v2.7.4

Caddy 2.7.4 rounds out some bug fixes from the 2.7 release. For example, Go made a last-minute breaking change to a new API that broke quic-go (HTTP/3) on Go 1.21 just before Go 1.21 was released; we resolved a few issues with on-demand TLS that are now much improved from the 2.6 tree; a couple race conditions were fixed in dynamic reverse proxy upstreams. We hope you will be pleased with this new version!

Caddy is on feature freeze until after 2.8 so we can improve our testing situation. These patches have all been tried to ensure they work as intended, but if you notice any issues please report them!

We encourage all users to test this new version and then upgrade. Thanks to all who get involved!

Changelog

• 080db93 caddytls: Update docs for on-demand config
• d813550 cmd: Require config for caddy validate (fix #5612) (#5614)
• a8492c0 fileserver: Don't repeat error for invalid method inside error context (#5705)
• 2d7d806 fileserver: Slightly more fitting icons
• f11c3c9 go.mod: Upgrade CertMagic and quic-go
• 5b9c850 go.mod: Upgrade golang.org/x/net to 0.14.0 (#5718)
• 936ee91 reverseproxy: Always return new upstreams (fix #5736) (#5752)
• 431adc0 templates: Fix httpInclude (fix #5698)

New Contributors

• @faddat made their first contribution in #5707
• @shyim made their first contribution in #5718
• @AaronDewes made their first contribution in #5720

Full Changelog: v2.7.3...v2.7.4

v2.7.3

We're pleased to present Caddy 2.7, which makes significant strides in areas of scaling, performance, and niche features.

Special thank-you to @francislavoie, @mohammed90, and other core team members for the ongoing dedication of their time to help maintain the project and help in our forums.

And a big thank-you to everyone else who contributed! You're awesome, and we're glad this project has so many contributors and sponsors to make it possible.

Docs are being updated and will be pushed live shortly. Thank you for your patience and for using Caddy!

(Note: Versions 2.7.0-2.7.2 contain bugs that were hotfixed within minutes and hours and a day of the release. Thank you to everyone who helped with that! And sorry for the trouble, we have learned lessons to help mitigate that in the future.)

Highlights

• The in-memory TLS certificate cache is no longer purged and recreated during config reloads, making reloads extremely lightweight even when managing thousands of certificates.
• Significant HTTP/3 performance improvements (upstream in quic-go) including enabling 0-RTT. Caddy users should notice significantly better throughput for HTTP/3. Thanks for the fantastic work, @marten-seemann!
• New default template for the file server's "browse" listings - more modern, easier to use, grid view, filetype-specific icons, and better dark mode (see #5427 for more screenshots and info)
  
  
• The reverse proxy now supports the PROXY protocol. Using external modules is no longer required; specifically, the plugin by @mastercactapus is now built-in. (#5424)
• Caddyfile now supports Heredoc syntax for long embedded strings/documents. (#5385)
• @francislavoie implemented a suite of enhancements to bring you more reliable, trustworthy client IP information, even through proxies and CDNs (#5104)
• Certificate private keys will no longer be reused when renewing certificates.
• Caddyfile import arg placeholders support slice syntax, e.g. {args[2:]} (#5249)
• Customizable "fallback" policy for reverse proxy in case the primary policy isn't applicable. (#5488)
• Etags are generated more sensibly for NixOS environments which all have Modified time of 1; and if you set your own Etag, it will not be overwritten.
• EXPERIMENTAL: New short flags for the CLI. (#5379)
• EXPERIMENTAL: The reverse proxy may be configured to keep hijacked connections (streams, WebSockets, etc.) open through config reloads. (#5567)
• EXPERIMENTAL: Define "named routes" to reuse them without copying. Caddyfile snippets are useful for reusing config, but reusing the same HTTP routes involves lots of copied config and memory bloat. Named routes let you define a route once and reuse it throughout your HTTP server without copying. It is available for JSON and Caddyfile configs. (#5107)
• EXPERIMENTAL: You can specify permissions for unix sockets. (#4741)
• Many many bug fixes you may or may not notice 🙃

Deprecations and possible breaking changes for some:

• ⚠️ The ask endpoint is now required to enable On-Demand TLS (b97c76f) for catch-all or wildcard hosts. Our docs have always mentioned this is required in production environments, but now the code enforces it. The ask endpoint is not required for local-only or internal-only names (#5384 and a7af7c4).
• ⚠️ The on-demand config's throttle options are now deprecated because the 'ask' endpoint is required. Additionally, the 'ask' endpoint is checked and the throttle is applied before storage is queried for a certificate in order to limit load on the storage backend.
• ⚠️ The long-deprecated lookup_srv feature of the reverse proxy has been removed. It was replaced with the dynamic upstreams feature in 2.6. (#5396)
• ⚠️ The remote_ip forwarded matcher has been deprecated because it assumes trusting downstream proxies. Instead, the client_ip matcher should be used along with trusted_proxies configuration. (#5103 and #5104)
• ⚠️ Placeholder syntax {args.0} is now deprecated in favor of {args[0]}.
• ⚠️ Plugin authors will now need to use http.ResponseController to call Flush() or Hijack() on the response writer. (#5654)

Thank you to everyone who contributed! And thank you to our sponsors who truly make this project possible.

New Contributors

• @esell made their first contribution in #5417
• @krak3n made their first contribution in #5147
• @trea made their first contribution in #5435
• @heimoshuiyu made their first contribution in #5464
• @gucki made their first contribution in #5424
• @kidonng made their first contribution in #5475
• @taophp made their first contribution in #5497
• @eanavitarte made their first contribution in #5515
• @jonatan5524 made their first contribution in #5521
• @jjiang-stripe made their first contribution in #5531
• @TP-O made their first contribution in #5504
• @pistasjis made their first contribution in #5536
• @charles-dyfis-net made their first contribution in #5547
• @jpds made their first contribution in #5554
• @kassienull made their first contribution in #5553
• @Phrynobatrachus made their first contribution in #5532
• @365cent made their first contribution in #5564
• @oncilla made their first contribution in #5573
• @testwill made their first contribution in #5576
• @mmm444 made their first contribution in #5567
• @sabify made their first contribution in #5579
• @omerdemirok made their first contribution in #5586
• @bt90 made their first contribution in #5636
• @ydylla made their first contribution in #5646
• @kkroo made their first contribution in #5648

Full Changelog: v2.6.4...v2.7.3

Changelog

• 3f20a7c acmeserver: Configurable resolvers, fix smallstep deprecations (#5500)
• b1366c7 build(deps): bump actions/setup-go from 3 to 4 (#5474)
• dfe17c3 caddyconfig: Specify config adapter for HTTP loader (close #5607)
• f3379f6 caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
• 960150b caddyfile: Implement heredoc support (#5385)
• 8bc05e5 caddyfile: Implement variadics for import args placeholders (#5249)
• 53b6fab caddyfile: Stricter parsing, error for brace on new line (#5505)
• cee4441 caddyfile: Do not replace import tokens if they are part of a snippet (#5539)
• 9cde715 caddyfile: Track import name instead of modifying filename (#5540)
• bbe1952 caddyfile: Fix comparing if two tokens are on the same line (#5626)
• 9f34383 caddyfile: check that matched key is not a substring of the replacement key (#5685)
• cfc85ae caddyhttp: Add a getter for Server.name (#5531)
• 05e9974 caddyhttp: Determine real client IP if trusted proxies configured (#5104)
• c05e389 caddyhttp: Enable 0-RTT QUIC (#5425)
• 8537586 caddyhttp: Fix vars_regexp matcher with placeholders (#5408)
• 1c9ea01 caddyhttp: Impl ResponseWriter.Unwrap(), prep for Go 1.20's ResponseController (#5509)
• cbf16f6 caddyhttp: Implement named routes, invoke directive (#5107)
• 2b3046d caddyhttp: Log request body bytes read (#5461)
• 96919ac caddyhttp: Refactor cert Managers (fix #5415) (#5533)
• d8d87a3 caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
• 808b05c caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
• 2945264 caddyhttp: Fix h3 shutdown (#5541)
• 6a41b62 caddyhttp: Support custom network for HTTP/3 (#5573)
• a7af7c4 caddytls: Allow on-demand w/o ask for internal-only
• cd486c2 caddyhttp: Make use of http.ResponseController (#5654)
• 18c309b caddyhttp: Preserve original error (fix #5652)
• 66114cb caddyhttp: Trim dot/space only on Windows (fix #5613)
• a02ecb0 caddytls: Check for nil ALPN; close #5470 (#5473)
• faf0399 caddytls: Configurable fallback SNI (#5527)
• e16a886 caddytls: Eval replacer on automation policy subjects (#5459)
• be53e43 caddytls: Relax the warning for on-demand (#5384)
• b97c76f caddytls: Require 'ask' endpoint for on-demand TLS
• 0cc49c0 caddytls: Zero out throttle window first (#5443)
• 4ba03c9 caddytls: Clarify some JSON config docs
• 0e2c7e1 caddytls: Reuse certificate cache through reloads (#5623)
• b301a3d celmatcher: Implement pkix.Name conversion to string (#5492)
• 096971e ci/cd: ship tarballs with vendored deps (#5403)
• 5ded580 cmd: Adjust documentation for commands (#5377)
• 508cf2a cmd: Create pidfile before config load (close #5477)
• 9e69195 cmd: Exp...

v2.7.2

Do not use this release, use v2.7.3 instead which contains several hot fixes.

v2.7.1

Do not use this release; use v2.7.3 instead. It contains a hotfix for a WebSocket issue.

v2.7.0

Do not use this release, use v2.7.3 instead which contains hot fixes.

v2.7.0-beta.2

This release is obsolete. Please see the next release for the notes.

v2.7.0-beta.1

This release is obsolete. Please see the next release for notes.

v2.6.4

This release contains a hotfix for a regression in v2.6.3 related to proxying chunked requests. We recommend that all users who do so upgrade to v2.6.4.

Note that, in an effort to make error-prone configs less likely, we have deprecated the reverse proxy options:

• buffer_requests
• buffer_responses
• max_buffer_size

and have introduced 2 new ones which take a size argument to enable buffering:

• request_buffers <size>
• response_buffers <size>

The deprecated options will be removed in a later version of Caddy, so please start using the new parameters instead.

Changelog

• 0db29e2 go.mod: Upgrade acmez and x/net
• 4b119a4 reverseproxy: Don't buffer chunked requests (fix #5366) (#5367)

v2.6.3

This release brings a number of bug fixes and minor features. We recommend that all users check the release notes/commits, then test and upgrade.

Notable changes:

• New trusted_proxies global option (within servers) can be used to specify trusted proxy IP ranges globally. This is important if relying on headers for client IP addresses.
• Unix sockets on Windows now supported as proxy upstreams.
• Proxied WebSocket connections are now logged with correct status code and "size" (bytes read + bytes written).
• The quic-go package has received significant optimizations, so HTTP/3 should be more efficient now.

Thank you to everyone who contributed to this release!

Changelog

• bfaf2a8 acme_server: Configurable default lifetime for issued certificates (#5232)
• ac83b7e admin: Add CADDY_ADMIN env var to override the default (#5332)
• ac96455 admin: fix certificate renewal for admin (#5169)
• 762b027 admin: set certmagic cache logger (#5173)
• 329af5c build(deps): bump actions/cache from 2 to 3 (#5263)
• 3b724a2 build(deps): bump actions/upload-artifact from 1 to 3 (#5262)
• af93517 build(deps): bump goreleaser/goreleaser-action from 2 to 4 (#5264)
• cd49847 build(deps): bump peter-evans/repository-dispatch from 1 to 2 (#5261)
• 8d3a1b8 caddyauth: Use singleflight for basic auth (#5344)
• bbe3663 caddyconfig: Fix httploader leak from unused responses (#5159)
• 7f2a93e caddyfile: Allow overriding server names (#5323)
• 223cbe3 caddyhttp: Add server-level trusted_proxies config (#5103)
• 087f126 caddyhttp: Canonicalize header field names (#5176)
• 12bcbe2 caddyhttp: Pluggable trusted proxy IP range sources (#5328)
• ed50311 caddyhttp: add placeholder {http.request.orig_uri.path.*} (#5161)
• 33fdea8 caddypki: Prefer user-configured root instead of generating new one (#5189)
• 6f8fe01 caddypki: Use go.step.sm/crypto to generate the PKI (#5217)
• 1fa4cb7 caddytest: Increased sleep between retries to reduce flakey tests in CI (#5160)
• fef9cb3 caddytest: internalize init config into '.go' file (#5230)
• 55035d3 caddytls: Add dns_ttl config, improve Caddyfile tls options (#5287)
• 66ce0c5 caddytls: Add test cases for Caddyfile tls options (#5293)
• 0a3efd1 caddytls: Debug log for ask endpoint
• 94b8d56 cmd: Add --envfile flag to validate command (#5350)
• a999b70 cmd: Add missing \n to HelpTemplate (#5151)
• c3b5b18 cmd: Avoid panic when printing version without build info (#5210)
• 5805b3c cmd: caddy fmt return code is 1 if not formatted (#5297)
• 8c0b49b cmd: fmt exit successfully after overwriting config file (#5351)
• f20a8e7 cmd: replace deprecate func use (#5170)
• 536c28d core: Support Windows absolute paths for UDS proxy upstreams (#5114)
• dac7cac encode: Respect Cache-Control no-transform (#5257)
• 4e9ad50 fileserver: Add a couple test cases
• 4bf6cb4 fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows (#5148)
• a3ae146 fileserver: Reject non-GET/HEAD requests (close #5166) (#5167)
• e8ad9b3 go.mod: Update golang.org/x/net to v0.5.0 (#5314)
• fac35db go.mod: Update quic-go to v0.31.0
• 798c4a3 go.mod: Upgrade some dependencies
• 90798f3 go.mod: Upgrade various dependencies (#5362)
• 98867ac go.mod: bump tscert package to fix Tailscale 1.34+ on Windows (#5331)
• d73660f httpcaddyfile: Add persist_config global option (#5339)
• c38a040 httpcaddyfile: Fix handle grouping inside route (#5315)
• d6d7511 httpcaddyfile: Warn on importing empty file; skip dotfiles (#5320)
• 817470d httploader: Close resp body on bad status code
• 72e7edd map: Clarified how destination values should be formatted (#5156)
• e9d95ab reverseproxy: Add flag to short command to disable redirects (#5330)
• e450a73 reverseproxy: Don't enable auto-https when --from flag is http (#5269)
• 845bc4d reverseproxy: Fix hanging for Transfer-Encoding: chunked (#5289)
• d4a7d89 reverseproxy: Improve hostByHashing distribution (#5229)
• c77a6be reverseproxy: Log status code and byte count for websockets (#5140)
• ee7c92e reverseproxy: Mask the WS close message when we're the client (#5199)
• d74f6fd reverseproxy: Set origreq in active health check (#5284)
• 9623102 tracing: Support placeholders in span name (#5329)

v2.6.2

This release brings a number of bug fixes and minor enhancements. All users should upgrade after testing and verifying their setups. Thank you to all who contributed!

If you are coming from < 2.6, please see the 2.6 release notes because a lot is new!

Changelog

• 037dc23 admin: Use replacer on listen addresses (#5071)
• 498f32b caddyconfig: Implement retries into HTTPLoader (#5077)
• 9873ff9 caddyhttp: Remote IP prefix placeholders
• 61822f1 caddyhttp: replace placeholders in map defaults (#5081)
• e07a267 caddytest: Revise sleep durations
• 253d97c core: Chdir to executable location on Windows (#5115)
• ab720fb core: Fix ListenQUIC listener key conflict
• e3e8aab core: Refactor and improve listener logic (#5089)
• e4fac12 core: Set version manually via CustomVersion (#5072)
• f7c1a51 fastcgi: Redirect using original URI path (fix #5073)
• 2be56c5 fileserver: Treat invalid file path as NotFound (#5099)
• b1d04f5 fileserver: better dark mode visited link contrast (#5105)
• 33f60da fileserver: stop listing dir when request context is cancelled (#5131)
• 2153a81 forwardauth: Canonicalize header fields (fix #5038) (#5097)
• fe91de6 go.mod: Upgrade select dependencies
• 7041970 headers: Support repeated WriteHeader if 1xx (fix #5074)
• d46ba2e httpcaddyfile: Fix metrics global option parsing (#5126)
• 6bad878 httpcaddyfile: Improve detection of indistinguishable TLS automation policies (#5120)
• 2808de1 httpcaddyfile: Skip automate when auto_https off is specified (#5110)
• 3e1fd2a httpcaddyfile: Wrap site block in subroute if host matcher used (#5130)
• 9e1d964 logging: Add time_local option to use local time instead of UTC (#5108)
• 01e192e logging: Better console encoder defaults (#5109)
• 99ffe93 logging: Fix skip_hosts with wildcards (#5102)
• ea58d51 logging: Perform filtering on arrays of strings (where possible) (#5101)
• 5e52bbb map: Remove infinite recursion check (#5094)
• b4e28af replacer: working directory global placeholder (#5127)
• e2991eb reverseproxy: On 103 don't delete own headers (#5091)
• 2a8c458 reverseproxy: Parse humanized byte size (fix #5095)
• d055692 reverseproxy: fix upstream scheme handling in command (#5088)
• 013b510 rewrite: Only trim prefix if matched

New Contributors

• @lemmi made their first contribution in #5088
• @willnorris made their first contribution in #5081
• @yroc92 made their first contribution in #5071
• @iliana made their first contribution in #5105
• @TobiX made their first contribution in #5106
• @likev made their first contribution in #5099
• @cherouvim made their first contribution in #5121

Full Changelog: v2.6.1...v2.6.2