This release contains a hotfix for a regression in v2.6.3 related to proxying chunked requests. We recommend that all users who do so upgrade to v2.6.4.

Note that, in an effort to make error-prone configs less likely, we have deprecated the reverse proxy options:

buffer_requests
buffer_responses
max_buffer_size

and have introduced 2 new ones which take a size argument to enable buffering:

request_buffers <size>
response_buffers <size>

The deprecated options will be removed in a later version of Caddy, so please start using the new parameters instead.

Changelog

0db29e2 go.mod: Upgrade acmez and x/net
4b119a4 reverseproxy: Don't buffer chunked requests (fix #5366) (#5367)

Assets 134

08 Feb 19:51

github-actions

v2.6.3

90798f3

v2.6.3

This release brings a number of bug fixes and minor features. We recommend that all users check the release notes/commits, then test and upgrade.

Notable changes:

New trusted_proxies global option (within servers) can be used to specify trusted proxy IP ranges globally. This is important if relying on headers for client IP addresses.
Unix sockets on Windows now supported as proxy upstreams.
Proxied WebSocket connections are now logged with correct status code and "size" (bytes read + bytes written).
The quic-go package has received significant optimizations, so HTTP/3 should be more efficient now.

Thank you to everyone who contributed to this release!

Changelog

bfaf2a8 acme_server: Configurable default lifetime for issued certificates (#5232)
ac83b7e admin: Add CADDY_ADMIN env var to override the default (#5332)
ac96455 admin: fix certificate renewal for admin (#5169)
762b027 admin: set certmagic cache logger (#5173)
329af5c build(deps): bump actions/cache from 2 to 3 (#5263)
3b724a2 build(deps): bump actions/upload-artifact from 1 to 3 (#5262)
af93517 build(deps): bump goreleaser/goreleaser-action from 2 to 4 (#5264)
cd49847 build(deps): bump peter-evans/repository-dispatch from 1 to 2 (#5261)
8d3a1b8 caddyauth: Use singleflight for basic auth (#5344)
bbe3663 caddyconfig: Fix httploader leak from unused responses (#5159)
7f2a93e caddyfile: Allow overriding server names (#5323)
223cbe3 caddyhttp: Add server-level trusted_proxies config (#5103)
087f126 caddyhttp: Canonicalize header field names (#5176)
12bcbe2 caddyhttp: Pluggable trusted proxy IP range sources (#5328)
ed50311 caddyhttp: add placeholder {http.request.orig_uri.path.*} (#5161)
33fdea8 caddypki: Prefer user-configured root instead of generating new one (#5189)
6f8fe01 caddypki: Use go.step.sm/crypto to generate the PKI (#5217)
1fa4cb7 caddytest: Increased sleep between retries to reduce flakey tests in CI (#5160)
fef9cb3 caddytest: internalize init config into '.go' file (#5230)
55035d3 caddytls: Add dns_ttl config, improve Caddyfile tls options (#5287)
66ce0c5 caddytls: Add test cases for Caddyfile tls options (#5293)
0a3efd1 caddytls: Debug log for ask endpoint
94b8d56 cmd: Add --envfile flag to validate command (#5350)
a999b70 cmd: Add missing \n to HelpTemplate (#5151)
c3b5b18 cmd: Avoid panic when printing version without build info (#5210)
5805b3c cmd: caddy fmt return code is 1 if not formatted (#5297)
8c0b49b cmd: fmt exit successfully after overwriting config file (#5351)
f20a8e7 cmd: replace deprecate func use (#5170)
536c28d core: Support Windows absolute paths for UDS proxy upstreams (#5114)
dac7cac encode: Respect Cache-Control no-transform (#5257)
4e9ad50 fileserver: Add a couple test cases
4bf6cb4 fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows (#5148)
a3ae146 fileserver: Reject non-GET/HEAD requests (close #5166) (#5167)
e8ad9b3 go.mod: Update golang.org/x/net to v0.5.0 (#5314)
fac35db go.mod: Update quic-go to v0.31.0
798c4a3 go.mod: Upgrade some dependencies
90798f3 go.mod: Upgrade various dependencies (#5362)
98867ac go.mod: bump tscert package to fix Tailscale 1.34+ on Windows (#5331)
d73660f httpcaddyfile: Add persist_config global option (#5339)
c38a040 httpcaddyfile: Fix handle grouping inside route (#5315)
d6d7511 httpcaddyfile: Warn on importing empty file; skip dotfiles (#5320)
817470d httploader: Close resp body on bad status code
72e7edd map: Clarified how destination values should be formatted (#5156)
e9d95ab reverseproxy: Add flag to short command to disable redirects (#5330)
e450a73 reverseproxy: Don't enable auto-https when --from flag is http (#5269)
845bc4d reverseproxy: Fix hanging for Transfer-Encoding: chunked (#5289)
d4a7d89 reverseproxy: Improve hostByHashing distribution (#5229)
c77a6be reverseproxy: Log status code and byte count for websockets (#5140)
ee7c92e reverseproxy: Mask the WS close message when we're the client (#5199)
d74f6fd reverseproxy: Set origreq in active health check (#5284)
9623102 tracing: Support placeholders in span name (#5329)

Assets 134

13 Oct 18:44

github-actions

v2.6.2

6bad878

v2.6.2

This release brings a number of bug fixes and minor enhancements. All users should upgrade after testing and verifying their setups. Thank you to all who contributed!

If you are coming from < 2.6, please see the 2.6 release notes because a lot is new!

Changelog

037dc23 admin: Use replacer on listen addresses (#5071)
498f32b caddyconfig: Implement retries into HTTPLoader (#5077)
9873ff9 caddyhttp: Remote IP prefix placeholders
61822f1 caddyhttp: replace placeholders in map defaults (#5081)
e07a267 caddytest: Revise sleep durations
253d97c core: Chdir to executable location on Windows (#5115)
ab720fb core: Fix ListenQUIC listener key conflict
e3e8aab core: Refactor and improve listener logic (#5089)
e4fac12 core: Set version manually via CustomVersion (#5072)
f7c1a51 fastcgi: Redirect using original URI path (fix #5073)
2be56c5 fileserver: Treat invalid file path as NotFound (#5099)
b1d04f5 fileserver: better dark mode visited link contrast (#5105)
33f60da fileserver: stop listing dir when request context is cancelled (#5131)
2153a81 forwardauth: Canonicalize header fields (fix #5038) (#5097)
fe91de6 go.mod: Upgrade select dependencies
7041970 headers: Support repeated WriteHeader if 1xx (fix #5074)
d46ba2e httpcaddyfile: Fix metrics global option parsing (#5126)
6bad878 httpcaddyfile: Improve detection of indistinguishable TLS automation policies (#5120)
2808de1 httpcaddyfile: Skip automate when auto_https off is specified (#5110)
3e1fd2a httpcaddyfile: Wrap site block in subroute if host matcher used (#5130)
9e1d964 logging: Add time_local option to use local time instead of UTC (#5108)
01e192e logging: Better console encoder defaults (#5109)
99ffe93 logging: Fix skip_hosts with wildcards (#5102)
ea58d51 logging: Perform filtering on arrays of strings (where possible) (#5101)
5e52bbb map: Remove infinite recursion check (#5094)
b4e28af replacer: working directory global placeholder (#5127)
e2991eb reverseproxy: On 103 don't delete own headers (#5091)
2a8c458 reverseproxy: Parse humanized byte size (fix #5095)
d055692 reverseproxy: fix upstream scheme handling in command (#5088)
013b510 rewrite: Only trim prefix if matched

New Contributors

@lemmi made their first contribution in #5088
@willnorris made their first contribution in #5081
@yroc92 made their first contribution in #5071
@iliana made their first contribution in #5105
@TobiX made their first contribution in #5106
@likev made their first contribution in #5099
@cherouvim made their first contribution in #5121

Full Changelog: v2.6.1...v2.6.2

Contributors

willnorris, iliana, and 5 other contributors

Assets 134

21 Sep 22:21

github-actions

v2.6.1

9206e8a

v2.6.1

Hotfix for unix sockets, the encode handler, and the caddy file-server command. Please see the release notes for v2.6.0 for other important information if you're coming from < 2.6!

Changelog

1426c97 core: Reuse unix sockets (UDS) and don't try to serve HTTP/3 over UDS (#5063)
44ad0ce encode: don't WriteHeader unless called (#5060)
beb7dcb fileserver: Reinstate --debug flag

Assets 134

20 Sep 18:12

github-actions

v2.6.0

821a08a

v2.6.0

Caddy 2.6

This is our biggest release since Caddy 2.

Caddy 2 changed the way the world serves the Web. By providing an online config API, automatic HTTPS, unlimited extensibility, certificate automation at scale, modern protocols, sane defaults, and an unrivaled developer experience, we boldly raised the bar for web servers.

Now with Caddy 2.6, we're doing it again. Caddy 2.6 is the first general-purpose web server to seamlessly enable the newly-standardized HTTP/3 protocol for all configurations by default. We've virtualized the file system so you can serve content from anywhere or anything. New event features let you observe and control Caddy's internals with custom actions. Caddy is more useful than ever for developers with its enhanced CLI tooling and features. And it's faster than ever with non-trivial performance improvements. We think you will love this release.

UPDATE: Please use v2.6.1 for hotfixes related to unix sockets, encode, and caddy file-server.

Watch the livestream

Special dedication

This release is dedicated to the late Peter Eckersley, who passed away September 2, 2022. Peter is one of the brilliant minds behind Let's Encrypt; his work has benefited billions of people. I met Peter at the Let's Encrypt launch party in a little bar in San Francisco in 2015 and have never forgotten that occasion. He later co-authored a published research paper called Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, which highly espoused Caddy's ACME integration: "We hope to see other popular server software follow Caddy’s lead."

We look forward to when other servers do that, and we hope to honor Peter's work and influence which will live on through his memory and the encrypted Web he made possible.

Highlights

⚠️ Don't miss deprecations / breaking changes at the bottom. Notably, if you use metrics, you will now need to turn them on.

HTTP/3 is here (#4707)

Caddy now enables RFC 9114-compliant HTTP/3 by default. The experimental_http3 option has graduated and been removed. We've removed another experimental option, allow_h2c, and individual HTTP versions (h1 h2 h2c h3) can now be toggled with the new protocols setting.

Note that HTTP/3 utilizes the QUIC transport, which requires UDP. If your network or firewall configuration only allows TCP, HTTP/3 connections will fail and clients (should) fall back to HTTP/2. For servers with properly-configured UDP networks, HTTP/3 should "just work" for enabled clients.

HTTP/3 clients can connect by reading Caddy's Alt-Svc header to know how to connect to Caddy via UDP. This header is now emitted automatically and by default. Other than that, there are no other changes needed to existing servers, as Caddy opens a separate UDP socket for HTTP/3.

Our HTTP/3 server attempts to mitigate amplification and reflection attacks by requiring address validation when the server is under load. This adds one round-trip for clients, but is only done as a defensive measure when necessary.

Serious thanks to @marten-seemann who builds and maintains the quic-go library we depend on for this. (Go has not announced any plans to officially support or implement HTTP/3.) We expect numerous QUIC and HTTP/3 improvements to come as implementations and best practices mature with more production experience.

Virtual file systems (#4909)

Caddy's file_server module now supports virtual file systems. We've replaced all hard-coded os.Open(), os.Stat(), etc. calls with Go's relatively new io/fs package, and introduced a new Caddy module namespace caddy.fs for implementations of such file systems.

Some examples of what is possible:

Serve content from S3 or other blob/cloud storage services
Serve dynamically-generated content that "feels" static
Embed your site directly into your caddy binary and serve it from memory
Serve content directly from an archive file (e.g. .zip or .tar.gz)
Load files from a database instead of disk

Basically, instead of serving files from the local disk, you can have Caddy serve the "files" from somewhere or something else. The default is still the local file system.

Note that this feature isn't limited to just Caddy's file_server module. Potentially any module that reads the local disk may benefit from using caddy.fs modules instead.

I wrote a module that lets you embed your site within your caddy binary -- wherever your server goes, your site goes!

We encourage the community to implement and publish new file system modules for Caddy. (From an early tweet there seems to be quite high demand.)

Events (#4912 and #4984)

Not surprisingly, many people prefer Caddy to automate certificates used with other software/services. Until now, there hasn't been a great way to know when Caddy has obtained or renewed a certificate (deferred in part by our opinion that certificate management should be baked into the software using the certificate in the first place). Cron jobs generally work for reloading new certificates into services because certificate expiry is mostly predictable, but now there is a better way with one of our most requested features: events!

We thought about events in general for a long time and discussed questions like, "What makes an event different from a log?" "Are events synchronous?" "Do self-initiated events get emitted before or after their code (are they past-tense or future-tense) -- or both? or neither (asynchronous)?" "What do we like from existing event systems?" "What do we wish event systems did differently?"

While we think we have pretty good answers to these questions now, we won't be sure until we gather more production experience. For this reason, events are implemented as an experimental app module -- not as part of the core. (Remember, Caddy's core currently only loads config and sets up logging/storage.) This means that Caddy's core cannot emit events.[^1] So even though our event implementation may change, it is likely to be only slight and gradual changes; and we encourage anyone and everyone to start using events as soon as possible and to give us your feedback. We think we have the start of a great event system, but we need you to prove it!

Caddy modules can emit events when interesting things happen. For example, the reverse proxy emits healthy and unhealthy events when backends go up and down. The TLS app emits cert_obtaining, cert_obtained, and cert_failed before and after obtaining a certificate or after the operation failed, respectively; and cert_ocsp_revoked after a certificate is discovered to be revoked by OCSP. There are several more events already, with even more to be added later.

Events can have data associated with them. For example, healthy/unhealthy come with the address of the host; cert_obtained has the domain name, issuer, and storage path. You can access this from config in placeholders, e.g. {event.data.identifier}.

Caddy modules can subscribe to events by specifying the name(s) of events to bind to, and the Caddy module ID(s) or namespace(s) to watch. When an event is emitted, it propagates from the module that emitted it up the provisioning heirarchy. This means that an event emitted by http.handlers.reverse_proxy will fire for http.handlers and http as well, similar to the DOM in HTML/JavaScript.

Event handlers are invoked synchronously. We chose this for several reasons. First, despite how easy Go makes concurrency, there are many subtleties to concurrency in a server. Goroutines may be lightweight, but their operations might not be; and if event goroutines are starting more quickly than they are stopping, we either drop events arbitrarily or run out of memory/CPU. Also, we think one of the qualities that differentiates events from logs is the ability for an event to influence the emitting code's flow: a true "hook" in that sense. Instead of simply observing that somet...