `abort` directive. The `abort` directive is a special case of the `static_response` HTTP handler that prevents an HTTP response by aborting the handler chain immediately and forcefully closing the connection.
- `error` directive. The `error` directive returns internal error values in the HTTP handler chain, as if an HTTP error had occurred, causing your error routes to be invoked.
- `handle_response`.
- `caddy list-modules` output. Now modules are organized by standard and non-standard modules, so you can easily see if a Caddy build has been customized.
- `logfmt` log encoder. It was broken anyways, and its deprecation has been warned in previous releases.
- `common_log` format. It will be removed in a future release. Issue #4148
- `health_path` in `reverse_proxy` directive. It has been replaced with `health_uri` and will be removed in the future.

I've started writing high-quality, in-depth chapters about how to get the most out of Caddy in my new Expert Caddy series, exclusively for sponsors! If you or your company are sponsoring, you can have access to this content, which I'll continue adding to over time.
If you aren't sponsoring yet, please do so! Sponsorships fund my full-time development of Caddy, and that's especially vital if your business relies on Caddy.
For a detailed list of all commits since v2.3.0, please refer to prior pre-release changelogs.
bc221024 caddyfile: Fix `caddy fmt` nesting not decrementing (#4157)
d4b2f1bc caddyhttp: Fix fallback for the error handler chain (#4131)
61642b76 caddytls: Run replacer on ask URL, for env vars (#4154)
77764714 encode: Default to order the formats are enabled for `prefer` in Caddyfile (#4151)
f5db41ce encode: Drop `prefer` from Caddyfile (#4156)
74f5d66c fileserver: Fix `file` matcher with empty `try_files` (#4147)
3cf443f0 httpcaddyfile: Add `grace_period` global option (#4152)
a17c3b56 reverseproxy: Minor logging improvements