Releases: caddyserver/caddy

v2.6.0-beta.5

18 Sep 00:23
00beec2
v2.6.0-beta.5 Pre-release

This release and beta.4 are mainly tests of our CI, but also contain a bunch of small fixes and enhancements, including, notably, the use of sendfile and other optimizations. See the release notes for beta.3 for everything else until 2.6.0 lands soon. Full release notes coming!

Please see v2.6.0 instead.

v2.6.0-beta.3

05 Sep 22:07
4872175
v2.6.0-beta.3 Pre-release

This is the first beta release for Caddy 2.6. Please try it out and report any regressions you notice! Thanks to everyone who helped out! 😊

Beta 1 and beta 2 were trial runs for our CI upgrades, so this is technically beta 3. There are no code changes from beta 1 to beta 3. Thank you @mohammed90 for figuring out the CI magic!

Please see the v2.6.0 release.

Changelog: v2.5.2...v2.6.0-beta.3

v2.5.2

12 Jul 19:06
ad3a83f

This patch release fixes bugs, adds some new features, and makes worthwhile enhancements. We recommend everyone test and upgrade!

Many improvements have been made to the reverse_proxy module.

Highlights:

  • New /adapt admin endpoint: Use your installed config adapters via API in addition to the existing caddy adapt CLI command.
  • New Etag/If-Match support for config API: Safely update your config concurrently and avoid collisions by using our unique Etag implementation.
  • Rename copied headers from reverse_proxy: If you're using handle_response, you can more easily map headers to a different name for clients.
  • Many HTTP matchers have been added to CEL: You can now use the logic of our HTTP request matchers in CEL expressions.
  • Notable bug fixes: EAB reuse, various QUIC & HTTP/3 fixes, more specific HTTP status codes, various reverse proxy fixes.

Changelog

  • 660c59b admin: Implement /adapt endpoint (close #4465) (#4846)
  • ad3a83f admin: expect quoted ETags (#4879)
  • f259ed5 admin: support ETag on config endpoints (#4579)
  • 1498132 caddyhttp: Log error from CEL evaluation (fix #4832)
  • 0a14f97 caddytls: Make peer certificate verification pluggable (#4389)
  • 412dcc0 caddytls: Reuse issuer between PreCheck and Issue (#4866)
  • 499ad6d core: Micro-optim in run() (#4810)
  • c0f76e9 fileserver: Use safe redirects in file browser
  • 58e05ca forwardauth: Fix case when copy_headers is omitted (#4856)
  • 0b6f764 forwardauth: Support renaming copied headers, block support (#4783)
  • 8bac134 go.mod: Bump up quic-go to v0.28.0, fixes for BC breaks (#4867)
  • 3d18bc5 go.mod: Update go-yaml to v3
  • 5601393 go.mod: Update some dependencies
  • 8e6bc36 go.mod: Upgrade some dependencies
  • 53c4d78 headers: Only replace known placeholders (#4880)
  • 0bcd02d headers: Support wildcards for delete ops (close #4830) (#4831)
  • 58970ca httpcaddyfile: Add {err.*} placeholder shortcut (#4798)
  • b687d7b httpcaddyfile: Support multiple values for default_bind (#4774)
  • a926779 reverseproxy: Add --internal-certs CLI flag #3589 (#4817)
  • aaf6794 reverseproxy: Add renegotiation param in TLS client (#4784)
  • 54d1923 reverseproxy: Adjust new TLS Caddyfile directive names (#4872)
  • 7f9b1f4 reverseproxy: Correct the tls_server_name docs (#4827)
  • c82fe91 reverseproxy: Dynamic ServerName for TLS upstreams (#4836)
  • d6bc9e0 reverseproxy: Err 503 if all upstreams unavailable
  • 98468af reverseproxy: Fix double headers in response handlers (#4847)
  • 25f1051 reverseproxy: Fix panic when TLS is not configured (#4848)
  • 5e729c1 reverseproxy: HTTP 504 for upstream timeouts (#4824)
  • f9b42c3 reverseproxy: Make TLS renegotiation optional
  • b6e96fa reverseproxy: Skip TLS for certain configured ports (#4843)
  • 57d27c1 reverseproxy: Support http1.1>h2c (close #4777) (#4778)
  • 9864b13 reverseproxy: api: Remove misleading 'healthy' value
  • 693e9b5 rewrite: Handle fragment before query (fix #4775)
  • 6891f7f templates: Add humanize function (#4767)
  • 9e760e2 templates: Documentation consistency (#4796)

Full Changelog: v2.5.1...v2.5.2

v2.5.1

06 May 17:23
f7be0ee

This is a minor patch release that fixes some bugs and also enhances reverse_proxy with capabilities that weren't ready in time for v2.5.0.

Highlights

  • Fixed regression in Unix socket admin endpoints.
  • Fixed regression in caddy trust commands.
  • Hash-based load balancing policies (ip_hash, uri_hash, header, and cookie) use an improved highest-random-weight (HRW) algorithm for increased consistency. The new rendezvous hash will ensure a client or request is consistently mapped to a particular upstream even if the list of upstreams changes.
  • The reverse proxy is now able to rewrite the method and URI on its internal copy of the request that goes to the upstream. Combined with new handle_response capabilities, this enables the reverse proxy to fire off "pre-check requests" (for lack of a better term) to make routing decisions based on the results of that call. This enables a commonly-emerging pattern called forward authentication wherein a backend is queried to assess a client's authorization to be proxied. The full, verbose config for this is very flexible but tedious, so we made a new wrapper directive called forward_auth that eliminates the boilerplate (very similar to the php_fastcgi directive):
forward_auth authelia:9091 {
	uri /api/verify?rd=https://auth.example.com
	copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}

This works with authentication providers like Authelia, and more.
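
The rendezvous (HRW) hashing mentioned in the highlights above, as an added example that is not Caddy's own code: every upstream is scored against the request key and the highest score wins, so removing or adding an upstream only moves the keys that upstream owns. The FNV-1a hash, the function names, and the sample addresses are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// score mixes one upstream with the request key (FNV-1a is an assumption here).
func score(upstream, key string) uint32 {
	h := fnv.New32a()
	h.Write([]byte(upstream))
	h.Write([]byte{0}) // separator: ("ab","c") must not hash like ("a","bc")
	h.Write([]byte(key))
	return h.Sum32()
}

// pickHRW returns the highest-scoring upstream for key, or "" for an empty pool.
func pickHRW(pool []string, key string) string {
	best, bestScore := "", uint32(0)
	for i, u := range pool {
		if s := score(u, key); i == 0 || s > bestScore {
			best, bestScore = u, s
		}
	}
	return best
}

// without returns a copy of pool with one upstream removed.
func without(pool []string, gone string) []string {
	var out []string
	for _, u := range pool {
		if u != gone {
			out = append(out, u)
		}
	}
	return out
}

// moved lists the keys whose chosen upstream differs between two pools.
func moved(before, after, keys []string) []string {
	var out []string
	for _, k := range keys {
		if pickHRW(before, k) != pickHRW(after, k) {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	pool := []string{"10.0.0.1:8080", "10.0.0.2:8080", "10.0.0.3:8080", "10.0.0.4:8080"}
	var keys []string // constructed client IPs, as ip_hash would see them
	for i := 0; i < 200; i++ {
		keys = append(keys, fmt.Sprintf("198.51.100.%d", i))
	}
	m := moved(pool, without(pool, pool[1]), keys)
	fmt.Printf("%d of %d keys moved after removing %s\n", len(m), len(keys), pool[1])
}
```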

Changelog

  • ec86a2f caddyfile: Shortcut for remote_ip for private IP ranges (#4753)
  • dcc98da caddyhttp: Improve listen addr error message for IPv6 (#4740)
  • d543ad1 caddypki: Fix caddy trust command to use the correct API endpoint (#4730)
  • 2e4c091 cmd: Fix unix socket addresses for admin API requests (#4742)
  • af73215 httpcaddyfile: Fix duplicate access log when debug is on (#4746)
  • 0be3d99 logging: Implement rename filter, changes field key names (#4745)
  • 3017b24 logging: Use RedirectStdLog to capture more stdlib logs (#4732)
  • f7be0ee map: Prevent output destinations overlap with Caddyfile shorthands (#4657)
  • 4a223f5 reverseproxy: Fix Caddyfile support for replace_status (#4754)
  • 40b193f reverseproxy: Improve hashing LB policies with HRW (#4724)
  • e7fbee8 reverseproxy: Permit resolver addresses to not specify a port (#4760)
  • f6900fc reverseproxy: Support performing pre-check requests (#4739)
  • e84e19a templates: Add custom template function registration (#4757)
  • 3ab6483 templates: Add missing backticks in docs (#4737)

Full Changelog: v2.5.0...v2.5.1

v2.5.0

25 Apr 17:34
a8bb4a6

Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed!

Feel free to ask on the forum if you have any questions or feedback.

Highlights

  • Reverse proxy: Dynamic upstreams, which is the ability to get the list of upstreams at every request (more specifically, every iteration in the proxy loop of every request) rather than just once at config-load time. Dynamic upstream modules can be plugged in to provide Caddy with the latest list of backends in real-time. Two standard modules have been implemented which can get upstreams from SRV and A/AAAA record lookups.
    • ⚠️ This deprecates the lookup_srv JSON field for upstreams (and srv+ scheme prefix in the Caddyfile), which will be removed in the future.
  • Automatic HTTPS: Caddy will automatically try to get relevant certificates from the local Tailscale instance (if running with permission to access the Tailscale socket). This makes services running on a Tailscale network automatically available over trusted HTTPS with Caddy.
  • Tracing: New OpenTelemetry integration with the tracing handler module and associated tracing directive.
  • Reverse proxy: When using the response handlers, a new handler copy_response is available to copy the proxy's response back to the client, and copy_response_headers may be used to selectively copy header values from the proxy's response.
  • API: Added new endpoints /pki/ca/<id> and /pki/ca/<id>/certificates for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates.

Notable

  • Reverse proxy: The X-Forwarded-Host header will now be automatically set, along with X-Forwarded-For and X-Forwarded-Proto.
  • ⚠️ Reverse proxy: Incoming X-Forwarded-* headers will no longer be automatically trusted, to prevent spoofing. Now, trusted_proxies must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's list of IP ranges.
  • Automatic HTTPS: Revoked certificates will be automatically replaced more reliably.
  • Automatic HTTPS: Can now get certificates from Managers. As opposed to Issuers (such as the default ACME issuers) which give Caddy certificates to manage from a CSR, Managers give Caddy certificates to serve (rather than manage) during TLS handshakes.
  • Automatic HTTPS: A DNS challenge domain override can be configured to delegate the solving of the challenge to a different domain.
  • Automatic HTTPS: The DNS challenge propagation checks can now be delayed or disabled by setting propagation_delay or propagation_timeout to -1, respectively.
  • Reverse proxy: The default dial timeout for the HTTP transport has been adjusted down to 3s (was 10s), which should allow for more easily configuring load balancing retries.
  • Logging: HTTP access logs will now render empty values for often-sensitive HTTP headers such as Cookie, Authorization, and Proxy-Authorization. Logging such credentials is now opt-in with the log_credentials global option in the Caddyfile, or the server's logs > should_log_credentials field in JSON.
  • Logging: Logs can now be filtered by query string parameters, cookie values, and regular expressions; and log values can be hashed. These features are useful for redacting sensitive information.
  • Logging: Errors during request handling will now be logged at DEBUG level if the error was handled via errors routes (handle_errors in Caddyfile).
  • ⚠️ Logging: Removed the deprecated common_log field from HTTP access logs, and the single_field encoder. If you relied on this, you may use the transform encoder plugin to encode logs in Common Log format.
  • ⚠️ Logging: The remote_addr field has been replaced by remote_ip and remote_port fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for some tooling which only expects an IP address, without a port.
  • HTTP server: The vars matcher can now match on multiple possible values.
  • HTTP server: Requests can now be assigned a random and unique UUID from the new {http.request.uuid} placeholder.
  • HTTP server: New http_redirect listener wrapper which can be used to redirect HTTP requests that come in on a server listening for HTTPS requests to https://.
  • ⚠️ Caddyfile: Deprecated paths in site addresses. Prefer using path matchers within your site block instead.
  • Caddyfile: New default_bind global option lets you specify the default interface all sockets should bind to.
  • Caddyfile: New pki global option lets you configure the properties of the internal CAs managed by Caddy.
  • Caddyfile: New method directive allows rewriting the request method via Caddyfile.
  • ⚠️ Caddyfile: The reverse_proxy directive's handle_response subdirective has had its status replacement functionality moved to a new replace_status subdirective. This makes sure that the functionality of handle_response is not overloaded, and usage is clearer.
  • Caddyfile: The map directive now casts outputs to the appropriate scalar type if possible (int, float, bool). If you need to force a string, you may use double quotes or backticks #4643.
  • Caddyfile: New vars directive allows setting some variables during request handling for later use in another handler or matcher.
  • Caddyfile: The Caddyfile adapter is now stricter about curly braces for block openers to try to prevent parsing ambiguities.
  • Caddyfile: The caddy fmt CLI command now has a --diff option which lets you visually see the formatting differences.
  • ⚠️ Admin: Renamed experimental property load_interval ➡️ load_delay for clarification, and improved dynamic config loading.
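
The trusted_proxies change in the list above, modelled as an added example that is not Caddy's implementation: incoming X-Forwarded-* values are kept only when the directly connected peer is inside a configured trusted range, and are otherwise replaced with what the proxy itself observed. The function names, the append-to-chain behaviour for trusted peers, and the 192.0.2.0/24 range are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
)

// isTrusted reports whether the directly connected peer is in a trusted range.
func isTrusted(peer netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(peer) {
			return true
		}
	}
	return false
}

// orDefault returns v unless it is empty.
func orDefault(v, def string) string {
	if v == "" {
		return def
	}
	return v
}

// forwardedHeaders builds the X-Forwarded-* headers to send upstream.
// remoteAddr is the TCP peer ("ip:port"); host and proto describe the
// connection this proxy itself terminated.
func forwardedHeaders(in http.Header, remoteAddr, host, proto string, trusted []netip.Prefix) (http.Header, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return nil, fmt.Errorf("bad remote address %q: %w", remoteAddr, err)
	}
	peer := ap.Addr().Unmap() // treat ::ffff:a.b.c.d as a.b.c.d
	out := http.Header{}
	if !isTrusted(peer, trusted) {
		// Untrusted peer: ignore any X-Forwarded-* values it sent.
		out.Set("X-Forwarded-For", peer.String())
		out.Set("X-Forwarded-Proto", proto)
		out.Set("X-Forwarded-Host", host)
		return out, nil
	}
	// Trusted peer: keep its chain and append the peer itself.
	xff := peer.String()
	if prior := in.Get("X-Forwarded-For"); prior != "" {
		xff = prior + ", " + xff
	}
	out.Set("X-Forwarded-For", xff)
	out.Set("X-Forwarded-Proto", orDefault(in.Get("X-Forwarded-Proto"), proto))
	out.Set("X-Forwarded-Host", orDefault(in.Get("X-Forwarded-Host"), host))
	return out, nil
}

func main() {
	trusted := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")} // constructed range
	spoofed := http.Header{"X-Forwarded-For": {"10.0.0.1"}}
	out, _ := forwardedHeaders(spoofed, "198.51.100.9:40000", "example.com", "https", trusted)
	fmt.Println(out.Get("X-Forwarded-For")) // the peer's own address, not the spoofed value
}
```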

🛡️ Thanks to David Leadbeater for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release.

Changelog

  • 2e46c2a admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#448...

v2.5.0-rc.1

13 Apr 18:56
30b6d1f
v2.5.0-rc.1 Pre-release

Please see the release notes for v2.5.0. In fact, just use v2.5.0 instead.

Interim Changelog: v2.5.0-beta.1...v2.5.0-rc.1

v2.5.0-beta.1

09 Mar 22:29
c7d6c4c
v2.5.0-beta.1 Pre-release

Please see the release notes for v2.5.0-rc.1. In fact, just use v2.5.0-rc.1 instead.

Interim Changelog: v2.4.6...v2.5.0-beta.1

v2.4.6

08 Nov 21:47
e7457b4

This release contains bug fixes and minor enhancements, including one patch with potential security implications related to path matching.

Notable patches:

  • Path matchers unescape/clean URI paths to normalize match space
  • Fix regex matching in map handler

Notable enhancements:

  • try_files can now accept =nnn (e.g. =404) to yield a status code instead of a file.
  • Template actions httpError (stop eval and return HTTP error) and import (like include but changes template context) were added
  • New placeholder {http.request.tls.client.certificate_der_base64}

Changelog

749e55c caddycmd: Add --keep-backup to upgrade commands (#4387)
062657d caddycmd: Add --skip-standard to list-modules command, quieter output (#4386)
be5f77e caddycmd: fix caddy validate/fmt help message (#4377)
907e2d8 caddyhttp: Add support for triggering errors from try_files (#4346)
cbb045a caddyhttp: Placeholder for client cert in DER + base64 format (#4241)
e7457b4 caddyhttp: Sanitize the path before evaluating path matchers (#4407)
837cdc5 caddyhttp: reverseproxy: clarify warning for -insecure (#4379)
24fda75 caddytls: Mark storage clean timestamp at end of routine (#4401)
a779e1b fastcgi: Fix Caddyfile parsing when handle_response is used (#4342)
3f2c3ec fastcgi: Implement try_files override in Caddyfile directive (#4347)
64f8b55 fileserver: Fix compression breaks using httpInclude (#4352) (#4358)
d3a0259 fileserver: Fix displayed file size if it is symlink (#4354)
0a5f7a6 fileserver: Make file listing links purple once visited (#4356)
a21d5a0 fileserver: Prevent focusing filter from scrolling on page load (#4393)
33c70f4 fileserver: properly handle escaped/non-ascii paths (#4332)
c4790d7 go.mod: Carefully upgrade some dependencies (fix #4251)
997e41d go.mod: Replace promptui with Apache-compatible fork (fix #4394)
f376a38 go.mod: Update ACMEz and CertMagic
a437206 headers: Canonicalize case in replace (fix #4330)
012d235 httpcaddyfile: Empty tls policy for internal http localhost (#4398)
0ffb222 httpcaddyfile: Preserve IPv6 addresses through normalization (fix #4381)
a2119c0 map: Fix 95c0350 (avoid repeated expansions)
95c0350 map: Fix regex mappings
3336faf reverseproxy: Log error at error level (fix #4360)
b092061 reverseproxy: Prevent copying the response if a response handler ran (#4388)
f73f55d reverseproxy: Sanitize scheme and host on incoming requests (#4237)
5fda961 templates: Add 'import' action (#4321)
16f7521 templates: Add tests for funcInclude and funcImport (#4357)
2392478 templates: Propagate httpError to HTTP response

v2.4.5

03 Sep 18:54
46ab93b

A hotfix for a regression introduced in v2.4.4 related to combining the encode and reverse_proxy directives. Please see the v2.4.4 release notes for a more complete changelog.

Changelog

9f6393c cmd: export CaddyVersion(), Commands() (#4316)
4ebf100 encode: ignore flushing until after first write (#4318)
46ab93b go.mod: Update CertMagic

v2.4.4

30 Aug 23:10
f43fd6f

This release contains numerous bug fixes, updated dependencies, and QoL improvements.

Update: This release contains a known regression in the combination of encode and reverse_proxy modules; please use v2.4.5 instead.

Thanks to all contributors, and a special thanks to @francislavoie and @mohammed90 for their dedication in helping to maintain the project and help others.

Changelog

0bdb8aa acmeserver: Don't set host for directory links by default
2de7e14 acmeserver: Trim slashes from path prefix
c131339 admin: Implement load_interval to pull config on a timer (#4246)
a10910f admin: Sync server variables (fix #4260) (#4274)
51f125b caddyfile: Better error message for missing site block braces (#4301)
d74913f caddyfile: Error on invalid site addresses containing comma (#4302)
b6f5125 caddyfile: keep error chain info in Dispenser.Errf (#4233)
1c6c771 caddyhttp: Fix edgecase with auto HTTP->HTTPS logic (#4243)
42e140b caddyhttp: Fix incorrect determination of gRPC protocol (#4236)
c1cd192 caddyhttp: Updated the documentation for MatchQuery (#4295)
81e5318 caddytls: Remove "IssuerRaw" field
ce5a45d cmd: Fix paths when using an env file (#4296)
68c5c71 cmd: New add-package and remove-package commands (#4226)
9e333c3 cmd: use net.ErrClosed for matching returned error (#4289)
1b1e625 core: Unix ns and Unix ms time placeholders (#4280)
69c9144 encode: Tweak compression settings (#4215)
4245ceb fileserver: Add disable_canonical_uris Caddyfile subdirective (#4222)
191dc86 fileserver: Clarify docs about canonicalization
9e16e80 fileserver: Fix browse name_dir_first sorting (#4218)
885a9aa go.mod: Update dependencies (close #4216)
f43fd6f go.mod: Upgrade CertMagic to v0.14.4
84b906a go.mod: Upgrade some dependencies
ab32440 httpcaddyfile: Add shortcut for proxy hostport placeholder (#4263)
b3d35a4 httpcaddyfile: Don't put localhost in public APs (fix #4220)
569ecdb httpcaddyfile: Ensure hosts to skip for logs can always be collected (#4258)
bfbc459 httpcaddyfile: Improve unrecognized directive errors
403732c httpcaddyfile: Reorder some directives (#4311)
46d99ab logging: Add missing interface guards for replace filter (#4244)
124ba1b logging: Prep for common_log removal (#4149)
8a974a4 logging: Warn for deprecated single_field encoder
e6c29ce reverseproxy: Incorporate latest proxy changes from stdlib (#4266)
d882211 reverseproxy: Keep path to unix socket as dial address (#4232)
f70a757 reverseproxy: Remove redundant flushing (#4299)