Releases: caddyserver/caddy

v2.3.0

01 Jan 00:02
1b453dd

Caddy 2.3 is the first web server to be able to get certificates from multiple issuers (for redundancy)! We've also optimized several things for large-scale deployments, as there are businesses using Caddy to serve tens of thousands of sites per instance.

The main highlights of this release include:

  • Multi-issuer support. Caddy can now get certificates from multiple issuers for redundancy; if one fails, another will be tried. Caddy's new defaults are Let's Encrypt and ZeroSSL. You can customize these, including adding local/self-signed certificates as a last resort if desired. Caddy is the first web server to support multiple issuers, offering unrivaled reliability for your site's HTTPS. It is the first ACME client to support multiple CA fallbacks.

  • Improved on-demand TLS. On-demand TLS is an operating mode by which certificate obtain/renew operations are triggered on a TLS handshake that requires them, rather than happening at config-load time. We've moved a lot of the processing to the background where possible (e.g. when an existing certificate is still usable) so more connections will finish their handshakes faster, and fewer handshakes will fail (however, you still need to watch the logs and fix the errors before it's too late). Several businesses we know of currently rely on this unique feature at a scale of tens of thousands of sites.

  • Support for alternate certificate chains. You can now customize which certificate chains to download from ACME servers that offer more than one.

  • New map handler is ready for production use (see the Caddyfile docs). It's been in Caddy for a few versions now, but it's finally ready for production, with enhanced efficiency and functionality. We have been using this handler with a customer in production for a while now, on an instance that is handling thousands of sites.

  • Customize servers and listeners with the Caddyfile. The Caddyfile structure is oriented around sites for convenience, so customizing servers has not been possible until now. You can now use global options to configure servers and their listeners (for example, protocol options, socket read options, and more) without having to use JSON config.

Of course, there are also numerous bug fixes and other enhancements, including bringing more configuration options into the Caddyfile. Thank you to everyone who contributed code, code reviews, or participated in the pre-releases.

There are a couple of minor breaking changes, but one was not documented and the other has always been an experimental feature:

  • ⚠️ The remote_ip matcher no longer reads the X-Forwarded-For header by default. This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable forwarded (in the Caddyfile, just put forwarded as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.

  • ⚠️ The experimental_http3 global option in the Caddyfile has been replaced with global server options, one of which is the experimental_http3 protocol. Docs will be updated shortly. This remains an unstable feature until HTTP/3 is finalized, our upstream QUIC/H3 library is stable, and we have decided to keep HTTP/3 enabled in the core by default.

  • ⚠️ The "issuer" field in TLS automation policies is deprecated and will be removed in the future; please switch to "issuers".
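As an added illustration of the remote_ip change above (this is not Caddy's code, and the stricter remote_ip_match_behind_proxy variant is this editor's generalization rather than a 2.3 option), here is a small Python model of the matcher's two modes and why the old default was unsafe. It assumes, as the 2.3 forwarded mode did, that the left-most X-Forwarded-For hop is the one consulted.

```python
# Added illustration (not Caddy's code) of the remote_ip matcher semantics
# that changed in Caddy 2.3, plus a stricter variant that only trusts the
# header when it arrives from a known proxy.
import ipaddress
from typing import Iterable, Mapping


def _first_forwarded_hop(headers: Mapping[str, str]) -> str:
    """Left-most X-Forwarded-For entry, i.e. the value any client can write."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() if xff else ""


def _in_ranges(addr: str, ranges: Iterable[str]) -> bool:
    """True if addr (an IP literal) lies in any CIDR range; unparsable input never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def remote_ip_match(ranges, peer_ip, headers, forwarded=False):
    """Model of `remote_ip [forwarded] <ranges...>`.

    forwarded=False (the 2.3 default): only the TCP peer address is consulted.
    forwarded=True (the pre-2.3 behaviour, opt-in from 2.3): the first
    X-Forwarded-For hop replaces the peer address whenever the header is present.
    Assumption of this model: the left-most hop is the one taken.
    """
    addr = peer_ip
    if forwarded:
        hop = _first_forwarded_hop(headers)
        if hop:
            addr = hop
    return _in_ranges(addr, ranges)


def remote_ip_match_behind_proxy(ranges, peer_ip, headers, trusted_proxies):
    """Stricter variant (editor's generalization, not a Caddy 2.3 option):
    honour X-Forwarded-For only when the TCP peer is itself a trusted proxy,
    and use the right-most hop, which is the address that proxy appended and
    which a client cannot overwrite."""
    if not _in_ranges(peer_ip, trusted_proxies):
        return _in_ranges(peer_ip, ranges)
    xff = headers.get("X-Forwarded-For", "")
    if not xff:
        return _in_ranges(peer_ip, ranges)
    last_hop = xff.split(",")[-1].strip()
    return _in_ranges(last_hop, ranges)


if __name__ == "__main__":
    # Constructed sample request: a public client that claims an internal address.
    internal = ["10.0.0.0/8"]
    spoofed = {"X-Forwarded-For": "10.1.2.3"}
    print("2.3 default:", remote_ip_match(internal, "203.0.113.7", spoofed))
    print("forwarded:  ", remote_ip_match(internal, "203.0.113.7", spoofed, forwarded=True))
```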

Along with this release, we've taken the opportunity to consolidate our documentation regarding getting/installing Caddy. There is no more /docs/download page; instead it was combined with /docs/install, which better organizes the various official and unofficial ways to get Caddy. (To be clear, our download page at /download is still available.) Also, we started using Cloudsmith for our Debian packaging -- they're donating this service to our open source project and their team has been a pleasure to work with.

This release is the work of at least 20 contributors. Thank you!

Changelog

c5197f5 acme_server: fix reload of acme database (#3874)
06ba006 acme_server: switch to bbolt storage (#3868)
7a3d9d8 basicauth: Minor internal improvements (#3861)
937ec34 caddyauth: Prevent user enumeration by timing
4cff36d caddyauth: Use buffered channel passed to signal.Notify (#3895)
3d0e046 caddyauth: Use structured log
c6dec30 caddyfile: Add support for env var defaults; add tests (#3682)
635f075 caddyfile: Fix minor bug in formatter
63bda6a caddyhttp: Clean up internal auto-HTTPS redirect code
b8a799d caddyhttp: Document that remote_ip reads X-Forwarded-For header
4fc5707 caddyhttp: Fix header matcher when using nil
966d5e6 caddyhttp: Merge header matchers in Caddyfile (#3832)
b4f49e2 caddyhttp: Merge query matchers in Caddyfile (#3839)
1438e4d caddyhttp: New idle_timeout default of 5m
9157051 caddyhttp: Optimize large host matchers
deedf8a caddyhttp: Optionally use forwarded IP for remote_ip matcher
349457c caddyhttp: Return error if error handling error
b0f8fc7 caddytls: Configure trusted CAs from PEM files (#3882)
e384f07 caddytls: Improve alt chain preference settings
95af426 caddytls: Support ACME alt cert chain preferences
13781e6 caddytls: Support multiple issuers (#3862)
e7a5a38 cmd: add ability to read config from stdin (#3898)
eda9a1b fastcgi: Add timeouts support to Caddyfile adapter (#3842)
6e9ac24 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739)
7d7434c fileserver: Add debug logging
d8bcf5b fileserver: Fix "go up" links in browse listings (closes #3942)
8d038ca fileserver: Improve and clarify file hiding logic (#3844)
0a7721d fileserver: Preserve transformed root (fix #3838)
b6e96d6 go.mod: Update CertMagic
a748151 go.mod: Update CertMagic (fix #3911)
1e480b8 go.mod: update quic-go to v0.19.2 (#3880)
5643dc3 go.mod: update quic-go to v0.19.3 (#3901)
31fbcd7 go.mod: Upgrade some dependencies
a26f70a headers: Fix Caddyfile parsing with request matcher (#3892)
b0d5c2c headers: Support default header values in Caddyfile with '?' (#3807)
7c28ecb httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)
3cfefeb httpcaddyfile: Configure servers via global options (#3836)
7e71915 httpcaddyfile: Decrement counter when removing conn policy (fix #3906)
03d853e httpcaddyfile: Fix test on Windows
b6686a5 httpcaddyfile: Improve AP logic with OnDemand
63afffc httpcaddyfile: Proper log config with catch-all blocks (fix #3878)
db4f1c0 httpcaddyfile: Revise automation policy generation (#3824)
c898a37 httpcaddyfile: support matching headers that do not exist (#3909)
dd26875 logging: Fix for IP filtering
ebc278e metrics: allow disabling OpenMetrics negotiation (#3944)
670b723 requestbody: Add Caddyfile support (#3859)
99b8f44 reverse_proxy: Fix random_choose selection policy (#3811)
4a641f6 reverseproxy: Add Caddyfile scheme shorthand for h2c (#3629)
b660993 reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829)
53aa60a reverseproxy: Handle "operation was canceled" errors (#3816)
6e0849d reverseproxy: Implement cookie hash selection policy (#3809)
9605853 reverseproxy: Logging for streaming and upgrades (#3689)
132525d reverseproxy: Minor lint fixes
860cc6a reverseproxy: Wire up some http transport options in Caddyfile (#3843)
c9fdff9 reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819)
6ea6f3e reverseproxy: fix random hangs on http/2 requests with server push (#3875)

v2.3.0-rc.1

12 Dec 21:02
deedf8a
Pre-release

This is the first release candidate. We think 2.3 is ready to go, but we want to be extra sure! Please try it out in low-risk deployments and report any problems. Thank you!

Docs will be updated over the coming days and weeks. See the additional release notes from the beta release if you're coming from 2.2.

⚠️ The remote_ip matcher no longer reads the X-Forwarded-For header by default. This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable forwarded (in the Caddyfile, just put forwarded as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.

⚠️ The experimental_http3 global option in the Caddyfile has been replaced with global server options, one of which is the experimental_http3 protocol. Docs will be updated shortly. This remains an unstable feature until HTTP/3 is finalized, our upstream QUIC/H3 library is stable, and we have decided to keep HTTP/3 enabled in the core by default.

Changelog

4cff36d caddyauth: Use buffered channel passed to signal.Notify (#3895)
3d0e046 caddyauth: Use structured log
63bda6a caddyhttp: Clean up internal auto-HTTPS redirect code
b8a799d caddyhttp: Document that remote_ip reads X-Forwarded-For header
9157051 caddyhttp: Optimize large host matchers
deedf8a caddyhttp: Optionally use forwarded IP for remote_ip matcher
e7a5a38 cmd: add ability to read config from stdin (#3898)
6e9ac24 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739)
a748151 go.mod: Update CertMagic (fix #3911)
31fbcd7 go.mod: Upgrade some dependencies
5643dc3 go.mod: update quic-go to v0.19.3 (#3901)
7e71915 httpcaddyfile: Decrement counter when removing conn policy (fix #3906)
c898a37 httpcaddyfile: support matching headers that do not exist (#3909)

v2.3.0-beta.1

30 Nov 20:14
a26f70a
Pre-release

Caddy 2.3 beta 1 is the first pre-release for Caddy 2.3! Please help test it in appropriate staging/test environments, and low-risk production environments. Major features and improvements include:

  • Multi-issuer support. Caddy can now get certificates from multiple issuers for redundancy; if one fails, another will be tried. Caddy's new defaults are Let's Encrypt and ZeroSSL. Caddy is the first web server to support multiple issuers, offering unrivaled reliability for your site's HTTPS. It is the first ACME client to support multiple CA fallbacks.

  • Improved on-demand TLS. On-demand TLS is where certificate obtain/renew operations are triggered on a TLS handshake that requires them. We've moved a lot of the processing to the background where possible (e.g. when an existing certificate is still usable) so more connections will finish their handshakes faster, and fewer handshakes will fail (however, you still need to watch the logs and fix the errors before it's too late).

  • Support for alternate certificate chains. You can now customize which certificate chains to download from ACME servers that offer more than one.

  • New map handler is ready for production use. It's been in Caddy for a few versions now but it's finally ready for production, with enhanced efficiency and functionality. It will be added to the documentation shortly. We have been using this handler with a customer in production for a while now, on an instance that is handling thousands of sites.

  • Customize servers and listeners with the Caddyfile. The Caddyfile structure is oriented around sites for convenience, so customizing servers has not been possible until now. You can now use global options to configure servers and their listeners (for example, protocol options, socket read options, and more) without having to use JSON config.

This release also contains numerous bug fixes and other enhancements. Please help test it and report any issues with as much detail and simplification as you can, thank you!

This release is the work of at least 16 contributors.

Changelog

c5197f5 acme_server: fix reload of acme database (#3874)
06ba006 acme_server: switch to bbolt storage (#3868)
7a3d9d8 basicauth: Minor internal improvements (#3861)
937ec34 caddyauth: Prevent user enumeration by timing
c6dec30 caddyfile: Add support for env var defaults; add tests (#3682)
4fc5707 caddyhttp: Fix header matcher when using nil
966d5e6 caddyhttp: Merge header matchers in Caddyfile (#3832)
b4f49e2 caddyhttp: Merge query matchers in Caddyfile (#3839)
1438e4d caddyhttp: New idle_timeout default of 5m
349457c caddyhttp: Return error if error handling error
b0f8fc7 caddytls: Configure trusted CAs from PEM files (#3882)
95af426 caddytls: Support ACME alt cert chain preferences
13781e6 caddytls: Support multiple issuers (#3862)
eda9a1b fastcgi: Add timeouts support to Caddyfile adapter (#3842)
7d7434c fileserver: Add debug logging
8d038ca fileserver: Improve and clarify file hiding logic (#3844)
0a7721d fileserver: Preserve transformed root (fix #3838)
b6e96d6 go.mod: Update CertMagic
1e480b8 go.mod: update quic-go to v0.19.2 (#3880)
a26f70a headers: Fix Caddyfile parsing with request matcher (#3892)
b0d5c2c headers: Support default header values in Caddyfile with '?' (#3807)
7c28ecb httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)
3cfefeb httpcaddyfile: Configure servers via global options (#3836)
03d853e httpcaddyfile: Fix test on Windows
b6686a5 httpcaddyfile: Improve AP logic with OnDemand
63afffc httpcaddyfile: Proper log config with catch-all blocks (fix #3878)
db4f1c0 httpcaddyfile: Revise automation policy generation (#3824)
dd26875 logging: Fix for IP filtering
670b723 requestbody: Add Caddyfile support (#3859)
99b8f44 reverse_proxy: Fix random_choose selection policy (#3811)
4a641f6 reverseproxy: Add Caddyfile scheme shorthand for h2c (#3629)
b660993 reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829)
53aa60a reverseproxy: Handle "operation was canceled" errors (#3816)
6e0849d reverseproxy: Implement cookie hash selection policy (#3809)
9605853 reverseproxy: Logging for streaming and upgrades (#3689)
860cc6a reverseproxy: Wire up some http transport options in Caddyfile (#3843)
c9fdff9 reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819)
6ea6f3e reverseproxy: fix random hangs on http/2 requests with server push (#3875)

v2.2.1

13 Oct 17:44
385adf5

This patch release contains a number of bug fixes. Thanks for the reports and the help in debugging them!

Update: December 2020: This tag is the same as v2.2.3. Somehow, an unauthorized tag v2.2.2 was released from a fork. Because the Go module proxy is append-only, we created the v2.2.3 tag so that v2.2.1 would remain the default "latest" until v2.3.0 stable is released in a few weeks.

Changelog

8515267 admin: lower log level to Debug for /metrics requests (#3749)
a33e4b5 caddyfile: Add support for vars and vars_regexp matchers (#3730)
385adf5 caddyhttp: Restore original request params before error handlers (#3781)
0fc47e8 map: Apply default if mapped output is nil
ef8a372 map: Bug fixes; null literal with hyphen in Caddyfile
25d2b4b map: Reimplement; multiple outputs; optimize
dadfe19 metrics: fix handler to not run the next route (#3769)
3b9eae7 reverseproxy: Change 500 error to 502 for lookup_srv config (#3771)
c7efb03 reverseproxy: Fix dial placeholders, SRV, active health checks (#3780)
fdfdc03 reverseproxy: Ignore RFC 1521 params in Content-Type header (#3758)
6722426 reverseproxy: allow no port for SRV; fix regression in d55d50b (#3756)
aa9c3eb reverseproxy: default to port 80 for upstreams in Caddyfile (#3772)

v2.2.0

24 Sep 18:00
f197cec

We are pleased to release Caddy 2.2! Our community has spent a lot of time on bug fixes, as well as some new features you will like.

Highlights:

  • Full support for ZeroSSL, a new ACME CA that is a viable alternative to Let's Encrypt. Its ACME endpoint is free to use and might even be a better fit for your deployment depending on your requirements (for example, it does not have tight rate limits and does not require the DNS challenge for wildcard certs). To clarify, ZeroSSL's ACME endpoint is RFC 8555-compliant and was already compatible with Caddy; we just made it easier to use by automating the EAB credentials for your convenience.
  • We now have full control over our ACME stack! By replacing our previous underlying ACME library (lego) with ACMEz, Caddy can offer:
    • faster config reloads
    • more efficient cert management at scale
    • a more intuitive configuration experience
    • lighter builds
    • structured logs that are consistent with Caddy's other logs (which you have fine-grained control over).
    • (we no longer suffer from the limitations still shared by other lego-based ACME clients)
  • Integrated support for Prometheus metrics. We decided that emitting metrics is something the core of the server has to do, rather than only a separate module. We will continue improving this with time. Huge thanks to @hairyhenderson for his skillful contributions.
  • HTTP/2 server push has been re-introduced, this time better than it was in Caddy 1.
  • Caddyfile enhancements, including:
    • Fully customize certificate issuers from the Caddyfile. Up until now, you could only customize certain parts of the ACME issuer or choose the Internal issuer from the Caddyfile; now you have full control.
    • Named matchers can be defined inside route blocks.
    • Customize log encoders.
    • A dns property for the issuer subdirective of the tls directive, allowing full customization of the DNS challenge (for those providers which support the Caddyfile)
    • Bug fixes
  • ⚠️ The logfmt log encoder has been deprecated and will be removed. (It is already broken since it does not encode objects, so if you used it you probably stopped using it anyway.)
  • Customizable DNS resolver for reverse proxy
  • Latest HTTP/3 version
  • Numerous bug fixes and other enhancements! Notable bug fixes related to:
    • ACME DNS challenge providers
    • Custom resolvers for the DNS challenge
    • ACME EAB (External Account Binding)
    • Panic recovery
    • Startup time when managing lots of certificates
    • Correct port for active health checks (reverse_proxy module)
    • Windows paths
    • File hiding logic (file_server module)
    • Bidirectional streaming (reverse_proxy module; specifically benefits v2ray use)
    • More consistent, structured error logging when produced from HTTP code in Go's standard library
    • New placeholders and log fields, especially pertaining to TLS, ACME, and HTTP

Special thanks to @francislavoie and @mohammed90 and @hairyhenderson and others in our community for their continual aid with many bug reports and feature requests.

Changelog

(Includes pre-releases)

af5c148 admin,templates,core: Minor enhancements and error handling (#3607)
d4f2497 browse: align template to struct field renames from 4940325 (#3706)
8a0fff5 caddyauth: hash-password: Set bcrypt cost to 14 (#3580)
fb9d874 caddyfile: Export Tokenize function for lexing (#3549)
6f0f159 caddyhttp: Add {http.request.body} placeholder
514eef3 caddyhttp: Add support to resolve DN in CEL expression (#3608)
65a0952 caddyhttp: Add TLS client cert info to logs (#3640)
b01bb27 caddyhttp: New placeholder for PEM of client certificate (#3662)
c82c231 caddyhttp: Remove server name from metrics
0bf2565 caddyhttp: Reorder some access log fields; add host matcher test case
04f50a9 caddyhttp: Wrap http.Server logging with zap (#3668)
00e6b77 caddytls: Add dns config to acmeissuer (#3701)
66863aa caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633)
744d04c caddytls: Configure custom DNS resolvers for DNS challenge (close #2476)
24f3478 caddytls: Customize DNS resolvers for DNS challenge with Caddyfile
9859ab8 caddytls: Fix resolvers option of acme issuer (Caddyfile)
efc0cc5 caddytls: Move initial storage clean op into goroutine
6a14e2c caddytls: Replace lego with acmez (#3621)
b88e2b6 cmd: Allow caddy fmt to read from stdin (#3680)
68529e2 cmd: Print caddy version with environ or --environ (#3627)
2ae8c11 fastcgi: Add resolve_root_symlink (#3587)
0665a86 fastcgi: Ensure leading slash, omit SERVER_PORT if empty for compliance (#3570)
3fdaf50 fastcgi: Fill REMOTE_USER with http.auth.user.id placeholder (#3577)
3860b23 fileserver: Don't assume len(str) == len(ToLower(str)) (fix #3623)
735c866 fileserver: Enable browse pagination with offset parameter (#3542)
4940325 fileserver: Fix inconsistencies in browse JSON
1c5969b fileserver: Fix new file hide tests on Windows (#3719)
c054a81 fileserver: Fix newly-introduced failing test on Linux (#3625)
b95b873 fileserver: Fix try_files for directories; windows fix (#3684)
0ee4378 fileserver: Improve file hiding logic for directories and prefixes
c42bfaf go.mod: Bump CertMagic
28d870c go.mod: Update quic-go, truststore, and goldmark
c6d6a77 go.mod: Update some dependencies
2a5599e go.mod: Upgrade and downgrade smallstep, quic-go, and cpuid
3ee663d go.mod: Upgrade dependencies
997ef52 go.mod: Use v0.15(.1) of smallstep libs
6f73a35 httpcaddyfile: Add compression to http transport config (#3624)
584eba9 httpcaddyfile: Allow named matchers in route blocks (#3632)
ff19bdd httpcaddyfile: Avoid repeated subjects in APs (fix #3618)
8b80a32 httpcaddyfile: Bring enforce_origin and origins to admin config (#3595)
fe27f9c httpcaddyfile: Disallow args on route/handle directive family (#3740)
e3324aa httpcaddyfile: Ensure handle_path is sorted equally to handle (#3676)
be6daa5 httpcaddyfile: Fix panic when parsing route with matchers (#3746)
0afbab8 httpcaddyfile: Improve directive sorting logic (#3658)
4217217 httpcaddyfile: Properly record whether we added catch-all conn policy
7bfe5b6 httpcaddyfile: Reorder automation policy logic (close #3550)
eda54c2 logging: ⚠️ Deprecate logfmt encoder
309c1fe logging: Implement Caddyfile support for filter encoder (#3578)
f197cec metrics: Always track method label in uppercase (#3742)
d16ede3 metrics: Fix hidden panic while observing with bad exemplars (#3733)
b1d456d metrics: Fix panic when headers aren't written (#3737)
8ec51bb metrics: Initial integration of Prometheus metrics (#3709)
6cea1f2 push: Implement HTTP/2 server push (#3573)
904f149 reverse_proxy: fix bidirectional streams with encodings (fix #3606) (#3620)
e9b1d7d reverse_proxy: flush HTTP/2 response when ContentLength is unknown (#3561)
724b74d reverseproxy: Abort active health checks on context cancellation
4cd7ae3 reverseproxy: Add buffer_requests option to reverse_proxy directive (#3710)
bd9d796 reverseproxy: add support for custom DNS resolver (#3479)
bc453fa reverseproxy: Correct alternate port for active health checks (#3693)
d55d50b reverseproxy: Enforce port range size of 1 at provision (#3695)
19cc2bd reverseproxy: Fix Caddyfile parsing for empty non-http transports (#3576)
c94f5bb reverseproxy: Make default buffer size const
e2f913b reverseproxy: Minor fixes and cleanup
246a31a reverseproxy: Restore request's original host and header (fix #3509)
fc65320 reverseproxy: Support header selection policy on Host field (#3653)
c358200 templates: Disable hard wraps in Markdown rendering (#3553)
a2dae1d templates: Fix front matter closing fence search
2bc30bb templates: Implement placeholders function (#3324)

v2.2.0-rc.3

18 Sep 04:33
d16ede3
Pre-release

Use this one instead. :)

Changelog

c82c231 caddyhttp: Remove server name from metrics
d16ede3 metrics: Fix hidden panic while observing with bad exemplars (#3733)

v2.2.0-rc.2

17 Sep 19:03
3ee663d
Pre-release

Edit: Don't use rc2, use rc3 instead. (Released just a few hours later as a hotfix.)

The next release candidate for v2.2.0 - please try it out before the final tag! As always, deploy into a test or staging environment before production.

There are a lot of commits in this release because the milestone moved while we fixed problems that were reported, and we also wanted to make sure the final v2.2 release will be good and solid. Most of these commits are bug fixes, but we've also added Caddyfile support for several features, and notably: integrated Prometheus metrics. (Thanks @hairyhenderson and other contributors! That was a team effort.)

As you might expect, this release builds on all changes in RC1.

The documentation on our website will be updated after the final release is tagged.

Changelog

d4f2497 browse: align template to struct field renames from 4940325 (#3706)
b01bb27 caddyhttp: New placeholder for PEM of client certificate (#3662)
04f50a9 caddyhttp: Wrap http.Server logging with zap (#3668)
00e6b77 caddytls: Add dns config to acmeissuer (#3701)
744d04c caddytls: Configure custom DNS resolvers for DNS challenge (close #2476)
24f3478 caddytls: Customize DNS resolvers for DNS challenge with Caddyfile
9859ab8 caddytls: Fix resolvers option of acme issuer (Caddyfile)
b88e2b6 cmd: Allow caddy fmt to read from stdin (#3680)
4940325 fileserver: Fix inconsistencies in browse JSON
1c5969b fileserver: Fix new file hide tests on Windows (#3719)
b95b873 fileserver: Fix try_files for directories; windows fix (#3684)
0ee4378 fileserver: Improve file hiding logic for directories and prefixes
3ee663d go.mod: Upgrade dependencies
997ef52 go.mod: Use v0.15(.1) of smallstep libs
e3324aa httpcaddyfile: Ensure handle_path is sorted equally to handle (#3676)
0afbab8 httpcaddyfile: Improve directive sorting logic (#3658)
4217217 httpcaddyfile: Properly record whether we added catch-all conn policy
309c1fe logging: Implement Caddyfile support for filter encoder (#3578)
8ec51bb metrics: Initial integration of Prometheus metrics (#3709)
724b74d reverseproxy: Abort active health checks on context cancellation
4cd7ae3 reverseproxy: Add buffer_requests option to reverse_proxy directive (#3710)
bc453fa reverseproxy: Correct alternate port for active health checks (#3693)
d55d50b reverseproxy: Enforce port range size of 1 at provision (#3695)
c94f5bb reverseproxy: Make default buffer size const
fc65320 reverseproxy: Support header selection policy on Host field (#3653)

v2.2.0-rc.1

11 Aug 16:32
66863aa
Pre-release

The release candidate for v2.2.0 - please try it out before the final release! As always, deploy into a test or staging environment before production.

Highlights:

  • Replaced the old underlying ACME library (lego) with ACMEz - we now have full control over the entire certificate management stack! Config reloads will be faster and certificate management at scale will be smoother. The logs for cert operations are now consistent with Caddy's structured logs.
  • Full support for a new ACME CA! ZeroSSL is an alternative CA to Let's Encrypt. Its ACME endpoint is free to use! To clarify, ZeroSSL's ACME endpoint is RFC 8555-compliant and was already compatible with Caddy; we just made it easier to use by automating the EAB credentials for your convenience. (Known issue: Must use RSA certificate keys for now. This is queued to be fixed by upstream service provider.)
  • Fully customize certificate issuers from the Caddyfile. Up until now, you could only customize certain parts of the ACME issuer or choose the Internal issuer from the Caddyfile; now you have full control.
  • Re-introduced HTTP/2 server push similar to how it was available in Caddy v1, but now a little better.
  • ⚠️ The logfmt log encoder has been deprecated and will be removed. (It is already broken since it does not encode objects.)
  • Customizable DNS resolver for reverse proxy.
  • Numerous bug fixes and other enhancements!

Changelog

af5c148 admin,templates,core: Minor enhancements and error handling (#3607)
8a0fff5 caddyauth: hash-password: Set bcrypt cost to 14 (#3580)
fb9d874 caddyfile: Export Tokenize function for lexing (#3549)
65a0952 caddyhttp: Add TLS client cert info to logs (#3640)
514eef3 caddyhttp: Add support to resolve DN in CEL expression (#3608)
6f0f159 caddyhttp: Add {http.request.body} placeholder
0bf2565 caddyhttp: Reorder some access log fields; add host matcher test case
66863aa caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633)
efc0cc5 caddytls: Move initial storage clean op into goroutine
6a14e2c caddytls: Replace lego with acmez (#3621)
68529e2 cmd: Print caddy version with environ or --environ (#3627)
2ae8c11 fastcgi: Add resolve_root_symlink (#3587)
0665a86 fastcgi: Ensure leading slash, omit SERVER_PORT if empty for compliance (#3570)
3fdaf50 fastcgi: Fill REMOTE_USER with http.auth.user.id placeholder (#3577)
3860b23 fileserver: Don't assume len(str) == len(ToLower(str)) (fix #3623)
735c866 fileserver: Enable browse pagination with offset parameter (#3542)
c054a81 fileserver: Fix newly-introduced failing test on Linux (#3625)
c42bfaf go.mod: Bump CertMagic
28d870c go.mod: Update quic-go, truststore, and goldmark
c6d6a77 go.mod: Update some dependencies
2a5599e go.mod: Upgrade and downgrade smallstep, quic-go, and cpuid
6f73a35 httpcaddyfile: Add compression to http transport config (#3624)
584eba9 httpcaddyfile: Allow named matchers in route blocks (#3632)
ff19bdd httpcaddyfile: Avoid repeated subjects in APs (fix #3618)
8b80a32 httpcaddyfile: Bring enforce_origin and origins to admin config (#3595)
7bfe5b6 httpcaddyfile: Reorder automation policy logic (close #3550)
eda54c2 logging: ⚠️ Deprecate logfmt encoder
6cea1f2 push: Implement HTTP/2 server push (#3573)
904f149 reverse_proxy: fix bidirectional streams with encodings (fix #3606) (#3620)
e9b1d7d reverse_proxy: flush HTTP/2 response when ContentLength is unknown (#3561)
19cc2bd reverseproxy: Fix Caddyfile parsing for empty non-http transports (#3576)
e2f913b reverseproxy: Minor fixes and cleanup
246a31a reverseproxy: Restore request's original host and header (fix #3509)
bd9d796 reverseproxy: add support for custom DNS resolver (#3479)
c358200 templates: Disable hard wraps in Markdown rendering (#3553)
a2dae1d templates: Fix front matter closing fence search
2bc30bb templates: Implement placeholders function (#3324)

v2.1.1

30 Jun 19:22
d7dbf85

Version 2.1.1 fixes a minor regression in v2.1 related to the CEL (expression) matcher, as well as eliminating the warning about pb.proto. Both regressions were unfortunately introduced by patch updates on dependencies. This version also adds support for placeholders in the query matcher, and a WIP/experimental map handler that will be finalized before 2.2.

Changelog

6004d3f caddyhttp: Add 'map' handler (#3199)
77f233a caddyhttp: Corrected host label index check (fix #3502)
ddd690d caddyhttp: Support placeholders in query matcher (#3521)
d7dbf85 cel: fix validation of expression result type (#3526)

v2.1.0

26 Jun 19:10
c9049bd

Caddy 2.1 introduces a variety of new features, bug fixes, and other enhancements! Highlights:

  • Fully automated mTLS certificates. Caddy 2.1 can fully manage all its TLS certificates -- including TLS client certificates -- using any ACME endpoint you configure. New in this version, the reverse proxy module can be configured to present an automated client certificate, just by providing its subject name in the config. We've tested it with Caddy's built-in ACME server, Let's Encrypt, Sectigo, and Smallstep ACME endpoints. Using this feature, Caddy will keep the client certificate renewed automatically.

  • Embedded ACME server (powered by Smallstep). This allows other ACME clients to use Caddy as an ACME endpoint. The idea here is to replace one-off self-signed, generated certificates with proper, short-lived, auto-renewing certificates for local development and internal deployments. In other words, if you're running a command every so often to produce a self-signed certificate, use Caddy instead for proper, fully-managed internal PKI. Simply add the acme_server directive to your Caddyfile for its default configuration, or use its JSON interface.

  • H2C support. Although discouraged in the general case, HTTP/2 over Cleartext HTTP (h2c) can be useful when serving or proxying gRPC locally/internally on trusted networks; and due to the currently poor TLS support in gRPC services, h2c might even be required in some cases. Caddy can now serve HTTP/2 without encryption, and it can communicate as a client with an HTTP/2 server that does not support TLS. To proxy h2c, set the versions property to include "h2c". To serve h2c, enable allow_h2c in your HTTP server config.

  • New handle_path Caddyfile directive. This works exactly the same as handle, but it only accepts a path prefix matcher and it strips the matched portion of the path before executing the directives contained in its block. It's a shortcut for using handle and uri strip_prefix together, which was a common enough use case that we consolidated it into a new directive.

  • Auto HTTPS can be configured in the Caddyfile. You can use the auto_https global option to disable it entirely, or disable only HTTP->HTTPS redirects. This is useful if you don't want to bind to any HTTP port at all.

  • Various other Caddyfile improvements. Several quality-of-life improvements for the Caddyfile, including one-line named matchers such as @foo not path /foobar/*, and the ability to use backticks (`) to enclose strings where double quotes (") are inconvenient.

  • Reverse proxy response interception. The reverse proxy can now intercept and handle the response from upstream based on the response status code and/or headers. This allows you to invoke custom, arbitrary HTTP logic based on the response from a backend.
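As an added example (not the project's own code), a reverse_proxy handler in JSON that intercepts 5xx responses from the upstream by status code and replaces them with a generic 503 body, so backend error pages and stack traces are not passed through to clients; the upstream address localhost:8080, the list of intercepted status codes and the response body are assumptions.

```json
{
  "handler": "reverse_proxy",
  "upstreams": [{ "dial": "localhost:8080" }],
  "handle_response": [
    {
      "match": { "status_code": [500, 502, 503] },
      "routes": [
        {
          "handle": [
            {
              "handler": "static_response",
              "status_code": 503,
              "body": "Service temporarily unavailable"
            }
          ]
        }
      ]
    }
  ]
}
```

Responses that do not match any handle_response entry are proxied to the client unchanged.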

  • Many bug fixes and other enhancements. We always say this, I know, but just look at that changelog.

Thank you to all who contributed and filed actionable bug reports as well as patches! Please keep it up. :)

Changelog

1dc4ec2 admin: Disallow websockets
aef560c all: Recover from panics in goroutines
41a682d caddyauth: Add realm to basicauth Caddyfile directive (#3315)
9a7756c caddyauth: Cache basicauth results (fixes #3462) (#3465)
96d6d27 caddyconfig: Don't start comments in middle of tokens (#3267)
6c051cd caddyconfig: Minor internal and godoc tweaks
fdf2a77 caddyfile: Add args on imports (#3423)
d55c3b3 caddyhttp: Add client cert SAN placeholders
ffc125d caddyfile: Move NewTestDispenser into non-test file (#3439)
5230561 caddyfile: Support backticks as quotes (closes #2591) (#3242)
294910c caddyhttp: Add client.public_key(_sha256) placeholders
0cbf467 caddyhttp: Add time.now placeholder and update cel-go (closes #2594)
2d1f7b9 caddyhttp: Auto-redirects from all bind addresses (fix #3443)
21c00a3 caddyhttp: Better host matching for logger names (fix #3488) (#3522)
7b0962b caddyhttp: Default to error status if found in context
3af15c0 caddyhttp: Empty, not nil, query matcher matches empty query string
6db3615 caddyhttp: Enable matching empty query string
4c55d26 caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379)
d534162 caddyhttp: Match hostnames with wildcards to loggers (#3378)
7960b42 caddyhttp: Minor refactoring for preparing requests
e5bbed1 caddyhttp: Refactor header matching
a285fe4 caddypki: Add 'acme_server' Caddyfile directive
bde3823 caddytest: Refactor Caddyfile adapt tests to separate files (#3398)
e18c373 caddytls: Actually use configured test CA
11a132d caddytls: Configurable cache size limit
6d03fb4 caddytls: Don't decode HMAC
62c9f2c cmd: Add --envfile flag to run command (#3278)
4df56c7 cmd: Add pidfile support (closes #3235)
83551ed cmd: Only stop admin server on signal if it exists (fix #3470)
996af09 cmd: Support admin endpoint on unix socket (#3320)
aa20878 cmd: file-server: add --access-log flag (#3454)
bb67e19 cmd: hash-password: Fix broken terminal state on SIGINT (#3416)
5bde8d7 cmd: hash-password: Support reading from stdin (#3373)
44536a7 cmd: reverse-proxy: add --insecure flag (with warning) (#3389)
ef6e53b core: Add support for d duration unit (#3323)
28ab0bf core: Support loading modules from [][]json.RawMessage fields
b1480eb fastcgi: Fix php_fastcgi matcher regression (#3512)
fa4cdde fastcgi: Make sure splitPos handles empty SplitPath correctly (#3491)
7243454 fastcgi: php_fastcgi subdirectives to override shortcut behaviour (#3255)
1e8c976 file_server: Accept files args in one-liner of Caddyfile matcher (#3298)
c9049bd go.mod: Minor dependency updates
9dafa63 go.mod: Update dependencies
3fb2c39 go.mod: Update dependencies
d5d7fb5 go.mod: Update dependencies
cb0d983 go.mod: Update quic-go to 0.17.1 (draft 29) and certmagic 0.11.2 (eab)
fae0642 httpcaddyfile: Add auto_https global option (#3284)
1dfb114 httpcaddyfile: Add client_auth options to tls directive (#3335)
21de227 httpcaddyfile: Be stricter about log syntax (#3419)
32cafbb httpcaddyfile: Fix ordering of catch-all site blocks
cd9317e httpcaddyfile: Fix route ordering bug
cc8fb48 httpcaddyfile: Improve error on matcher declared outside site block (#3431)
a496308 httpcaddyfile: Let modules add listener wrappers (#3397)
dc9f4f1 httpcaddyfile: Make global options pluggable (#3265)
d84a5d8 httpcaddyfile: New acme_eab option (#3492)
8c5d00b httpcaddyfile: New handle_path directive (#3281)
2f59467 httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319)
ea7e4b4 httpcaddyfile: Shorthands for parameterized placeholders (#3305)
97e61c1 httpcaddyfile: Sort site blocks with wildcards last (fix #3410)
26e5596 httpcaddyfile: Support single-line matchers (#3263)
41c7bd2 httpserver: Add experimental H2C support (#3289)
bf8c3c2 log: improve rounding logic for log rolling directives (#3367)
9415fec logging: Net writer redials if write fails (#3453)
c47ddbe pki: Add docs to some struct fields
184e8e9 pki: Embedded ACME server (#3198)
4b10ae5 reverseproxy: Add Caddyfile support for ClientCertificateAutomate
afecd90 reverseproxy: Add tls_server_name option to Caddyfile (#3322)
1c17e6c reverseproxy: Allow using TLS for port 80 upstreams (see #3361)
90c7b4b reverseproxy: Apply response header ops before copying it (fix #3382) (#3401)
b3bff13 reverseproxy: Close websocket conn if req context cancels
2a8a198 reverseproxy: Don't overwrite existing X-Forwarded-Proto header
812278a reverseproxy: Emit debug log before checking error (#3425)
7a99835 reverseproxy: Enable changing only the status code (close #2920)
538ddb8 reverseproxy: Enable response interception (#1447, #2920)
22055c5 reverseproxy: Fix https active health checks #3450 (#3451)
c1e5c09 reverseproxy: Improve error message when using scheme+placeholder (#3393)
9ee01dc reverseproxy: Make debug log safe if error occurs
881b826 reverseproxy: Pool copy buffers (minor optimization)
003403e templates: Add support for dots to close yaml frontmatter (#3498)
483e31b templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387)
b814c0a tls/client auth: verify first certificates in client request (#3344)