v2.4.5

A hotfix for a regression introduced in v2.4.4 related to combining the encode and reverse_proxy directives. Please see the v2.4.4 release notes for a more complete changelog.

Changelog

9f6393c cmd: export CaddyVersion(), Commands() (#4316)
4ebf100 encode: ignore flushing until after first write (#4318)
46ab93b go.mod: Update CertMagic

v2.4.4

This release contains numerous bug fixes, updated dependencies, and QoL improvements.

Update: This release contains a known regression in the combination of encode and reverse_proxy modules; please use v2.4.5 instead.

Thanks to all contributors, and a special thanks to @francislavoie and @mohammed90 for their dedication in helping to maintain the project and help others.

Changelog

0bdb8aa acmeserver: Don't set host for directory links by default
2de7e14 acmeserver: Trim slashes from path prefix
c131339 admin: Implement load_interval to pull config on a timer (#4246)
a10910f admin: Sync server variables (fix #4260) (#4274)
51f125b caddyfile: Better error message for missing site block braces (#4301)
d74913f caddyfile: Error on invalid site addresses containing comma (#4302)
b6f5125 caddyfile: keep error chain info in Dispenser.Errf (#4233)
1c6c771 caddyhttp: Fix edgecase with auto HTTP->HTTPS logic (#4243)
42e140b caddyhttp: Fix incorrect determination of gRPC protocol (#4236)
c1cd192 caddyhttp: Updated the documentation for MatchQuery (#4295)
81e5318 caddytls: Remove "IssuerRaw" field
ce5a45d cmd: Fix paths when using an env file (#4296)
68c5c71 cmd: New add-package and remove-package commands (#4226)
9e333c3 cmd: use net.ErrClosed for matching returned error (#4289)
1b1e625 core: Unix ns and Unix ms time placeholders (#4280)
69c9144 encode: Tweak compression settings (#4215)
4245ceb fileserver: Add disable_canonical_uris Caddyfile subdirective (#4222)
191dc86 fileserver: Clarify docs about canonicalization
9e16e80 fileserver: Fix browse name_dir_first sorting (#4218)
885a9aa go.mod: Update dependencies (close #4216)
f43fd6f go.mod: Upgrade CertMagic to v0.14.4
84b906a go.mod: Upgrade some dependencies
ab32440 httpcaddyfile: Add shortcut for proxy hostport placeholder (#4263)
b3d35a4 httpcaddyfile: Don't put localhost in public APs (fix #4220)
569ecdb httpcaddyfile: Ensure hosts to skip for logs can always be collected (#4258)
bfbc459 httpcaddyfile: Improve unrecognized directive errors
403732c httpcaddyfile: Reorder some directives (#4311)
46d99ab logging: Add missing interface guards for replace filter (#4244)
124ba1b logging: Prep for common_log removal (#4149)
8a974a4 logging: Warn for deprecated single_field encoder
e6c29ce reverseproxy: Incorporate latest proxy changes from stdlib (#4266)
d882211 reverseproxy: Keep path to unix socket as dial address (#4232)
f70a757 reverseproxy: Remove redundant flushing (#4299)

v2.4.3

Guess what: this is our 100th release! 🎉 🥳 🎊

A bug fix for the bug fix, and a couple other bug fixes, including one security fix for PHP sites. We think all users should upgrade after giving it a whirl in their test environments. Please note some changes in this patch:

• ⚠️ In reverse_proxy, the max_idle_conns_per_host option has been removed (both Caddyfile and JSON). This may be a breaking change for a few of you, but it only breaks configs that relied on a bug. Instead of silently failing, you will get an error if you continue using the property. For Caddyfile, we basically renamed the property to keepalive_idle_conns_per_host. In JSON, we simply removed the property, and you should instead set keep_alive/max_idle_conns_per_host if you weren't already. Previously, the Caddyfile subdirective set both MaxConnsPerHost and MaxIdleConnsPerHost, which was confusing; and the JSON properties overwrote each other, so one was removed. Issue #4201.
• 🛡️ Security patch in the FastCGI transport that now sanitizes paths against directory traversal outside the site root. PR #4207.
• 🐛 Fix canonicalization redirects in file_server. v2.4.2 introduced a bugfix (#4179) for these redirects when used inside handle_path (i.e. rewriting the path by stripping a prefix), but caused a regression for many other use cases. This release includes a proper fix for all known, tested cases. Basically: these redirects are not issued if the filename of a path was rewritten internally. Issue #4205.

Changelog

9d4ed3a caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
e8ae80a fileserver: Don't persist parsed template (fix #4202)
fbd6560 fileserver: Only redirect if filename not rewritten (fix #4205)
32c284b reverseproxy: Adjust test related to #4201
7c68809 reverseproxy: Fix overwriting of max_idle_conns_per_host (closes #4201)

v2.4.2

A few enhancements and bug fixes. Thanks to all who contributed to this release!

Changelog

323ffd2 admin: Replace admin cert cache when reloading (fix #4184)
4c2da18 caddytls: Add Caddyfile support for propagation_timeout (#4178)
76913b1 fileserver: Fix browse not redirecting query parameters (#4196)
f9b5445 fileserver: Redirect within the original URL (#4179)
ecd5eea go.mod: Update direct dependencies
89aa3a5 go.mod: Use CertMagic v0.14.0 (fix #4191)
1e92258 httpcaddyfile: Add preferred_chains global option and issuer subdirective (#4192)
658772f httpcaddyfile: Add skip_install_trust global option (#4153)
05656a6 httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
94b7120 logging: Actually use level_key (#4189)
7b500e7 metrics: use buildinfo collector from new collectors pkg (#4187)
2a81094 reverseproxy: Always remove hop-by-hop headers

v2.4.1

A small patch release that contains a few noncritical but pleasant fixes (unless you're using /id/ endpoints in the admin API; then you should definitely get this update).

Changelog

7f26a6b admin: Reinstate internal redirect for /id/ requests
b82db99 caddyfile: Add parse error on site address with trailing { (#4163)
2aefe15 cmd: upgrade: inherit the permissions of the original executable (#4160)
dbe164d httpcaddyfile: Fix automation policy consolidation again (fix #4161)
e3c369d logging: Implement dial timeout for net writer (fix #4083) (#4172)
aef8d4d reverseproxy: Set the headers in the replacer before handle_response (#4165)

v2.4.0

Caddy v2.4.0 is our first stable release of 2021, ushering in over 110 patches including new features and bug fixes. Thank you to the many contributors who helped make this possible!

Highlights:

• Secure remote management. You can now enable secure remote access to Caddy's admin API! It uses TLS mutual authentication, and you can even define permissions for different users. PR #3994
• Config pull at start. Caddy can be configured to load a different config at startup. This is useful if your config is federated through a separate system that doesn't have the ability to push configs to Caddy. This feature is modular, so configurations can be loaded different ways! PR #3994
• Server identity management. Caddy can automatically manage its own server identity certificate, which can be used when negotiating TLS connections with peers. This is required when enabling the secure admin API. PR #3994
• Self-upgrade command. The new caddy upgrade command will replace the current Caddy binary with an upgraded one from our website, with all the same modules installed, including third-party plugins that are registered on our site! (We can use this code to add/remove modules later, too.)
• Configure other apps from the HTTP Caddyfile. The global options block of the Caddyfile now allows configuration of Caddy apps other than HTTP (for example, dynamic_dns to keep DNS records pointed at your server with a dynamic IP address).
• Caddyfile fmt lint check. When running with a Caddyfile, Caddy will emit a warning if the Caddyfile is not formatted with caddy fmt.
• New abort directive. The abort directive is a special case of the static_response HTTP handler that prevents an HTTP response by aborting the handler chain immediately and forcefully closing the connection.
• New error directive. The error directive returns internal error values in the HTTP handler chain, as if an HTTP error had occurred, causing your error routes to be invoked.
• Configure response interception from Caddyfile. The reverse_proxy is capable of intercepting responses from the backend, and now this is exposed in the Caddyfile with handle_response.
• Better caddy list-modules output. Now modules are organized by standard and non-standard modules, so you can easily see if a Caddy build has been customized.
• Configure logging from Caddyfile. The process logs can now be configured from the global options of the Caddyfile.
• Better content negotiation. The file server can now be configured to serve precompressed sidecar files, and content encoding preferences are better configured and honored.
• Dark mode in directory listings. The file server's "browse" file listings now has a dark mode.
• ⚠️ Removed the logfmt log encoder. It was broken anyways, and its deprecation has been warned in previous releases.
• ⚠️ Deprecated common_log format. It will be removed in a future release. Issue #4148
• ⚠️ Deprecated health_path in reverse_proxy directive. It has been replaced with health_uri and will be removed in the future.
• Numerous bug fixes and improvements. Thanks for the detailed, helpful bug reports! We appreciate your collaboration in making Caddy better.

New content for sponsors

I've started writing high-quality, in-depth chatpers about how to get the most out of Caddy in my new Expert Caddy series, exclusively for sponsors! If you or your company are sponsoring, you can have access to this content, which I'll continue adding to over time.

If you aren't sponsoring yet, please do so! Sponsorships fund my full-time development of Caddy, and that's especially vital if your business relies on Caddy.

Changelog (since RC 1)

For a detailed list of all commits since v2.3.0, please refer to prior pre-release changelogs.

bc22102 caddyfile: Fix caddy fmt nesting not decrementing (#4157)
d4b2f1b caddyhttp: Fix fallback for the error handler chain (#4131)
61642b7 caddytls: Run replacer on ask URL, for env vars (#4154)
7776471 encode: Default to order the formats are enabled for prefer in Caddyfile (#4151)
f5db41c encode: Drop prefer from Caddyfile (#4156)
74f5d66 fileserver: Fix file matcher with empty try_files (#4147)
3cf443f httpcaddyfile: Add grace_period global option (#4152)
a17c3b5 reverseproxy: Minor logging improvements

v2.4.0-rc.1

This is a Release Candidate, meaning we think it's good enough to release but we want your help to make sure. It contains over 100 commits from the last stable release! Please report any bugs.

If you're coming from v2.3, be sure to check the change logs from the previous pre-releases as well.

Changelog

a8d4527 caddyfile: Fix import replacing unrelated placeholders (#4129)
3401f91 caddyfile: Normalize line endings before comparing fmt result (#4103)
3903642 caddyfile: reject cyclic imports (#4022)
d789596 caddyhttp: Implement better logic for inserting the HTTP->HTTPS redirs (#4033)
53ececd caddyhttp: performance improvement in HeaderRE Matcher (#4143)
1e218e1 caddytls: Add load_storage module (#4055)
42b7134 caddytls: Configurable storage clean interval
2250920 caddytls: Disable OCSP stapling for manual certs (#4064)
956f011 caddytls: Implement remote IP connection matcher (#4123)
e6f6d3a cmd: Add --envfile flag to start command (#4141)
3f6283b fileserver: Add status code override (#4076)
3a1e81d fileserver: Better handling of HTTP status override (#4132)
637fd8f fileserver: Share template logic for both templates and file_server browse (#4093)
00e12aa fuzz: fix the FuzzFormat comparison (#4117)
efe8449 go.mod: CertMagic v0.13.1
66783eb go.mod: Update quic-go to v0.20.1 (#4075)
ef7f15f httpcaddyfile: Add auto_https ignore_loaded_certs (#4077)
6e0e3e1 httpcaddyfile: Add global option for storage_clean_interval (#4134)
1455d6b httpcaddyfile: Fix panic in automation policy consolidation (#4104)
ff6ca57 httpcaddyfile: Fix unexpectedly removed policy (#4128)
96bb365 httpcaddyfile: Take into account host scheme/port (fix #4113)
45fb720 notify: Send all sd_notify signals from main caddy process (#4060)
e4a22de reverseproxy: Add handle_response blocks to reverse_proxy (#3712) (#4021)
4d0474e reverseproxy: Admin endpoint for reporting upstream statuses (#4125)
9017557 reverseproxy: fix hash selection policy (#4137)

v2.4.0-beta.2

The beta channel marches on for 2.4 with beta 2. In addition to the changes/additions/improvements from the previous beta, this release includes:

(Please see release notes for v2.4 stable for highlights.)

Changelog

a87f757 .gitignore: add IDE files (#4087)
28a4159 CONTRIBUTING: fix spelling (#4070)
aac1ccf caddy: Add InstanceID() method
ec3ac84 caddy: Support SetReadBuffer and SyscallConn for QUIC (fix #3998)
2a127ac caddyconfig: add global option for configuring loggers (#4028)
d63d5ae caddyhttp: improve grammar of comment for AllowH2C (#4072)
ec309c6 caddypki: Add SignWithRoot option for ACME server
f6bb02b caddytls: Remove old asset migration code (close #3894)
911c8a3 cmd: Use formatted logger for config adapter warnings (#4080)
87fbc07 cmd: main: fix minor doc typos (#4082)
a8fdc0a core: Initialize logging before admin
f35a7fa encode,staticfiles: Content negotiation, precompressed files (#4045)
0018b9b fileserver: Add a few more debug lines (#4063)
a48c620 fileserver: Browse listing supports dark mode (#4066)
5bf0a55 fileserver: Don't replace in request paths (fix #4027)
427bbe9 go.mod: Latest CertMagic (updated libdns conventions)
1c8ea00 go.mod: Migrate to golang.org/x/term (#4073)
a0a7c60 go.mod: Use latest CertMagic
f1c3668 headers: Fix Caddyfile parsing for request_header with matchers (#4085)
0d7fe36 httpcaddyfile: Add error directive for the existing handler (#4034)
bafb562 httpcaddyfile: Configure other apps from global options (#3990)
edb362a httpcaddyfile: Fix catch-all site block sorting
f137b82 logging: add replace filter for static value replacement (#4029)
802f80c map: Accept regex substitution in outputs (#3991)
6722ae3 reverseproxy: Add duration/latency placeholders (close #4012) (#4013)
ce5a093 reverseproxy: Fix round robin data race (#4038)
51f35ba reverseproxy: Fix upstreams with placeholders with no port (#4046)
75f797d reverseproxy: Implement health_uri, deprecate health_path, supports query (#4050)
bd357bf reverseproxy: Set cookie path to / when using cookie lb_policy (#4096)
ad8d01c rewrite: Implement regex path replacements
a6bc581 sigtrap_posix: add missing comma to SIGTERM info (#4078)

v2.4.0-beta.1

"Surprise, surprise, surprise!" (Do you know which classic TV character that quote is from?) We've made a lot of progress on new features since v2.3, and all the major work slated for v2.4 is already done! This is a preview release.

This is a preview release. There's still some fine-tuning we need to do which is delaying the release candidates, but I wanted to roll out some of the exciting improvements early so you can start testing them. As far as I can tell, this tag is relatively stable. However, please expect bugs; though I bet most of them will be minor or limited to edge cases.

Documentation will be updated in the coming weeks. Until then, please refer to individual commits/issues (below) and the code base directly (it is easy to search and read) for docs. We're happy to help on our forums too.

For highlights, see release notes for v2.4.0 stable.

Many other things have been added, changed, or improved as well. See all the commits for details.

Please give this a try in low-risk environments as soon as you can, and we'll be able to ship a better v2.4 stable!

Changelog

bf50d70 acmeserver: Support custom CAs from Caddyfile
ab80ff4 admin: Identity management, remote admin, config loaders (#3994)
3366384 caddycmd: Add upgrade command (#3972)
c8557dc caddyfile: Introduce basic linting and fmt check (#3923)
f021696 caddyfile: Refactor unmarshaling of module tokens
8ec90f1 caddyhttp: Check for invalid subdirectives of static_response
bef80cd caddyhttp: Fix redir html status code, improve flow (#3987)
e2c5c28 caddyhttp: Implement handler abort; new 'abort' directive (close #3871) (#3983)
cc63c58 caddyhttp: Support placeholders in header matcher values (close #3916)
160d199 caddytest: Update Caddyfile tests for formatting, HTTP-only blocks
09432ba caddytls: Configurable OCSP stapling; global option (closes #3714)
51e3fdb caddytls: Save email with account if not already specified
8b6fdc0 caddytls: add 'key_type' subdirective (#3956)
2772ede cmd: Add --force flag to reload command (close #4005)
ed67823 cmd: Clean up build-info and upgrade output
59071ea cmd: Implement sd_notify() to notify systemd about readiness (#3963)
144b65c cmd: Organize list-modules output; --packages flag (#3925)
8f6f986 cmd: Print more detailed version with --environ
b1bec8c go.mod: Update CertMagic and acmez (improved IDN support)
8c29129 httpcaddyfile: Add resolvers subdir of tls (close #4008)
7846bc1 httpcaddyfile: Adjust iterator when removing AP (fix #3953)
653a0d3 httpcaddyfile: Fix automation policies
90284e8 httpcaddyfile: Fix default issuers when email provided
d68cff8 httpcaddyfile: Skip TLS APs for HTTP-only hosts (fix #3977)
55e49ff httpcaddyfile: Sort catch-all site blocks properly (fix #4003)
c2b91db httpcaddyfile: Support repeated use of cert_issuer global option
c986110 httpcaddyfile: Warn if site address uses unspecified IP (close #4004)
ef54483 logging: Remove logfmt encoder (close #3575)
58e83a8 map: Add missing json struct tag
3c9256a reverseproxy: Caddyfile health check headers, host header support (#3948)
5ef76ff reverseproxy: Response buffering & configurable buffer size
88a38bd rewrite: Use RawPath instead of Path (fix #3596) (#3918)
14f50d9 templates: Add fileExists and httpError template actions

v2.3.0

Caddy 2.3 is the first web server to be able to get certificates from multiple issuers (for redundancy)! We've also optimized several things for large-scale deployments, as there are businesses using Caddy to serve tens of thousands of sites per instance.

The main highlights of this release include:

• Multi-issuer support. Caddy can now get certificates from multiple issuers for redundancy; if one fails, another will be tried. Caddy's new defaults are Let's Encrypt and ZeroSSL. You can customize these, including adding local/self-signed certificates as a last resort if desired. Caddy is the first web server to support multiple issuers, offering unrivaled reliability for your site's HTTPS. It is the first ACME client to support multiple CA fallbacks.

• Improved on-demand TLS. On-demand TLS is an operating mode by which certificate obtain/renew operations are triggered on a TLS handshake that requires them, rather than happening at config-load time. We've moved a lot of the processing to the background where possible (e.g. when an existing certificate is still usable) so more connections will finish their handshakes faster, and fewer handshakes will fail (however, you still need to watch the logs and fix the errors before it's too late). Several businesses we know of currently rely on this unique feature at a scale of tens of thousands of sites.

• Support for alternate certificate chains. You can now customize which certificate chains to download from ACME servers that offer more than one.

• New map handler is ready for production use. (Caddyfile docs) It's been in Caddy for a few versions now but it's finally ready for production, with enhanced efficiency and functionality. We have been using this handler with a customer in production for a while now, on an instance that is handling thousands of sites.

• Customize servers and listeners with the Caddyfile. The Caddyfile structure is oriented around sites for convenience, so customizing servers has not been possible until now. You can now use global options to configure servers and their listeners (for example, protocol options, socket read options, and more) without having to use JSON config.

Of course, there are also numerous bug fixes and other enhancements, including bringing more configuration options into the Caddyfile. Thank you to everyone who contributed code, code reviews, or participated in the pre-releases.

There are a couple of minor breaking changes, but one was not documented and the other has always been an experimental feature:

• ⚠️ The remote_ip matcher no longer reads the X-Forwarded-For header by default. This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable forwarded (in the Caddyfile, just put forwarded as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.

• ⚠️ The experimental_http3 global option in the Caddyfile has been replaced with global server options, one of which is the experimental_http3 protocol. Docs will be updated shortly. This is still an unstable feature until HTTP/3 is finalized and our upstream QUIC/H3 lib is stable and we've decided to keep HTTP/3 enabled in the core by default.

• ⚠️ The "issuer" field in TLS automation policies is deprecated and will be removed in the future, please switch to "issuers".

Along with this release, we've taken the opportunity to consolidate our documentation regarding getting/installing Caddy. There is no more /docs/download page, instead it was combined with /docs/install which better organizes the various official and unofficial ways to get Caddy. (To be clear, our download page at /download is still available.) Also, we started using Cloudsmith for our Debian packaging -- they're donating this service to our open source project and their team has been a pleasure to work with.

This release is the work of at least 20 contributors. Thank you!

Changelog

c5197f5 acme_server: fix reload of acme database (#3874)
06ba006 acme_server: switch to bbolt storage (#3868)
7a3d9d8 basicauth: Minor internal improvements (#3861)
937ec34 caddyauth: Prevent user enumeration by timing
4cff36d caddyauth: Use buffered channel passed to signal.Notify (#3895)
3d0e046 caddyauth: Use structured log
c6dec30 caddyfile: Add support for env var defaults; add tests (#3682)
635f075 caddyfile: Fix minor bug in formatter
63bda6a caddyhttp: Clean up internal auto-HTTPS redirect code
b8a799d caddyhttp: Document that remote_ip reads X-Forwarded-For header
4fc5707 caddyhttp: Fix header matcher when using nil
966d5e6 caddyhttp: Merge header matchers in Caddyfile (#3832)
b4f49e2 caddyhttp: Merge query matchers in Caddyfile (#3839)
1438e4d caddyhttp: New idle_timeout default of 5m
9157051 caddyhttp: Optimize large host matchers
deedf8a caddyhttp: Optionally use forwarded IP for remote_ip matcher
349457c caddyhttp: Return error if error handling error
b0f8fc7 caddytls: Configure trusted CAs from PEM files (#3882)
e384f07 caddytls: Improve alt chain preference settings
95af426 caddytls: Support ACME alt cert chain preferences
13781e6 caddytls: Support multiple issuers (#3862)
e7a5a38 cmd: add ability to read config from stdin (#3898)
eda9a1b fastcgi: Add timeouts support to Caddyfile adapter (#3842)
6e9ac24 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739)
7d7434c fileserver: Add debug logging
d8bcf5b fileserver: Fix "go up" links in browse listings (closes #3942)
8d038ca fileserver: Improve and clarify file hiding logic (#3844)
0a7721d fileserver: Preserve transformed root (fix #3838)
b6e96d6 go.mod: Update CertMagic
a748151 go.mod: Update CertMagic (fix #3911)
1e480b8 go.mod: update quic-go to v0.19.2 (#3880)
5643dc3 go.mod: update quic-go to v0.19.3 (#3901)
31fbcd7 go.mod: Upgrade some dependencies
a26f70a headers: Fix Caddyfile parsing with request matcher (#3892)
b0d5c2c headers: Support default header values in Caddyfile with '?' (#3807)
7c28ecb httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)
3cfefeb httpcaddyfile: Configure servers via global options (#3836)
7e71915 httpcaddyfile: Decrement counter when removing conn policy (fix #3906)
03d853e httpcaddyfile: Fix test on Windows
b6686a5 httpcaddyfile: Improve AP logic with OnDemand
63afffc httpcaddyfile: Proper log config with catch-all blocks (fix #3878)
db4f1c0 httpcaddyfile: Revise automation policy generation (#3824)
c898a37 httpcaddyfile: support matching headers that do not exist (#3909)
dd26875 logging: Fix for IP filtering
ebc278e metrics: allow disabling OpenMetrics negotiation (#3944)
670b723 requestbody: Add Caddyfile support (#3859)
99b8f44 reverse_proxy: Fix random_choose selection policy (#3811)
4a641f6 reverseproxy: Add Caddyfile scheme shorthand for h2c (#3629)
b660993 reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829)
53aa60a reverseproxy: Handle "operation was canceled" errors (#3816)
6e0849d reverseproxy: Implement cookie hash selection policy (#3809)
9605853 reverseproxy: Logging for streaming and upgrades (#3689)
132525d reverseproxy: Minor lint fixes
860cc6a reverseproxy: Wire up some http transport options in Caddyfile (#3843)
c9fdff9 reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819)
6ea6f3e reverseproxy: fix random hangs on http/2 requests with server push (#3875)